Does Ransomware Insurance Give Companies a False Sense of Security?
Global aluminum company Nord Hydro suffered a ransomware outbreak in March 2019. Thus far, its ransomware insurer has paid out only $3.6 million against losses of $50 to $71 million.
$3.6 million out of an approximate $60 million, representing a mere 6% of total losses. Thus far, Nord Hydro is currently absorbing most of the financial costs, expected to climb as recovery operations continue.
Both ransomware attacks and ransomware insurance coverage are on the rise. Unfortunately, companies with ransomware coverage are finding that cyber policies are not the panacea they expected.
Insurers Limit their Ransomware Payouts
One analyst describes Nord Hydro's predicament this way: "Cyber claims are pending, on average, for 18 months due to an insured's lack of ability to prove losses from the event.” Nord Hydro’s insurer will likely pay more as the claims process continues. In the meantime, Nord Hydro continues to take a serious financial and PR hit.
Insurers also deny ransomware claims based on the policy wording. Policies require a certain amount of due diligence by the insured to protect themselves from attack. A carrier may challenge whether the company was sufficiently vigilant in protecting itself from attack. Other policy clauses exclude coverage for attacks by foreign actors. Merck is only one victim of the 2017 NotPetya attack suing its carriers for denying claims. The United States attributed the attack to Russian actors. According to the insurers, that meant the policy’s “war exclusion” clause barred coverage.
Unfortunately, paying the ransom is often seen as easier than suffering long downtimes and huge operational recovery costs. In some cases, the victim prefers that route to regain access to files and data quickly. If the policy covers the ransom, the ransomware victim needs to pay only the deductible while the insurer pays the rest of the ransom amount. Paying the ransom minimizes the downtime and its associated recovery costs. According to Coveware, a ransomware recovery firm, recovery costs can balloon to 10x the ransom amount.
For this reason, insurers often pressure ransomware victims to pay the ransom, rather than incur damages. For the insurance carrier, a ransom claim is far less costly than paying for long-term recovery services and damage claims.
The highest ransomware pay-out ever reported was $1 million by South Korean web provider Nayana. However, this amount stands out as an anomaly against the average ransomware demand, which, according to Coveware research, was $41,198 for Q3 of 2019. Even so, Coveware reports that the average ransomware demand was a modest $12,762 in Q1 of 2019. Why the more than 3x spike in ransomware amounts in less than a year? Because insurers prefer to pay the ransom, and attackers know it.
Fueling Ransomware Activity
ProPublica, a nonprofit investigative journalism organization, took a hard look at the ransomware insurance landscape. Its analysis concluded that insurers’ preference for the cheaper ransom payout “fuel[ed] a rise in ransomware attacks." The reporters exposed a spike in ransomware attacks and higher ransom demands following the increased willingness of victims and their insurers to pay the ransom.
However, businesses feel the brunt of this vicious ransomware cycle the worst, as they are often severely stretched to pay the ransom. This past year ransomware cost business more the $8 billion. Furthermore, even after paying the ransom, there is no guarantee of a return to business as usual. Upon having paid the ransom, the attacker has been known not to provide the victim with the decrypt key in return, or when they did, the decrypt key did not work. Furthermore, the decrypt key only releases the victim’s data, but the ransomware payload remains dormant in the enterprise network, with the potential to be reactivated in a future attack.
Paying ransomware demands is not only profitable for attackers, but it’s also fruitful business for insurers as well. According to research cited by ProPublica, cybersecurity coverage is one of the more profitable lines of coverage for insurers. For every dollar paid in cyber coverage premiums, insurers pay only 35 cents in claims. For all property and casualty lines, the claim payout nearly doubles to 62 cents of every premium dollar.
The Search for Comprehensive Protection
Ransomware insurance policies may have their place but need to be considered as a back-up last resort as they still leave organizations vulnerable to high ransom demands and future outbreaks. The best strategy for enterprises to protect itself from ransomware damage is to take active measures to prevent the ransomware outbreak from occurring.
With ransomware attacks on the rise, conventional security approaches like legacy antivirus and endpoint detection and response products do not provide the required protections. Protecting against a successful ransomware attack requires more sophisticated tools.
Deep Instinct's solution uses deep learning AI, the most advanced form of machine learning, to prevent ransomware from executing. In a recent third-party test that assessed the protection capabilities against ransomware, Deep Instinct's predictive threat analytics platform detected and prevented all ransomware samples from executing. While no cybersecurity solution can guarantee 100% prevention, it’s evident the Deep Instinct platform gives organizations a fighting chance against the ever-growing ransomware threat.
Augmenting current security frameworks with a stronger prevention solution not only helps organizations avoid the high costs of disruption, damages, and compromised assets associated with a ransomware outbreak, but it also supports the long term goal of removing the incentive for attackers to continue to deploy ransomware attacks.
Register for the webinar Ransomware: Best Defense Strategies Against Attacks and learn more about Deep Instinct’s preventative approach against ransomware. In this session, we will provide useful knowledge on how an organization can secure itself, no matter the ransomware attacks the future may bring.