Which came first -- the ransomware chicken or the cyberinsurance egg?
That's the central question to a debate that has emerged in the wake of massive spikes in both cyberinsurance policies and ransomware attacks this year, as infosec professionals speculate about possible connections between the two.
On one side of the debate is the fast-growing cyberinsurance industry, an estimated $4-plus billion market. On the other side is the infosec community, which is grappling with a surge in ransomware attacks this year. While no studies have shown a direct connection between the rising number of cyberinsurance policies and ransomware attacks, the infosec community has grown increasingly concerned -- and vocal -- about a possible link.
The theory, according to infosec professionals, is that cyberinsurance policies give companies an easy and affordable way to pay the ransoms and retrieve their data, which in turn leads to more ransomware attacks. In a recent blog post titled "Cyber insurance: here to stay, whether we like it or not," Christopher Boyd, lead malware intelligence analyst at Malwarebytes, said ransomware helped "supercharge" the cyberinsurance market, which has facilitated the ransom payment process.
"At this point, it doesn't really seem to matter much if the victims pay up off their own back, if they hand over a ransom then reclaim money from insurers, or if the insurer is simply on hand to cover recovery and cleanup costs," Boyd wrote. "The bottom line is, it's hard to argue that this doesn't just keep the attacks coming."
The insurance industry, however, has pushed back on that line of thinking. In October, insurance brokerage Marsh published a report titled "Cyber Insurance is Supporting the Fight Against Ransomware" that contested "misinformation" in the media about policies driving ransomware's growth.
"Far from being part of the problem, cyber insurance can be a valuable tool in the fight against ransomware and other cyber threats," Matthew McCabe, senior vice president and assistant general counsel for cyber policy at Marsh, wrote. "Fulfilling its traditional role, cyber insurance pools insureds that are similarly at risk and spreads their potential losses."
Still, security vendors claim they've seen an increase in the number of organizations that choose to pay the ransom, despite recommendations from law enforcement and infosec experts not to pay.
"We're getting into the area of speculation, but what impact has cyberinsurance had [on the increase]?" said Raj Samani, chief scientist at McAfee. "There are insurance companies whose default position is to pay. And actually, that's understandable."
For example, Samani said, if a major city has been crippled by ransomware and the ransom is $1 million but the downtime, restoration and clean-up costs are projected to be $100 million over several weeks, then it's easy to see why organizations would choose the former option over the latter.
Amid a string of high-profile costly ransomware attacks on municipalities and healthcare organizations, the debate suggests there's a growing chasm between the infosec and insurance industries.
A symbiotic relationship?
Ransomware has had a clear impact on the cyberinsurance market; many carriers say ransomware and business email compromise are the two biggest drivers of claims this year.
But it's difficult to determine how much of an effect, if any, the cyberinsurance market has on the ransomware landscape. Insurance carriers and brokers don't publish the number of clients who pay to retrieve their data, and neither do security vendors that perform incident response on ransomware attacks.
Some vendors have published anonymous survey results that show the overall percentage of businesses that pay ransoms. For example, SentinelOne's 2018 Global Ransomware Report showed that 45% of U.S. businesses hit with ransomware chose to pay at least one ransom, though the survey data didn't explain what role cyberinsurance played in the decision to pay.
Still, there are some things that both industries generally agree on: ransomware attacks and ransom payments are increasing.
"Ransomware certainly is the thing that, as an industry and a company, is having the biggest increase in terms of frequency and the severity of the event," said Tim Francis, enterprise lead for cyberinsurance at Travelers Companies, Inc. "And it's not just that the ransom demands are increasing -- and they are."
In addition, Francis said ransomware attacks are generally more sophisticated, and because of that the potential impact on an organization's entire environment is much larger.
John Farley, managing director of the cyber practice group at insurance brokerage Arthur J. Gallagher and Co., agreed and said his company is "absolutely" seeing increases in terms of both frequency and severity.
"Just a few years ago, ransom demands were averaging between $5,000 and $10,000," he said. "Now demands are typically in the six-figure range."
