Insurance Jottings
What Insurers Should Know as Ransomware Takes Centre Stage
Cyber criminals aren’t just stealing passwords and data. They’re stealing the spotlight.
Amid the ongoing COVID-19 pandemic which has been a global focus since government shutdowns began in March of last year, insurers and businesses all over the world are now being forced to grapple with another damaging epidemic: ransomware.
Ransomware attacks accounted for nearly one quarter of all cyber incidents globally last year, according to software company Bitdefender, and they’re on the rise. So far this year, ransomware incidents have afflicted businesses, hospitals, schools, local governments, critical infrastructure and even insurance companies’ own operations.
An explosion of attacks this year has led state regulators and federal government officials to elevate their focus on ransomware, with The White House ramping up its discussions about the issue in the wake of recent incidents, Reuters reported.
“I think the takeaway is hopefully help is on the way and that companies are not being left to simply fend for themselves because the government is going to make enforcement and pursuit of these actors a priority,” said Peter Halprin, partner at New York-based law firm Pasich in the most recent episode of the Insuring Cyber Podcast.
Centralising the Focus
A spate of recent attacks are of particular concern among US government officials, as they’ve been attributed to cybercriminals operating from Russia. There was the hack last year in which Russian military cyber criminals sabotaged computer code within a software called SolarWinds.
Now, a July ransomware attack has made its way to the centre of the conversation, in which the Florida information technology firm Kaseya saw its management system hacked. REvil, a Russia-linked cybercrime syndicate, took credit for the breach.
In June, REvil extorted a US$11 million ransom out of meatpacker JBS after compromising its supply chain. Earlier this year, in May, an intrusion by another Russia-linked group at US fuel transporter Colonial Pipeline led to the shutdown of 5,500 miles of critical infrastructure, causing panic buying and gas shortages all along the East coast.
“They’re targeting every vulnerable organisation you can think of under the sun,” said Marc Wallenstein, partner at plaintiffs’ complex-litigation firm, Korein Tillery, later in the podcast episode. “…that wasn’t happening five years ago.”
It’s been reported that the US Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism, with internal guidance sent to US attorney’s offices across the country saying information about ransomware investigations in the field should be centrally coordinated with a recently created Ransomware and Digital Extortion Task Force in Washington.
In a press conference following the Colonial Pipeline attack, Deputy Attorney General of the United States Lisa Monaco stated that ransomware and digital extortion pose a national security and economic security threat to the United States.
Mr Wallenstein said a centralised focus on ransomware at the federal level is an important step in the right direction toward tackling the issue.
“By centralising information, it’s the first step to having a template approach and making sure that all the resources necessary are brought to bear quickly,” he said.
‘It’s your security against the outside world’
Mr Wallenstein added that for businesses, it’s critically important to invest now in the infrastructure, technology, staff and training necessary to prevent ransomware attacks from happening in the first place. Mr Halprin agreed.
“Businesses simply can’t hide from it,” he said. “I think they need to be proactive.”
Mr Halprin said incident prevention is a four-fold effort. Businesses need to implement both strong password protection and a robust incident response plan in case of an attack to limit its impact. Then, they need to consistently test their response plan and take action to address any vulnerabilities.
“It’s your security against the outside world. How do you protect people from getting in? What can you do?” he said. “…there are instances where underwriters are simply saying, ‘No, you’re just too risky and we’re not going to underwrite you.’ I think those are the kinds of things that will promote companies saying, ‘Oh, wait a minute. If we’re not even worthy of being underwritten right now, there are a lot of things we need to do to improve our systems.’”
Mr Wallenstein said insurers also need to be proactive with their clients to ensure they have the correct products and proper protocols in place to prevent a hack.
“If you have larger clients, you probably want to audit their IT infrastructure and their cybersecurity infrastructure,” he said. “If it’s not good enough, adjust your premiums accordingly, because this is a huge risk.”
Ransom Payments Still a Grey Area
One aspect of incident response which has seen much debate among businesses and insurers alike is the payment of ransoms. The US Treasury Department issued a warning in October that individuals or businesses, including cyber insurers, who help facilitate ransomware payments could be violating anti-money laundering and sanctions regulations.
However, the payment of ransoms is still a grey area for many businesses which could find themselves victim to an attack and cyber insurers that may reimburse clients for ransom payments.
Mr Halprin advised against the payment of ransoms, saying the risks are too high.
Mr Wallenstein went on to say that if ransom payments are prohibited, he believes the attacks would stop.
“But it is a very difficult line to draw,” he said. “It makes sense that the government is taking an incremental approach, because you’re essentially punishing the victim. If you have some poor business that’s hacked out of its systems and pays the ransom, it’s hard not to feel a lot of sympathy for them. And I think we all do.”
While no business or individual has yet been prosecuted for paying a ransom, Mr Wallenstein said businesses and governments should collaborate to ensure the right infrastructure is in place to stop ransomware payments. He added the reimbursement of ransom payments by insurers could be seen as a green light for clients to pay ransoms, which could in turn lead to more attacks.
