Show Me the Coverage: Ransomware Actors Demand Cyberinsurance Policies
The landscape of cybersecurity threats is continuously evolving, and ransomware attacks have emerged as a significant concern for organizations of all sizes. In a ransomware attack, cybercriminals encrypt the victim’s files, rendering them inaccessible and demand a ransom in exchange for the decryption key. This extortion method has proven lucrative for cybercriminals, resulting in an alarming increase in the frequency and sophistication of ransomware attacks.
Recently, a new trend has emerged. Ransomware threat actors are now demanding that victims provide copies of their cyberinsurance policies. This new tactic enables attackers to tailor their ransom demands to the policy limits, maximizing their profits while minimizing the risk of victims refusing to pay.
Indeed, ransomware purveyors—eager to get paid—have long offered their victims “customer service” portals where, after being paid, they will walk the victim through the process of unlocking their data. Now some bold ransomware threat actors are going one step further—offering to assist their victims in filing insurance claims to be reimbursed for the cost of the attack
“Very important! For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company.”
The ransomware threat actor is inviting the victim to collude with the criminal to file an insurance claim up to the policy limit. This is, of course, a dangerous tactic for all involved.
The Rising Trend of Demanding Cyberinsurance Policies
Cyberinsurance policies have become an essential tool for organizations to manage the financial risks associated with cyberattacks. These policies typically cover the costs of incident response, legal fees and financial losses resulting from a cyberattack, including ransom payments. As the adoption of cyberinsurance has increased, ransomware attackers have recognized the opportunity to exploit these policies for their benefit.
By demanding copies of cyberinsurance policies, ransomware threat actors can determine the exact coverage and policy limits, allowing them to tailor their ransom demands accordingly. For example, if an organization’s policy covers ransom payments up to $1 million, the attacker can demand a ransom of $1 million, knowing that the insurance policy will cover the cost. This tactic increases the likelihood that victims will pay the ransom as the financial burden is shifted to the insurance provider. In fact, the threat actor can make a demand of “just under” the policy limit, so that claim is not a “loss limit” claim (a claim of or above the policy limit) which would impact the insured’s ability to purchase insurance in the future. See how helpful the hackers can be?
Implications of the New Ransomware Tactics
As cybercriminals become more aware of policy limits, ransom demands are likely to increase in line with the coverage provided by cyberinsurance policies. This escalation in ransom amounts can result in higher premiums for organizations, ultimately driving up the cost of cyberinsurance. Moreover, while the victim (insured) and the insurer have a vested interest in paying the lowest amount (either by paying the ransom, restoring data or some other form of remediation), the ransomware threat actors are attempting to pit the victim against their insurer.
Strain on the Cyberinsurance Industry
The increased frequency and magnitude of ransomware attacks combined with rising ransom demands puts a tremendous strain on the cyberinsurance industry. Insurers may struggle to maintain profitability leading to higher premiums, more restrictive coverage and even the withdrawal of some providers from the market.
By tailoring ransom demands to policy limits, threat actors ensure that victims (through their carriers) are more likely to pay the ransom because they can rely on their insurance coverage. This successful extortion strategy may encourage other cybercriminals to adopt similar tactics, fueling the growth of ransomware attacks.
Providing cyberinsurance policies to threat actors may raise legal and ethical concerns for organizations. By doing so, organizations are essentially aiding the extortion process, which may violate local or international laws. The insurance companies may allege that the victims are “colluding with” or conspiring with the threat actors to defraud the carrier up to the policy limit. Furthermore, organizations might find themselves in a precarious position when it comes to negotiating with cybercriminals and providing sensitive information.
The tactic is also dangerous because the threat actor might look at the insurance policy and assume that the coverage amount is the actual policy limit without reference to the actual limit (or sublimit) specific to the ransomware coverage. Even when a victim (or their carrier) decides to pay the ransom, the cost of payment is not the only cost associated with the attack. There are the costs of investigation, validation, restoration, prevention, notification, regulatory compliance and litigation, which can far exceed the cost of simply paying the ransom. If the threat actor targets their demand to the policy limit and the carrier pays this, this means that all of these additional costs may be borne by the victim without coverage.
