Insurers fearful of hackings

Premiums on rise over ransomware

The recent surge of ransomware attacks is upending the cyber insurance industry, pushing up the eligibility requirements and cost of coverage just as more companies need it.

Ransomware attacks -- in which cybercriminals take over an organization's computer network and demand a payment to hand back control -- have increased in frequency and severity over the past two years. According to blockchain research firm Chainalysis, ransom payments from companies increased 341% to $412 million in 2020.

"This is a tipping point this year," said John Kerns, an executive managing director at insurance brokerage Beecher Carlson, a division of Brown & Brown, which sells cyber insurance. "I've been in business for 32 years and haven't seen a market quite like this."

That's pushing insurance carriers to reevaluate how much coverage they can afford to offer and how much they have to charge clients to do so. Underwriters are demanding to see detailed proof of clients' cybersecurity measures in ways they never have before. For example, not using multifactor authentication, which requires a user to verify their identity in more than one way, might result in a rejection.

The majority of insurance companies are raising premiums for plans that cover damage from hacks, including ransomware attacks. Prices for at least half of insurance buyers went up 10% to 30% in late 2020, according to a survey cited by the U.S. Government Accountability Office. In some cases, annual premiums companies are expected to pay have increased by as much as 50%, said Joshua Motta, founder of insurance tech company Coalition.

Many insurers are also restricting how much cyber coverage they can offer or limiting the terms and conditions, several industry executives said. In some cases, that means slashing the amount of reimbursement that can be used specifically for ransomware attacks.

Overall, ransomware claims have increased by upward of 300% in the past year, Kerns estimated. At the same time, t

The GAO study shows that companies are increasingly opting to buy cyber insurance. Large insurance broker Marsh McLennan told the agency that 47% of its eligible clients decided to get the coverage last year, compared with 26% in 2016.

Adding to the chaos is the fact that hackers are sometimes targeting companies specifically because they have insurance, according to James Turgal, a former FBI agent who is now a vice president at Optiv, a cybersecurity firm that advises companies on how to deal with hacks.

New hacking groups are getting into ransomware attacks to go after what they see as an "endless pot of money" facilitated by insurance companies, Turgal said. "I've worked cases where they're actually providing a snapshot of your cyber insurance cover page from your own system showing you, 'Hey, you have cyber insurance, so there's no reason not to pay.'"

French insurance giant AXA said at the beginning of May that it would stop reimbursing ransomware payments in France, after French officials raised concerns that the payments were encouraging more crime. Days later, AXA said one of its subsidiaries had been hit by a ransomware attack, according to The Associated Press. A spokesperson for AXA did not return a request for comment.

Ransomware is a catchall term for software that lets hackers take control of a computer network and lock out the original owner. They usually gain access by tricking employees into giving up passwords or downloading malicious code through "phishing" emails.

Attackers generally leave a digital ransom note explaining that the network owner has a set period of time to pay using cryptocurrency or risk losing access to their computers permanently.

Chainalysis data shows the average ransom payment has quadrupled from about $12,000 at the end of 2019 to $54,000 at the beginning of this year. Hackers have also started stealing and dumping sensitive files from their victims if they aren't paid promptly.

Ransomware attacks have hit many aspects of everyday life in the past two years. Chemotherapy treatments in Vermont were delayed, meat plants were temporarily shut down across the United States, and an attack on the company that owned the Colonial Pipeline set off a panic up and down the East Coast that spurred a real-life fuel shortage.

Colonial Pipeline, which admitted it paid about $4.3 million to hackers who breached its system, confirmed in testimony before Congress this month that it did have cyber insurance. The Justice Department recently said it reclaimed more than $2 million of that.

Many more of these attacks go publicly unreported. But insurance firms still feel the effects when they shell out millions to reimburse ransom payments and get businesses back on their feet.

"I know that we have several clients that had under-the-radar ransomware losses that were seven-figure losses," said Adam Lantrip, leader of the cyber practice at insurance broker CAC Specialty.

Information for this article was contributed by Ellen Nakashima and Dalton Bennett of The Washington Post.
