Ransomware, supply chain attacks put cyber insurers on notice

Dive Brief:

The rise of cyberattacks is putting pressure on the cyber insurance industry, as newly released data from startup insurer Coalition shows average ransomware demands nearly tripled in the first half of 2021. The average ransom demand reached $1.2 million per claim during H1, compared to $450,000 in the year-ago period. Ransomware demands reached an average of $1.3 million during the second half of 2020 but leveled off by H1 of 2021.
Attacks against healthcare organizations rose sharply, up 311%, during H2 of 2020 compared with the first half of the year. Attacks against industrial firms rose at an even faster rate — 387% over the same period.
About 1,000 Coalition policyholders were exposed to Microsoft Exchange server attacks. While 98% of policyholders remediated the vulnerability, 2% were compromised and had to file a claim. The Microsoft Exchange attack accounted for 13% of Coalition's claims during the first half of 2021. Microsoft officials did not immediately return a request for comment.

Dive Insight:

Ransomware attackers have become more sophisticated in how they select targets and what they ask for in demands, according to the report. Attackers have obtained stolen insurance data to find out which companies have coverage and what insurance firms are willing to shell out to settle a claim.

Coalition executives say that insurers will tighten certain requirements to obtain a policy as the industry looks to lower risk.

"Yes, in general it will become more difficult for organizations to qualify for cyber insurance," Joshua Motta, co-founder and CEO of Coalition, said via email. "The implementation of common cybersecurity controls will increasingly be required as a condition of coverage."

As a general trend, price increases, co-insurance and sub limits will continue throughout the year, Motta said. Coalition has not pulled back from the market, sub-limited ransomware coverage, added co-insurance, or added exclusions for end-of-life software as others in the market are doing, he said.

In many cases when clients decide their only option is to pay a ransom, Coalition will help organizations negotiate the payment through an incident response firm, according to Motta. In many cases this happens because data is encrypted during the attack or the company did not have any data backups.

"The incident response team will begin by contacting the threat actor through a chat forum on the dark web or email in response to the initial ransom note sent by the victim," Motta said. "The threat actor will typically send details regarding how much they are demanding for data retrieval."

When a final number is agreed to, companies use an outside party to purchase bitcoin and make the final transaction, Motta said. Legal issues must first be resolved, including running a check with the Office of Foreign Assets Control (OFAC), since payments cannot be made to criminals subject to U.S. sanctions.

Cyber insurance firms have been under increasing pressure over the past 18 months, as attacks against organizations increased during mass remote work. The rise in nation-state activity, including supply chain attacks and ransomware, has led to sharp increases in claims and pressure to contain payouts.

Forrester Research Senior Analyst Alla Valente said there is a supply and demand problem in the insurance industry. Organizations want insurance coverage, but there is a question of whether the cyber insurance industry was built to handle the high volume of claims they are seeing now.

"I do wonder whether or not [the insurance industry] had the right cybersecurity subject matter expertise to say that first of all, historical data on cybersecurity is far smaller than it is on just regular insurance coverage," Valente said.