The development of the ransomware-as-a-service (RaaS) business model, which enables hackers to use off-the-shelf ransomware tools and services, has supercharged the field of cyber crime and enabled threat actors, even with limited technical IT skills, to launch highly disruptive attacks.
A whole RaaS ecosystem has sprung up, with cyber criminals now adopting specialised roles, most of which may have nothing to do with the actual launch of an attack. These include: identifying unknown vulnerabilities, gaining initial access, developing malware, processing any ransoms paid and even handling the negotiations.
Impact on the insurance sector
Ransomware has been a significant factor in the notable deterioration in cyber insurers’ underwriting performance over the past two years. In aggregate, the loss ratio on US cyber insurance rose from 44.6% in 2019 to 66.9% in 2020, with ransomware accounting for three quarters of claims according to credit rating agency AM Best.
More recent indicators suggest no material improvement in the claims environment, with ransomware remaining a key driver. Given the continued upward pressure on claims, cyber insurers’ loss ratios remained elevated in 2021 despite a steep increase in the price of cyber insurance last year.
Ongoing policy debate
The payment of ransoms by victim firms (or their reimbursement through insurance) potentially incentivises ransomware criminals and in the process amplifies the risk of future attacks on themselves or others. One 2021 study, for example, shows that 70% of UK IT security professionals surveyed believe insurance payments to companies that have paid a ransomware demand exacerbate the problem and cause more attacks. Governments have also highlighted how the ransoms demanded are often tailored to the amount insured under the cyber insurance policy.
This has revived a policy debate about how far governments should intervene to mitigate the economic externality associated with ransoms – that is, using laws, regulations and taxes to ensure victim firms recognise that paying ransoms possibly fosters more ransomware and ratchets up future extortion demands. Policy discussions are ongoing in a number of countries about the possibility of banning ransom payments altogether.
Banning ransom payments is not really the answer
There are no easy solutions to ransomware and measures often involve important trade-offs, not least because of the potential for unintended consequences. For instance, an outright ban on ransom payments could drive such transactions underground and/or encourage ransomware attackers to engage in new forms of extortion.
A Geneva Association survey of cyber re/insurers reveals that, while most feel that banning ransom payments or prohibiting associated insurance payouts would probably discourage some ransomware attacks (Figure 2), such a blunt policy response may not always have the desired effect, especially if bans are not consistently applied on an international level. A ban solely against insurer reimbursements would be particularly ineffective, depriving victims of an important means of protection when other forms of risk financing may be difficult to organise.
Italy’s experience with kidnapping in the 1990s underscores the challenges of any ransom ban. The Italian government made it illegal to pay ransoms in 1991, a move widely credited for the subsequent flattening in kidnapping rates. But the threat did not go away completely as the families of kidnapped Italian citizens simply stopped reporting crimes to authorities.
Cyber insurance is part of the solution
While it is often ransom payments that grab the headlines, the total losses related to a ransomware attack go well beyond extortion demands. Insurance plays an important role in supporting companies that face a variety of first- and third-party losses resulting from ransomware. After an attack, cyber insurance can be a mechanism for convening the right team of experts. These experts often bring in valuable negotiating skills that can be used to help lower the ransom actually paid – not least because they are well placed to assess the credibility of the threat, including the viability of decryption keys and likelihood of restoring operations.
In addition, cyber insurance promotes awareness about the exposure to ransomware and other cybercrime, sharing expertise on risk management and encouraging investment in risk prevention and mitigation. For instance, carriers often continuously monitor the threat environment, highlighting vulnerabilities and weaknesses in a firm’s networks and systems that might be unknown to the policyholder. Likewise, through the terms and conditions of available cover, (re)insurers can incentivise investment in good cyber hygiene, which significantly lowers the chance of ransomware and other cyberattacks.
Governments and regulators must go further to counter ransomware attacks
There is no silver bullet for ransomware, and a multi-faceted approach will be required to reduce the underlying drivers, limit their impact and ensure business resilience. Governments, along with their regulatory and supervisory agencies, have an important role to play in improving the security of cyberspace and helping legitimate businesses gain the upper hand against cyber adversaries.
Many of these suggestions are mirrored in measures already announced by various governments to enhance cybersecurity in the wake of the recent ransomware epidemic. In particular, improved mechanisms to track, monitor and share information about ransomware strains should be beneficial.
Tighter cryptocurrency regulations to help identify and root out illicit transactions, along with enhanced cryptocurrency tracing, forensics and other blockchain intelligence tools to recover stolen funds, will be needed – especially to counter emerging trends such as the adoption of privacy-protecting coins and the use of decentralised exchanges that make investigating online crimes and enforcing sanctions difficult.
Policy can also encourage firms to make themselves more resilient against ransomware attacks. Aggregate premiums for standalone cyber insurance represent less than 1% of the global property and casualty market, while some reports indicate that only around a third of small businesses purchase this kind of protection. With cyber exposures only set to increase, policy measures to foster this small but nascent market will help ensure the full societal benefits of cyberspace are realised.
Mr Darren Pain is director cyber and evolving liability and Mr Dennis Noordhoek is director public policy and regulation with The Geneva Association.