How Ransomware Attacks Have Shaped the Cyber Insurance Market
The surge in ransomware attacks is forcing insurance companies to look for a new approach to providing coverage.
Welcome to the age of ransomware. During the COVID-19 pandemic, hackers worldwide became bolder and demonstrated the effectiveness of holding a company's critical data or systems hostage. High-profile hacks have shown the enormous power that ransomware holds over the corporate world, proving that no one is safe.
This shift has sent shockwaves through the world of cybersecurity, with repercussions in the fields of data governance, compliance and business management. But how has the rise of ransomware changed the world of cybersecurity insurance? Understanding the change requires a solid understanding of how ransomware has evolved over time.
While ransomware has existed since the late 1980s, it is only during the last five years that it has become a formidable threat to companies and government agencies.
One of the first widespread ransomware attacks to be documented was a simple Trojan spread on floppy disks in 1989.[1] This PC Cyborg Trojan locked PC systems and required users to send $189 to an address in Panama to restore access. This attack was ransomware in its simplest form: a program that disabled systems and then required payment for the user to regain access.
However, early ransomware was held back by a structural challenge to the scheme: the problem of payment. Post office boxes and mail are easily tracked, even if the address is on the far side of the world. This traceability essentially capped the reasonable amount of money that could be requested; if the hackers asked too much or chose a target with extensive financial or political resources, the victim could find a way to track and shut down the operation.
All that changed when cryptocurrency came along.
When Bitcoin became available in 2010, hackers recognized the value of such a tool. One of Bitcoin's most exciting advantages was that it was a universal currency that couldn't be tracked, and was totally unbacked by any government or preexisting fiat currency. Suddenly, ransomware hackers had been handed a custom-fit solution to their problem of payment tracing.
CryptoLocker, one of the first examples of truly modern ransomware, arrived on the scene in 2013.[2] CryptoLocker exhibited most of the key attributes of current ransomware, including email as the initial entry vector, a Bitcoin ransom and the ability to spread throughout a network after the initial breach. With these essential characteristics locked down, hackers began to expand ransomware to the position of power that it holds today.
As the COVID-19 pandemic forced most business processes online, ransomware threats and incidence steadily increased. Almost all large organizations working in the financial, healthcare and energy sectors were forced to cut down on their brick-and-mortar operations. This shift to digital operations increased the pressure on targeted organizations to pay ransoms when put into positions of stress.
At the same time, hacker organizations began to choose their targets based on who they thought would be able to pay the biggest ransom, a practice known as big game hunting.[3]
Today, large corporations and government agencies are more concerned with ransomware attacks than ever. Attacks are frequent and often cause massive damage.
Since the advent of big game hunting, traditional cybersecurity insurance practices have been forced to pivot. Most cyber insurance policies used to cover ransomware payments, which were usually inconsequential compared to the bottom line of the insured business.
However, a few factors have totally reshaped the landscape of ransomware insurance, and cybersecurity insurance in general.
Most importantly, the average ransom has shot up over the past four years, making it much more costly for insurance policies to cover these types of payments. Researchers found that the average ransom paid was around $570,000 in the first half of 2021, an 82 percent increase over the 2020 average.[4]
But this number doesn't paint the entire picture of the total cost to the insurance company, as there are so many other trickle-down consequences, such as lost business, double or triple extortion and employee downtime. It's also important to note that these figures vary greatly, and the highest payments made in 2021 were many times greater than the average.
Secondly, the rapid increase in incidence has made covering ransomware costs almost unsustainable for many cyber insurance companies that continue to look at ransomware in an old-school way. In the mid-2010s, when ransomware attacks were increasing slowly, insurance companies could keep up with demand for coverage by slowly increasing the cost of policies. However, the ransomware spike of the past three to four years has completely changed the game, sending insurance companies scrambling to figure out how to keep policies available and rates competitive.
In just a few years, ransomware has been redesigned into an incredibly powerful cyber tool that insurance companies must find new ways to handle. As ransomware has quickly become a dangerous threat to all sectors of the market, insurance companies will most likely continue to bundle their policies with security packages, moving to more of a Software as a Service (SaaS) model. This solution may take some of the liability off the hands of corporations, hopefully keeping premiums low and availability of policies high.
[1] "History of Ransomware," CrowdStrike, 21 Jun 2021.
[2] "Alert (TA13-309A): CryptoLocker Ransomware Infections," Cybersecurity & Infrastructure Security Agency (CISA), revised 7 Oct 2016.
[3] "Cyber Big Game Hunting," CrowdStrike, 21 Mar 2022.
[4] Baylor, Ramarcus, Jeremy Brown and John Martineau. "Extortion Payments Hit New Records as Ransomware Crisis Intensifies," Palo Alto Networks, 9 Aug 2021.