In addition, the threat actor is unlikely to understand (or care about) exclusions and limitations from coverage in ransomware. For example, a policy that covers “lost or stolen” data may not cover a ransomware attack that does not result in exfiltration of data. A policy that covers “destruction” of data may not cover the ransomware situation where the data is still there but inaccessible. With the cost of ransomware (and insurance) increasing, insurers are increasingly taking a narrow view of coverages and an expansive view of exclusions from coverage. For example, when ransomware results in the exfiltration of data, is this a data breach covered by the data breach policy or a ransomware/extortion scheme that may be covered by a different policy (or even a different carrier?) Even the cost of negotiating the ransom itself comes out of the policy limits.
State Laws and Regulations Restricting Policy Limit Disclosure
Increasingly, states and the federal government have been cracking down on the ability of some regulated entities (financial services or government entities) to pay a ransom when demanded. Coverage limits may be protected under state law, particularly in the area of discovery. For example, in California, Assembly Bill 2182 (AB 2182), introduced in February 2020, sought to prohibit insurers from disclosing policy limits to third parties without the insured’s consent (California Legislative Information, 2020). While the bill did not specifically target cyberinsurance, it highlighted the growing concern around the disclosure of policy limits across various types of insurance.
Countermeasures to Mitigate the Risks
The best defense against ransomware attacks is to prevent them from occurring in the first place. Organizations should invest in robust cybersecurity measures, including regular vulnerability assessments, patch management, employee training and the deployment of advanced threat detection and response tools. Organizations should develop and maintain comprehensive incident response plans that outline the steps to be taken in the event of a ransomware attack. These plans should include procedures for isolating affected systems, preserving evidence, notifying relevant stakeholders and engaging with law enforcement and external experts as needed. Organizations should carefully review their cyberinsurance policies to ensure they provide adequate coverage for the potential risks associated with ransomware attacks. They should also consider discussing the evolving threat landscape with their insurance providers to ensure their policies remain up-to-date and effective.
Insurance Industry’s Response to the Rising Ransomware Threat
Denying or Excluding Coverage
In response to the increasing financial burden of ransomware attacks, some insurance companies are seeking to deny or exclude coverage for specific aspects of ransomware incidents. These measures may include refusing to pay for the ransom itself, restricting coverage to only certain types of ransomware attacks or setting specific conditions that must be met for a claim to be approved.
Charging Higher Premiums
As the risk of ransomware attacks continues to grow, insurance companies may opt to charge higher premiums to organizations seeking cyberinsurance coverage. This increase in premiums can make cyberinsurance less accessible for small and medium-sized businesses, potentially leaving them more vulnerable to the financial impact of a ransomware attack.
Government Efforts to Discourage or Prevent Ransom Payments
OFAC Regulations
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued guidance on ransomware payments, emphasizing that paying ransoms to entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) is prohibited under U.S. law. This guidance, issued on October 1, 2020, highlighted the risks of facilitating ransomware payments and underscored the potential legal consequences for both victims and intermediaries, including financial institutions and insurance companies (OFAC, 2020).
SEC Regulations
The U.S. Securities and Exchange Commission (SEC) has also taken an interest in the disclosure of ransomware incidents, particularly for publicly traded companies. The SEC has issued guidance on the reporting of cybersecurity incidents, emphasizing the importance of timely and accurate disclosure to investors. Companies that fail to disclose material information related to a ransomware attack, including ransom payments, may face regulatory scrutiny and potential enforcement actions. New proposed SEC regulations would require companies to report to the SEC any ransomware attacks and the extent of payments made.
In addition to regulatory measures, some governments have actively discouraged organizations from paying ransoms, citing concerns that such payments encourage further criminal activity and may not guarantee the recovery of encrypted data. The FBI, for example, has consistently advised against paying ransoms in ransomware attacks.
Conclusion
As ransomware threat actors adapt their tactics to exploit the growing cyberinsurance market, organizations must stay vigilant and adapt their strategies to counter these evolving threats. Strengthening cybersecurity defenses, implementing effective incident response plans and engaging with insurance providers to ensure appropriate coverage are critical steps in mitigating the risks associated with ransomware attacks.
At the same time, the insurance industry must adapt to the changing landscape while remaining aware of the legal and regulatory implications of their policies. Governments, regulators and the private sector must work together to develop a coordinated response to the ransomware threat, striking a balance between providing financial protection to organizations and discouraging the proliferation of ransomware attacks.
