BOSTON – (AP) – In the past few weeks, ransomware criminals have claimed at least three North American insurance brokers as victims: firms that sell policies meant to help others survive the very network-crippling, data-stealing extortion attacks the brokers appear to have suffered themselves.
Cyber criminals who break into corporate and government networks to steal sensitive data for extortion routinely try to find out how much cyber insurance coverage their victims carry. Knowing what a victim can afford gives them an edge in ransom negotiations. That makes the cyber insurance industry itself a prime target for crooks seeking the identities and coverage details of its customers.
Before ransomware became a global epidemic striking businesses, hospitals, schools, and local governments, cyber insurance was a profitable niche industry. It has been accused of fueling the criminal feeding frenzy by routinely recommending that victims pay up, but it has also kept many victims from going bankrupt.
Now the industry is not only in the criminals’ crosshairs. It is also close to unprofitable, its economics turned on their head by a more than 400% rise in ransomware cases in the past year and skyrocketing extortion demands. As a percentage of premiums earned, cyber insurance payouts now exceed 70%, the break-even point.
Fabian Wosar, chief technology officer at Emsisoft, a cybersecurity company specializing in ransomware, said the prevailing attitude among insurers is no longer “just pay the criminals; it will be cheaper for everyone involved.”
“The ransomware groups got way too greedy too quickly. The cost-benefit equation that insurers originally used to figure out whether or not to pay a ransom just doesn’t exist anymore,” he said.
It’s not clear how the biggest ransomware attack of all time, which began on Friday, will affect insurers. But it can’t be good.
Pressure is growing on the industry to stop reimbursing ransom payments.
In May, the major cyber insurer AXA decided to do exactly that for all new policies in France. But it apparently stands alone in the industry so far, and governments are not moving to ban reimbursement.
AXA is among the major insurers that have themselves suffered ransomware attacks, with its operations in Thailand badly affected. Chicago-based CNA Financial Corp., the seventh-largest US cyber insurance underwriter last year, had its network crippled by ransomware in March. Less than a week earlier, the cybersecurity firm Recorded Future had published an interview with a member of the Russian-speaking ransomware gang REvil, which happens to be behind the current attack, who is knowledgeable about how the gang gathers intelligence before attacks. He suggested that the gang actively seeks out insurers to obtain data on their customers.
CNA would not confirm a Bloomberg report that it paid a $40 million ransom, which would be the largest reported ransom payment on record. Nor would it say what data was stolen or how much. It said only that the systems holding most of its policyholder data were “unaffected.”
In a regulatory filing with the Securities and Exchange Commission, CNA also said that its losses may not be fully covered by its insurance and that “future cybersecurity insurance coverage may be difficult to obtain or only available to us at a significantly higher cost.”
Another major insurance player hit by ransomware was the broker Gallagher. Though it was attacked in September, it was only revealed last week (June 30) that the attackers may have stolen highly detailed data on an unspecified number of customers, ranging from passwords and Social Security numbers to credit card details and medical diagnoses. Company spokeswoman Kelli Murray declined to say whether cyber insurance policies were stored on the compromised servers, or whether Gallagher paid a ransom. The criminals of the RagnarLocker gang apparently never posted any information about the attack on their dark web leak site, which suggests that Gallagher paid.
Of the three insurance brokers that ransomware gangs claim to have attacked in the past few weeks, posting stolen data as proof on their dark web sites, two, in Montreal and Detroit, did not respond to phone calls and emails. The third, in Southern California, acknowledged that its operations were crippled for a week.
When the Colonial Pipeline and the large meat processor JBS were hit by ransomware in May, insurers were already passing higher coverage costs on to customers.
Cyber premiums in January in the US and Canada rose 29% from the previous month, said Gregory Eskins, an analyst at leading commercial insurance broker Marsh McLennan. In February the month-to-month increase was 32%, in March it was 39%.
To cut losses related to ransomware, which Eskins said accounted for about 40% of cyber insurance claims in North America last year, insurers are imposing new, stricter requirements or lower coverage limits at policy renewal.
“The price has to match the risk,” said Michael Phillips, chief claims officer at the cyber insurance firm Resilience in San Francisco and co-chair of the public-private ransomware task force.
A policy might now stipulate that reimbursement of extortion payments cannot exceed a third of the total coverage, which typically includes recovery costs and lost revenue and can include payments to public relations firms to limit reputational damage. Or an insurer might cut coverage in half or introduce a deductible, said Brent Reith of the broker Aon.
While some smaller insurance carriers have stopped offering cyber coverage altogether, the big players are adjusting instead.
Then there are hybrid insurers such as Resilience and Boston-based Corvus. They don’t just ask prospective customers to fill out a questionnaire. They actively scan customers’ cyber defenses and engage them when cyber threats emerge.
“We monitor and make active referrals not just once a year, but year-round and dynamically,” said Phil Edmundson, Corvus CEO.
But is the entire industry agile enough to absorb the growing onslaught?
The Government Accountability Office warned in a May report that “the extent to which cyber insurance will continue to be widely available and affordable remains uncertain.” And the New York State Department of Financial Services said in a February circular letter that massive losses were possible in the industry.
Both policyholders and insurers, who are stingy about sharing experience and data, share the blame, the UK’s Royal United Services Institute said in a new report. Most ransomware attacks go unreported and there is no central clearinghouse for them, although governments are beginning to push for mandatory reporting. As an industry, insurers are not particularly transparent. In the United States, they are regulated not by the federal government but by the states.
And for the time being, cyber insurers generally push back against calls to stop reimbursing ransom payments.
On a conference call in May, the UK’s Beazley CEO Adrian Cox said “in general, network security is not good enough right now.” He said it was up to governments to decide whether payments were bad public policy. Evan Greenberg, CEO of the leading US cyber insurer Chubb Limited, agreed in the company’s annual report in February that a ban is a matter for governments to decide. But he came out in favor of a ban on payments.
Jan Lemnitzer, a lecturer at Copenhagen Business School, believes cyber insurance should be compulsory for businesses large and small, just as anyone who drives must have car insurance and wear a seat belt. The Royal United Services Institute study recommends it for all government suppliers and contractors.
While he considers a ban on ransom payments problematic, Lemnitzer says forcing insurers to stop reimbursing such payments is an obvious step.
Some have suggested imposing fines on ransom payments as a deterrent. Or the government could keep a percentage of any cryptocurrency recovered from ransomware criminals, with the proceeds going to a national ransomware defense fund.
Such measures could cut into criminal revenue, said Stewart Baker, an attorney at Steptoe and Johnson and a former NSA general counsel.
“In the long term, this likely means that resources currently going to Russia to pay for Ferraris in Moscow will instead be used to improve cybersecurity in the United States.”
Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed in any way without permission.