Cybercriminals Seek Ransomware Payments and Settlements

As ransomware attacks have become more prevalent, there has been an increase in cybersecurity insurance (aka cyber insurance) that covers the losses an organization may suffer from a cyberattack. Cyber insurance typically covers losses incurred from data destruction, hacking, data extortion, and data theft. Cyber insurance also often covers ransomware extortion demands, which can seem like a good way to avert disaster. But because cybercriminals are well aware that organizations that have insurance are more likely to pay out a settlement for ransomware payments, cyber insurance isn't quite the panacea many organizations would like it to be.

Jim Richberg, Field CISO, Trusted Security Advisor at Fortinet

Cyber Insurance is a Double-edged Sword for Ransomware Payments
When dealing with a rapidly moving threat like ransomware, cyber insurance can be a double-edged sword. Although having the insurance company pay out a claim is beneficial to an organization, anecdotal evidence suggests that some organizations, especially local governments with limited cybersecurity resources, may be preferentially targeted because they have insurance.

Expenditures such as insurance payments are public records for government, so would-be attackers can determine that a government has coverage, know from the premium paid roughly what the level of coverage is, and know that in the event of ransomware, professional negotiators retained by the insurance company will step in. In other words, identifying the insured can be a simple way for criminals to isolate easy targets and get quick settlements.

Cybercriminals are doing their homework. Looking at the issue from their point of view, cybercriminals making ransomware demands want to know if you have insurance because they know they are more likely to get paid if you do. All the information about your organization can be used against you to verify that you're a good financial target and are likely to pay.

Criminals include whether or not an organization has insurance into their playbooks, and according to data from a ransomware survey, some entities are being targeted many times, especially if they pay.

The Limits of Cyber Insurance for Ransomware Payments
Although cyber insurance generally covers the cost of a ransomware settlement, the coverage is limited. It often covers the replacement of damaged computers and possibly fines associated with the loss of personal identifying information. But cyber insurance doesn't cover the full impact of a cyberattack; it's not a security blanket that insulates potential victims from ransomware.

For example, cyber insurance doesn't cover operating losses, the value of lost proprietary or competitive information, or costs stemming from damage to the organization's reputation. In many cases. These losses can significantly exceed the insurance payout. On a more positive note, insurance can help drive improvements in basic cyber hygiene and the adoption of best practices such as endpoint detection and response (EDR) and security platforms when such measures are required as prerequisites for the issuance of an insurance policy.

Driving Improvements in Cybersecurity
To the extent that insurance can create standards of behavior and cyber hygiene as a condition of coverage, it can drive improvements in cybersecurity. Using products unified in a cybersecurity mesh or common platform reduces the likelihood of an organization being successfully penetrated and the extent of the damage.

As this hardening of potential targets becomes reflected in insurance claims and actuarial data, it is likely that organizations that follow best practices in cybersecurity can reduce their premiums, much like having smoke alarms can reduce the cost of homeowners insurance.

Staying Ahead of Ransomware
Ransomware is a fast-moving topic, and the impact goes far beyond just paying a settlement. Criminals are getting faster at developing exploits of newly publicized vulnerabilities. The nature of ransomware itself has evolved from a crime that was focused on encrypting a victim's records to one that often now also threatens to publicize stolen records or wipe data as well.

Because ransomware crosses political, geographic, and technology borders, it requires an integrated response involving government and the private sector. Organizations can do their part by unifying security tools with cybersecurity mesh platforms and keeping up with good cyber hygiene, while being active consumers of threat intelligence.