Due diligence on sanctions key to navigating ransomware minefield: underwriters

Industry faces ethical and legal challenges in managing ransomware claims amid rising cyber threats in Asia.

(Re)in Summary

• Some insurers have taken a stance against paying ransoms directly, but most still offer cover for associated costs like digital forensics, legal counsel, and business interruption.
• Assessing cyber risk and providing appropriate coverage is particularly challenging for less digitally mature organisations and markets.
• But the cyber insurance underwriting process itself will serve as a powerful risk mitigation tool, panelists said.
• The increasing use of AI tools is also helping to level the playing field by enabling more companies to strengthen their cybersecurity posture.

Ransomware, which Munich Re ranked as the dominant risk and loss driver for cyber insurance in an April report, remains an ethical and legal minefield for insurers, said underwriters at the InsureTech Connect Asia conference in Singapore on Thursday (June 6).

With an ever-changing list of sanctioned groups conducting attacks across Asia, insurers have had to grapple with ethical and legal dilemmas around paying ransoms, said Andrew Taylor, senior vice president of underwriting, reinsurance and claims at MSIG.

“There are varying stances towards the payment of ransoms in the industry,” Taylor added. “There are some insurers who’ve made very public statements that they will not pay for ransomware.”

But not paying the ransom doesn’t mean that insureds would be unable to recover associated costs. “Generally, (insurers) say, ‘We won’t pay the ransom, but we’ll reimburse the cost of stopping this ransomware attack’,” Taylor said.

Insurers also offer expertise and advice on how to negotiate with ransomware groups, and even access to cryptocurrency wallets if policyholders decide to pay ransoms with them. “And they also provide advice on whether they think the criminal or the individual is a sanctioned individual or group or country,” he said.

The issues involved go beyond ransom payments.

“There’s misconceptions around this point of view, because eventually the ransom payment is a small component of the total cost of a claim,” Taylor said. “There’s a lot of expense costs that insureds get access to under the policy.”

As law enforcement and ransomware groups continue to play their cat and mouse game, insurers will have to be careful and avoid making payments to sanctioned groups, said Rob Philips from consulting firm Ankura.

Philips brought up a recent case, in which police in the UK, US and Australia named Russian national Dmitry Khoroshev as the ringleader behind what was once the world’s largest ransomware outfit, with the US Treasury Department formally sanctioning him soon after.

But even after a concerted effort to dismantle LockBit’s dark web infrastructure, the group is “still conducting attacks on victims in Singapore and throughout the world,” said Philips. “And now the victims are in this situation that, if their data is locked by a ransomware attack, and they don’t have backups, and their data have been stolen, and the group are threatening to publish (data) on their leak site, if the victim is thinking about making a payment to unlock their data, it could present some problems.”

“We’ve seen a very dynamic situation in terms of the groups out there,” Philips added. Ransom demands have averaged around US$400,000 and have ranged from $25,000 to $5 million, he said.

By working with cyber insurance providers, insureds also get the support they need in an extremely stressful crisis situation, said Jennifer Tiang, regional head of cyber in Asia for broker WTW. “Organisations typically don’t have a whole digital forensics specialist team,” Tiang said.

“The set of skills that you need to address in these kinds of events is completely, probably outside their (IT teams’) skillset. This is why you want to bring in the digital forensics firms, legal firms, entities to share their experience and guide you through and make sure you’re mitigating the impacts of this event.”

Audits as risk mitigation

For less digitally mature organisations and markets, the challenge of crafting appropriate cyber cover is particularly acute. Organisations in emerging markets may lack the robust IT systems and cybersecurity controls that insurers typically look out for when assessing risk.

AI has eliminated a need to be “digitally literate”, said MSIG’s Taylor. “I think AI enables us to be technologists,” he said. “It’s not (about) being digitally literate, it’s providing the right mechanism of education about how that policy will help them out of the risk that they do have.”

With companies increasingly connected, criminals often seek the weakest link, said Taylor. It is in these connections between organisations that risk is most difficult to underwrite and assess.

“Sometimes that is a small business with weaker security or no money to pay,” he added. “The reason you’re being targeted and the reason your network is being destroyed is because you’re just part of the kill chain to get to the bigger target.”

Insurers have increasingly positioned the underwriting process as part of risk mitigation and risk management, said WTW’s Tiang.

“(Insurers are) not asking these questions because they are trying to make it difficult for you to get insurance,” she said. “The insurers are saying: ‘these are the claims that we’ve seen, and it’s because of the absences of these controls, or perhaps the absence of certain governance structures around security, and that’s why these hacks have happened.’”

The cyber insurance underwriting process itself can be a powerful educational tool, she added.

“Just even the mere fact of being assessed, you know, that’s basically a free audit, so a free set of guidelines based off insurers that have paid out on things,” she said. “I think if you’re really able to harness this, the services and processes associated with cyber insurance, that it’s going to help these emerging markets.”