“If I were an in-house attorney to an insurance company, I would absolutely cease the reimbursement of ransomware payments immediately,” he said.
While global insurance company AXA announced in May it will stop writing cyber insurance coverage in France which reimburses customers for making payments to ransomware criminals, some in the insurance industry are responding differently.
The nation’s largest property/casualty insurance organisation is defending ransom payment reimbursements by insurers in a new set of principles stressing that the insurance industry wants to partner with government and business to improve cybersecurity, Insurance Journal previously reported.
The insurers say they “must be permitted to provide reimbursement coverage for the policyholder’s payment of ransom for cyber extortion,” subject to applicable sanction and other laws.
“This principle is consistent with the long-standing approach to the parallel issue of crime or kidnap & ransom coverages, which are allowed by regulators so long as those payments do not violate sanctions laws,” the American Property Casualty Insurance Association (APCIA) said in releasing its Cyber Extortion/Ransomware Guiding Principles.
APCIA said it is worried that prohibitions on the reimbursement of ransom payments present “potential unintended consequences” such as eliminating a meaningful risk management resource.
R J Lehmann, senior fellow at the think tank International Center for Law & Economics, said he believes a ban could have the opposite intended effect and encourage more attacks on high-value targets.
“…a ban on ransom payments would be likely to shift hackers focus to the highest value targets where an interruption would do the most damage to society,” Mr Lehmann previously told Insurance Journal.
Indeed, the insurance industry appears to be conflicted on this issue, as a recent Insurance Journal poll asking whether insurers should provide ransom reimbursement coverage within cyber policies brought mixed results.
Nearly half of respondents – 47% – said insurers should provide this coverage as it’s an important risk management source, especially for businesses which have no option but to meet ransom demands if attacked. However, just less than that – 42% – said insurers should not provide this coverage as it carries too many risks and will encourage payment of ransoms, which could lead to more attacks. A handful of respondents were not sure as ransomware continues to evolve. The data was collected at time of publication.
Mr Wallenstein said that while insurance companies reimbursing clients for ransom payments aren’t in any danger of repercussions right now, he sees that as a possibility in the future.
“If some creative prosecutor or regulator decides to make a name for themselves enforcing existing laws, then all of a sudden the field changes,” he said. “That happens all the time.”
Despite growing risks around ransomware, Mr Wallenstein said he believes things are moving in the right direction in terms of response and awareness.
“Hopefully, over time, everyone will figure out how to get us to a place where people can stop paying the ransom without the devastating consequences of, for example, a pipeline being turned off or a hospital being shut down.”
Mr Halprin pointed to ‘a grey rhino event’ to demonstrate how far things have come since the early days of ransomware. He described a grey rhino event as a threat that is highly probable and highly impactful, yet neglected.
“I think that’s how we could think of ransomware pre-Colonial Pipeline,” he said. “And I think now…people are seeing the threat for what it is, and I think that they can no longer put their heads in the sand anymore. So it’s really important for everyone to think about these things, to stay on guard and to steel themselves and protect themselves so that they are not the ones who are on the front page of the paper or we’re discussing in podcasts.”
Check out the rest of the most recent Insuring Cyber Podcast episode to see what else Marc and Peter have to say, and be sure to check back for new episodes publishing every other Wednesday along with the Insuring Cyber newsletter.
Eight Leading Insurers and Reinsurers Launch Net-Zero Climate Alliance
Eight of the world’s leading insurance and reinsurance companies have launched an alliance to help speed up a transition to a net zero emissions economy.
The companies, which include Europe’s top three insurers by premiums – Allianz, AXA and Generali – said the Net-Zero Insurance Alliance (NZIA) would work to shift underwriting portfolios towards net-zero greenhouse gas emissions by 2050.
The move comes as insurers come under increasing pressure to spell out how they plan to decarbonise their businesses amid growing calls for them to stop underwriting and investing in fossil fuel projects.
Each of the companies will individually set intermediate targets every five years and report on progress annually in cooperation with competition authorities, the NZIA members said in a statement.
“With this new Net-Zero Insurance Alliance, we are raising our climate ambition further,” said Thomas Buberl, chief executive of the AXA Group, which chairs the NZIA.
NZIA members, which also include Aviva, Munich Re , SCOR, Swiss Re and Zurich Insurance Group, will set underwriting criteria for the most carbon-intensive activities in their underwriting portfolios and offer solutions for low-emission and zero-emission technologies.
They will also include net-zero and decarbonization risk criteria in their risk management frameworks.
“By committing to join the gold standard alliance for net zero, the (NZIA) will ultimately make underwriting contingent on underlying companies having credible net-zero transition strategies,” said UN climate envoy Mark Carney.
The Alliance, first outlined in April, was presented by Generali CEO Philippe Donnet at Sunday’s G20 Climate Summit in Venice.
Many of the leading Europe-based insurers have already adopted climate-friendly policies.
Last month, Generali pledged to reach carbon neutrality in its direct investment portfolio by 2050.