It's difficult to tell whether cyberinsurance has had an effect on the increase, Farley said, and there's no evidence that suggests attackers know if a target has cyberinsurance or what their coverage may be.
"I don't think cyberinsurance is necessarily driving this," he said, "but I do think [attackers] are measuring how many times someone's actually paying. And if you're getting paid, you're going to continue the crime."
Despite the lack of a definitive connection, some security vendors suggest cyberinsurance contributes to the overall increase in ransom payments, which they claim indirectly contributes to the overall surge in attacks.
For example, earlier this month anti-malware vendor Emsisoft noted in its "State of Ransomware in the US" report for 2019 that "Organizations that have cyber insurance may be more inclined to pay ransom demands, which results in ransomware being more profitable than it would otherwise be and incentivizes further attacks."
Emsisoft did not release specific numbers about cyberinsurance or paid ransoms and said the report is based on observations from researchers within the Emsisoft Malware Lab. Emsisoft spokesperson Brett Callow said "it is impossible to say" whether more victims choose to pay ransomware demands.
But Callow also said cyberinsurance policy holders may be more inclined to pay ransoms "simply because the money does not come directly from their pockets. Additionally, in the case of the public sector, paying a $10,000 deductible may be more politically palatable than paying a $500,000 ransom."
To that end, Ryan Weeks, CISO at backup vendor Datto, said his company has seen organizations that ultimately choose to pay the ransom through their cyberinsurance carrier rather than pay to restore data from backups and replace encrypted systems, which can cost more.
"The one thing everybody is starting to become aware of is, if you have a ransomware incident and have almost any type of cyber liability insurance, then the insurance carrier is going to pay the ransom," Weeks said.
Weeks said there's an "almost inherent incentive in the insurance market to pay the ransom," but he also said it would be unfair to blame cyberinsurance for the spike in ransomware attacks until a comprehensive study is performed to establish a cause and effect between the two.
But Farley said having a cyberinsurance policy doesn't necessarily mean the organization is going to pay the ransom. "I think cyberinsurance can have the opposite effect," he said, explaining that a policy could allow an organization to pay the costs of business interruption, lost revenue and data/asset restoration.
To pay or not to pay?
However, Farley acknowledged that some organizations, particularly state and municipal governments, can be under enormous pressure to restore their systems as quickly as possible. He pointed to the rise of ransomware attacks on major cities like Baltimore and Atlanta, which led the U.S. Conference of Mayors to pass a resolution earlier this year that opposes paying ransoms because it "encourages continued attacks on other government systems, as perpetrators financially benefit."
"I think a lot of people agree with that," Farley said. "Number one, no one wants to perpetuate the crime, number two, you don't know who you're paying, and three, there's no guarantee you'll get your data back."
The other side, he said, is that municipalities may have to contend with emergency services being offline, which could potentially impact public safety, and could lead to higher overall restoration costs that will ultimately fall on taxpayers.
The debate over whether victims should pay or not isn't a simple one, Francis said. Insurance carriers like Travelers take all factors into consideration when advising clients, who ultimately make the final decision.
"Each situation is different. Sometimes it's better to pay the ransom, and sometimes it's not," he said. "Depending on how long an insured organization is willing to go potentially with their systems down, it may be better to try to restore. But sometimes when you pay the ransom, it doesn't work as well as you think."
Insurance carriers aren't the only entities that may be contributing to a higher rate of ransom payments. McAfee's Samani said there are a number of "ancillary services" that market data recovery but are actually just paying ransoms behind the scenes to retrieve customers' data.
"There's an entire ecosystem that's been created offering ransomware recovery services," he said. "There are those that claim to be able to decrypt those ransomware variants that have no [publicly available] decryptors, so either they have the most amazing computing power the world has ever known, or they are in some way, shape or form paying for that decryptor."
It's unclear if ransomware operators incorporate cyberinsurance into their strategies, either to raise overall ransom demands or to specifically target insured organizations. But Weeks believes, given the amount of money that's at stake, that if it hasn't already happened, it soon will.
"At the end of the day, people are going to do whatever they have to do to get their businesses back up and running," Weeks said. "And the attackers know this, and so everything they do is designed to maximize the success of that ransom payment."