Colonial Pipeline recently shelled out $4.4 million to recover its data following a ransomware attack that forced it to shut down thousands of miles of pipeline. The decision potentially left its insurer on the hook for the bill.
Such events are of increasing concern to the firms that underwrite cybersecurity for large organizations. In fact, French insurer AXA announced on May 9 that it would no longer support ransomware claims, raising questions about how the industry would address cyber extortion going forward.
How should cyber insurance companies assess and mitigate ransomware risk in this dynamic and volatile environment? Phil Edmundson, founder and CEO of Boston-based Corvus Insurance, a commercial insurer that uses data science to analyze IT vulnerabilities and help businesses prevent breaches from occurring, explains.
Dark Reading: How do ransomware attacks impact your risk models?
Edmundson: We follow the activities of cybercriminals very closely. We look at recent data from a variety of third-party providers around the average ransomware payment and the number of ransomware events that are reported. The number of actual cases is underreported. We look really closely at developments in the types of technology that cybercriminals are using.
There are about two dozen cybercriminal gangs that account for most of the ransomware events. They identify themselves by name. They do that, in part, to be able to negotiate ransom payments with credibility. The only way that insurers or organizations can gain the trust to do that is because they see a pattern of fulfillment. We study the types of vulnerabilities that are being used to succeed in ransomware.
Dark Reading: How does a cyber insurance company typically address ransomware claims?
Edmundson: Corvus is very different in this regard. We have built our own software to analyze the IT security defenses of organizations. That allows us to … [identify] vulnerabilities ahead of time and [work] with our policyholders to block those vulnerabilities. But we're not perfect at that.
The first thing we do when we're notified of a claim is to help that organization understand the avenues of activity that have to occur. They have to notify government officials of the criminal activity. Then they have to bring out their restoration plan. In many cases, the organization has backed up their data sufficiently to be able to resume operations within a reasonable period of time, without the payment of a ransom. We may help them to find new IT facilities and cloud computing capabilities to get them online more quickly. Afterward, we help them to calculate their financial losses [due to damaged hardware or software or lost revenue].
Dark Reading: What situations lead a company to actually make a ransomware payment? What are the costs and benefits that come into play when they make those decisions?
Edmundson: It's a very difficult calculus. [Think of] the Colonial Pipeline hack. They paid the ransom, then received the decryption keys. The decryption keys apparently worked very poorly. They were able to get up and running with their own backup quicker than they would have from the decryption key. So they paid the ransom, but they got no value from it.
What we generally do with our clients is encourage them to quickly analyze the cost of each day's loss of business and then help them to make that calculus between paying the ransom or not. Sometimes the ransom amount may be for more money than the organization has purchased insurance for. The ransom request might be for $3 million. But maybe the organization only has a $1 million policy.
With our breach response services we try to help each organization find the best path through that. One of the most difficult and most important things to do is to calculate the harm to the business that takes place every day.
Dark Reading: Do you think that AXA's decision to stop insuring ransomware payments will increasingly become standard practice for cyber insurers?
Edmundson: Some insurers are imposing limitations on their claims payments. They may be rewriting their policy to only pay 50% or some percentage of the loss that's often referred to as a coinsurance clause or coinsurance percentage. Others may make the payment conditional upon certain actions by the insured organization, thereby making it harder for a claim to be paid.
It's a very dynamic place right now. The insurance industry has certainly been caught off-guard. In terms of what policyholders are going to do, I have to think the policyholders want to buy insurance against this risk. [In this case] I expect that many of them would leave AXA and go buy a policy from another insurer that has more robust coverage.
Dark Reading: Does making these payments actually incentivize ransomware attacks and make them more frequent?
Edmundson: I think it probably does, at least on the margin. But then we have seen organizations pay a ransom well in excess of the amount of insurance that they have. We know that many organizations will pay a ransom even if they didn't buy insurance. It depends on each situation.
Dark Reading: What do you make of cases like the recent ransomware attack against a hospital, which required that the facility be evacuated, resulting in the death of a patient?
Edmundson: I think one interesting way to answer that question is to recognize the communications that were made by the cybercriminals on the Colonial Pipeline hack, where they went to some length to say, "Hey, we're just trying to make money here. We're not trying to disrupt the American energy system." I think there's some sensitivity among cybercriminals that they should draw a line in places that don't go beyond just money. Hopefully, that will keep them away from the healthcare sector where these acts can be a matter of life and death. And probably keep them away from some other categories.
Dark Reading: Does that analysis allow you to direct companies to specific products that will plug the holes that you do find?
Edmundson: We are increasingly being asked to do that. We issue reports to every policyholder telling them about their vulnerabilities. Invariably they ask us, "Well, how do I fix that?" When we first started doing this three years ago, nobody really paid attention to our recommendations. But now they pay attention. They're looking for a more robust advice capability. We just announced a new defense system for our policyholders that we call the vCISO [virtual chief information security officer]. That inevitably leads to us making more recommendations about specific types of defenses that the organizations can deploy.