Ransomware incidents continue to feature in the international as well as IT industry press, with recent high profile victims being JBS Foods, Fujifilm, Colonial Pipeline, Ireland’s Health Service Executive, and AXA Insurance.
Less well publicised are the many smaller organisations that are held to cyber ransom. Being targeted in this way does not indicate negligence or bad practice: many well-secured networks are quietly also becoming victims. Industry surveys show that ransomware is playing a significantly increased role in malware-associated data breaches year-on-year, now involved in 61.2%. Of course, the many organisations forced to close do not survive to participate in industry surveys, and non-public companies are not required to report ransomware incidents, both of which surely push the true frequency higher.
What Bridewell Has Been Doing?
At Bridewell, ransomware is rightly top of mind when clients use our consulting and managed service and we have been assessing and reducing their attack surface exposure accordingly. We also monitor and hunt in the environments of our managed detection and response (SOC) clients for indicators of intrusion and compromise, e.g., Cobalt Strike beacons or DarkSide exfiltration TTPs.
A third aspect we have also been helping with is reviewing companies’ insurance posture as part of their overall security strategy for cyber resilience. This blog addresses the growing role that cyber insurance plays in the ransomware lifecycle, the value proposition of insurance and some key terms to look out for.
The Cyber Insurance market has continued to mature and expand: the total global cyber insurance market has gone from estimated £3.bn in 2018 to £6.7bn in 2021 to £14bn by 2025.
Much of that is huge enterprises with up to $1bn of cover, but the number of other businesses taking out cover is growing.
Another part of this secular growth in the value of this line of insurance is due to increased premiums: these have recently increased by 11% year over year, indicating how many claims are being made.
A core item in cyber policies is payment for ransoms (via an intermediary), something not covered in most Business Interruption policies. Ransom payment is still legal in most jurisdictions but there are influential arguments against it, for example from the ex-Director of the NCSC, from the French Senate and AXA itself before its event. Nonetheless, in a survey of Europe and the USA by Hiscox, more than half of respondents (58%) paid.
There are some parallels with kidnapping where paying ransoms is illegal in many countries but is in some cases the only or most expedient option. An ecosystem of intermediaries and negotiators exists for this purpose.
Paying the ransom is a case-by-case and local decision that can be justifiable, in the interests of the organisation and its customers, including but not limited to healthcare scenarios. Colonial Pipeline paid a $4.4m ransom and JBS Foods $11m. The net result, however, has been positive feedback for the criminals: supplying further incentives and more resources, and attracting ever more bad actors who can easily access the Ransomware as a Service business model. As is well known, paying the ransom does not guarantee files will be successfully decrypted, nor prevent a second similar incident or doxxing blackmail to which the organisation may remain vulnerable. Backups are an internal insurance policy and appear to have enabled Fujifilm to rebuild without paying the ransom.
Ransoms are not the primary cost in cyber insurance, however. This position goes to First Party Damage – the insurer covering your lost revenue and making your organisation whole. That does not include improvements, just restoring the status quo ante. These restoration costs can be enormous, as exemplified in the stricken multinationals rebuilding from scratch in response to their NotPetya incidents: sometimes you must destroy the infrastructure to save it. Organisations will typically also need to spend to improve their security after an incident, which is available with betterment extensions in a policy.
Do I Need It?
This will depend on each organisation – the effectiveness of defences and backups, ratio of data located in SaaS versus on corporate infrastructure – but there is certainly a need for more awareness among decision-makers to make an informed choice. As a report from the insurance industry shows, up to 43% of C-Level executives had no awareness or overview of the cyber insurance offering. Until it is too late, we could add: seeking insurance cover after suffering an incident entails higher premiums.
If your company has Cyber Essentials certification through the IASME consortium the accreditor Bridewell works with, there is an amount of free Cyber Liability Insurance included.
Besides the intrinsic benefits of a policy, there is increasing evidence that having cyber insurance coverage benefits smaller vendors in qualifying to supply bigger providers who could never otherwise recover their damages from the vendor.
A good cyber insurance product can add value throughout the incident process, not just at the end.
Having good cyber hygiene, awareness, and tools to restrict execution can certainly reduce the likelihood of falling victim to ransomware, increasing the work factor for the human attacker behind the modern ‘human operated ransomware’ and deterring the opportunists. However, the risk cannot be eliminated. Cyber insurers have teamed with security vendors to make preventive controls available to their insured, since they both have an interest in averting an incident. These services can be valuable add-ons for mid-cap organisations who may lack a security team.
When called upon, insurers deploy niche external expertise to isolate and the contain incident from teams who manage ransomware regularly, something few internal IT staff typically do. This enables a company’s own employees to keep the organisation operating during an incident.
Another factor to consider is delayed or ill-advised expenditure decisions in an incident – a policy that has response modules included removes these dilemmas.
Insurers can deploy PR agencies experienced in managing reputational damage and internal communications. However, note that the costs of reputational damage per se are rarely insurable, and the second- and third order effects are likely out of scope of the policy: consider the shockwaves from the Colonial Pipeline incident for the stock market and millions of motorists.
As well as the costs of restoring the organisation, Third Party costs are a major threat following a ransomware incident. Adding to the injury of a ransomware incident, an affected company can then be litigated for losses by its customers and partners. Also, as more companies procure insurance, it becomes more likely that insurers of ransomware-stricken companies pursue a potentially liable supplier or vendor, through subrogation.
Features to Look Out for in a Policy
If you decide you should start looking at policies, the NCSC provides a helpful guidance on buying insurance. There is a broad range of policies and extensions available to meet different needs, increasingly priced to suit smaller companies.
As many companies found to their cost during COVID-19, not all policies are equal and some did not pay out – in that case, Business Interruption policies.
Some further important considerations we recommend on top of the NCSC list are to check:
- The ‘prior date’, which specifies how far before the policy events will be covered. With the median global dwell time for attackers now 56 days, the prior date should be 6 months, 1 year or indefinite (Full Prior Acts).
- The terms on subrogation, where the insurer may seek recovery on your behalf – this may affect your current agreements with suppliers and partners, e.g., their Limit of Liabilities.
- The availability and responsiveness of the insurer’s incident response provider.
- Exclusions – insider threats from staff are often excluded, but are a significant vector for attacks that you may have to manage separately; and
- Preventive benefits – whether the safeguards the insurer makes available to you are suitable for your security hygiene.