Cyberinsurance that covers ransomware is the modern update to kidnap and ransom (K&R) insurance. First offered by Lloyd’s of London after the kidnapping and murder of 20-month-old Charles Lindbergh, Jr. in 1932, K&R insurance has a long history of almost a century. Demand for the insurance increased in the 1960s after several high-profile kidnappings by radical groups in Europe.
K&R insurance was good business for the insurance industry for decades, albeit with many challenges. One of the challenges was the need to keep secret all information about who was covered, since kidnappers who know that a person is insured, and therefore able to pay a large sum, are much likelier to target that person. As a result, K&R policies often include provisions that allow the insurer to cancel the policy if its existence becomes known. Such policies also generally reimburse the insured only after the ransom has been paid, rather than putting out money upfront. This too helps conceal the fact that the victim is insured, because it generally takes families and even businesses some time to raise the money for a ransom.
Updating Ransom Insurance for the Cyber Age
Ransomware attacks have reached all-time highs, in terms of frequency as well as the size of ransom demands. Payouts have been climbing. A record $40 million was reportedly paid by CNA Financial in March 2021. That is much less than the record kidnapping payment, $275 million (in today's dollars) paid for the release of Jorge Born in 1975, but still a lot of money. Colonial Pipeline reportedly paid over $4 million to get a decryption key from the criminals who locked up its data, only to find that the key worked poorly. JBS SA paid an estimated $11 million. If a company has $1 million in cyberinsurance but pays a much larger ransom, it is still out of pocket a huge sum.
The increase in ransomware attacks has many companies scrambling to get cyberinsurance or to update existing policies to cover ransomware; companies that already have it are increasing their coverage as ransom demands steadily rise. That leaves insurance companies facing a dilemma similar to the one that resulted in the requirement to keep K&R policies secret. Payouts are controversial. Many authorities believe that the more companies pay up, the more criminals are encouraged to use ransomware and the greater the ransoms they will demand.
For this reason, many governments pressure businesses not to pay ransom. New York State is considering a bill that would ban its municipalities from making ransomware payments. The US Department of the Treasury has warned companies that paying ransom to entities on its sanctions list, which includes several cybercrime gangs, could put them in violation of US law.
One large global insurer, AXA, has said it will not reimburse ransomware payouts made by French companies. Other insurance companies are putting limits on what they will pay, such as requiring companies to foot a coinsurance payment of 50% of the ransom payment.
Insurance companies are having trouble keeping pace with the increase in payouts: Despite raising premiums by 22% in 2020, the direct loss ratio – the amount insurance companies paid out compared to their premiums – has gone up to 73%. Ransomware attacks now account for 41% of cyberinsurance claims.
Mitigating Ransomware Damage
Many cyberinsurance companies have made cybersecurity recommendations to their policyholders, which were often ignored. The tremendous rise in cyberattacks over the last year has led companies to start paying more attention. But there is undoubtedly more that insurance companies could do. Why not offer policyholders deeply discounted premiums if they implement a robust Zero Trust approach to cybersecurity? Or even make having certain cybersecurity protections in place a prerequisite for coverage?
Protecting Against Ransomware
As we’ve previously reported, phishing attacks are the top delivery mechanism for ransomware. Cyberthieves going after the “big game” – large companies or organizations with the capacity to pay 7-figure ransoms – are increasingly using “spearphishing,” highly targeted attacks that are sophisticated enough to slip past even knowledgeable users who wouldn’t normally click on a suspicious email.
Conventional approaches to guarding against phishing attacks include user training and blocklisting, technology that prevents users from clicking through to known dangerous links. Unfortunately, these measures are often ineffective. Even after training, many users will still click on a dangerous link if the email is written convincingly enough. Blocklists are reactive by design: a URL is only blocked once someone has seen it, reported it and the list has been pushed out. Cyberthieves have developed automatic URL generators that mint fresh malicious domains and links faster than they can be blocklisted, so a link in a targeted email is frequently one no list has ever seen. The most effective way to protect against phishing attacks is to move to a Zero Trust approach: trust no URL to be safe, whether or not it appears on a list.
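To make the gap concrete, the following added example (not code from the original article or from any vendor mentioned on this page) contrasts an exact-match host blocklist with a default-deny Zero Trust disposition. The blocklist, allowlist, hostnames and the URL generator are all constructed for the demonstration; the generator simply stands in for the attacker tooling described above, producing links with never-before-seen hostnames.

```python
import random
import string
from urllib.parse import urlsplit

# Constructed blocklist of hosts already reported as phishing infrastructure.
# Real lists are far larger, but the failure mode is the same: they contain
# only what someone has already seen and reported.
BLOCKLIST = frozenset({"evil-invoice.example", "login-verify.example"})

# Constructed allowlist of hosts the organisation has explicitly vetted.
ALLOWLIST = frozenset({"intranet.corp.example"})


def normalize_host(url: str) -> str:
    """Extract the host from a URL, lower-cased and without a trailing dot,
    so that trivial case/dot variations cannot slip past an exact-match check."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def blocklist_allows(url: str) -> bool:
    """Conventional filter: block if the host is listed, otherwise let the click through."""
    return normalize_host(url) not in BLOCKLIST


def generate_phishing_urls(n: int, seed: int = 1) -> list[str]:
    """Stand-in for an attacker's URL generator (assumed, for the demonstration):
    every link uses a freshly minted hostname and path, so no previously
    published blocklist entry can match it. The seed makes the output reproducible."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    urls = []
    for _ in range(n):
        label = "".join(rng.choices(alphabet, k=12))
        token = rng.randrange(10**9)
        urls.append(f"https://{label}.example/secure/verify?ref={token}")
    return urls


def zero_trust_disposition(url: str) -> str:
    """Zero Trust policy for a click: nothing is trusted merely because it is absent from a list.
    'block'   - known-bad host (the blocklist still helps where it does match)
    'direct'  - explicitly vetted host
    'isolate' - everything else, i.e. render it away from the endpoint
                (for example in an isolated remote browser)"""
    host = normalize_host(url)
    if host in BLOCKLIST:
        return "block"
    if host in ALLOWLIST:
        return "direct"
    return "isolate"


def compare_policies(urls: list[str]) -> dict[str, int]:
    """Count how many links each approach lets reach the endpoint unisolated."""
    return {
        "blocklist_let_through": sum(1 for u in urls if blocklist_allows(u)),
        "zero_trust_let_through": sum(1 for u in urls if zero_trust_disposition(u) == "direct"),
        "zero_trust_isolated": sum(1 for u in urls if zero_trust_disposition(u) == "isolate"),
    }


if __name__ == "__main__":
    fresh = generate_phishing_urls(100)
    print(compare_policies(fresh))
```

Against 100 freshly generated links the blocklist lets every one through, because none of the hosts exists on the list yet, while the default-deny policy isolates every one of them. The blocklist is not useless; it still blocks the hosts it knows about, which is why the Zero Trust disposition consults it first. The point is that the unknown case, which is exactly the case a targeted campaign produces, must default to "isolate" rather than "allow".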
Zero Trust and Ransomware
Zero Trust assumes that every user and every website is potentially dangerous. Remote Browser Isolation (RBI) implements Zero Trust for web browsing by executing browsing sessions in a virtual browser running in an isolated container in the cloud, so that a malicious website never executes on the endpoint. Only safe rendering data is sent to the user's regular endpoint browser, which lets them interact with the site just as they normally would. Ericom RBI also disinfects email attachments and downloads from websites, removing active content before the file is passed on to the user, which closes off yet another ransomware delivery mechanism.
A cybersecurity scheme that is 100% secure and entirely foolproof has yet to be invented. But RBI can effectively stop some of the most common vehicles for ransomware attacks (phishing, drive-by malware, infected downloads and malvertising) dead in their tracks. It would certainly be a win-win proposition, for organizations as well as their cyberinsurers, for insurance companies to incentivize adoption of a Zero Trust security approach with premium discounts, just as discounts are available for car owners who install anti-theft devices in their cars.