After a ransomware attack forced it to shut down thousands of miles of pipeline, Colonial Pipeline recently spent $4.4 million to restore its data. Its insurer may be unwilling to foot the bill for that decision.
Such incidents have drawn increasing attention from the companies that provide cyber insurance coverage to large organizations. In fact, the French insurer AXA announced on May 9 that it would no longer cover ransomware payments, raising questions about how the industry will respond to ransomware in the future.
In this changing environment, how should cyber insurers assess and mitigate ransomware risk? Phil Edmundson, founder and CEO of Boston-based Corvus Insurance, explains. Corvus is a commercial insurer that uses data science to analyze IT vulnerabilities and help companies prevent breaches.
Dark Reading: How do ransomware attacks affect your risk model?
Dark reading: How do ransomware attacks affect your risk model?
Edmundson: We follow the activities of cybercriminals very closely. We looked at the latest data from various third-party providers, including average ransomware payments and the number of reported ransomware incidents. The number of actual cases is underreported. We are really paying close attention to the development of the type of technology that cybercriminals are using.
About twelve cybercrime groups accounted for the majority of ransomware incidents. They identify themselves by name. Part of their purpose is to be able to negotiate ransom payments reliably. The only way for an insurance company or organization to gain trust is that they see a pattern of implementation. We studied the types of vulnerabilities successfully used in ransomware.
Dark Reading: How do cyber insurance companies usually handle ransomware claims?
Edmundson: Corvus is very different in this respect. We have built our own software to analyze the organization’s IT security defense measures. This allows us to… [identify] loopholes in advance and [work] with our policyholders to prevent these loopholes. But we are not perfect.
After receiving the notice of claim, the first thing we need to do is to help the organization understand the means of activities that must be carried out. They must notify government officials of criminal activities. Then, they must present their recovery plan. In many cases, organizations have adequately backed up their data so that they can resume operations in a reasonable time without paying a ransom. We may help them find new IT facilities and cloud computing functions to enable them to surf the Internet faster. After that, we help them calculate financial losses [due to damaged hardware or software or lost revenue].
Dark Reading: What caused the company to actually pay for ransomware? What costs and benefits will they generate when they make these decisions?
Edmundson: This is a very difficult calculation. [Think of] the Colonial Pipeline hackers. They paid the ransom and then received the decryption key. The decryption key is obviously working poorly. They can start and run their own backups faster than using the decryption key. Therefore, they paid the ransom, but they had no value.
What we usually do with our customers is to encourage them to quickly analyze the cost of daily business losses, and then help them to calculate between paying the ransom and not paying the ransom. Sometimes the ransom amount may be more than the insurance money purchased by the organization. The ransom requirement may be US$3 million. But maybe the organization only has a $1 million policy.
With our non-compliance response service, we try to help each organization find the best way. One of the most difficult and important things to perform is to calculate the damage to the business that occurs every day.
Dark Reading: Do you think that AXA’s decision to stop providing insurance for ransomware payments will increasingly become a standard practice for cyber insurance companies?
Edmundson: Some insurance companies are limiting their payouts. They may be rewriting their insurance policies to pay only 50% or a percentage of the loss, commonly referred to as a co-insurance clause or co-insurance percentage. Others may make payments conditional on certain actions of the insured organization, making it difficult to pay claims.
Now this is a vibrant place. The insurance industry must have been caught off guard. Regarding what the policyholder will do, I must think that the policyholder wants to buy insurance against this risk. [In this case] I hope that many of them will leave AXA and buy a policy from another insurance company with a wider coverage.
Dark Reading: Does paying these payments actually induce ransomware attacks and make them more frequent?
Edmundson: I think it may be true, at least to a certain extent. But then we saw that the ransom paid by the organization far exceeded the amount of insurance it had. We know that many organizations will pay a ransom even if they do not purchase insurance. It depends on each situation.
Dark Reading: How do you deal with the recent cases of ransomware attacking hospitals, where these incidents required the evacuation of the facility, resulting in the death of a patient?
Edmundson: I think an interesting way to answer this question is to recognize the communications made by cybercriminals on the Colonial Pipeline hack, and they do their best to say: “Hey, we just want to make money here. Let’s not try to disrupt the American energy system.” I think that cybercriminals are a bit sensitive, and they should draw a clear line of things that are not just money. Hopefully, this will keep them away from the healthcare industry, where these behaviors can be a matter of life and death. And may keep them away from other categories.
Dark Reading: Can this analysis enable you to direct your company to a specific product that can fill the loopholes you find?
Edmundson: We are increasingly being asked to do so. We issue reports to each policyholder and tell them their loopholes. They always ask us: “Okay, how can I solve it?” When we first started doing this three years ago, no one really paid attention to our suggestions. But now they are paying attention. They are looking for more powerful suggestions. We just announced a new defense system for policyholders, which we call vCISO [virtual chief information security officer]. This inevitably leads us to make more recommendations on the specific types of defenses that organizations can deploy.
Richard Pallardy is a freelance writer based in Chicago. He has written for publications such as “Supplement”, “Discovery”, “Science” magazine and “Encyclopedia Britannica”.