Scant evidence that cyber insurance boom is leading to better security

  • The rise of the cyber insurance has largely failed to promote better cybersecurity practices among the industries they cover, according to a new report released Monday from British security think tank RUSI. (Photo by Spencer Platt/Getty Images)

    The security community for the last few years pointed to great potential for cyber insurance to drive progress in cyber best practices: force companies to up their game by making certain standards a requirement for coverage.

    But recent research shows that’s not happening.

    The rise of the cyber insurance has largely failed to promote better cybersecurity practices among the industries they cover, according to a new report released Monday from the British security think tank Royal United Services Institute (RUSI). This is particularly true for the scourge of ransomware, where rising payments and business incentives to pay may pose an existential threat insurance providers in Great Britain – and beyond.

    Although ransomware is “a societal problem,” the authors note that cyber insurers are facing some heat for the role they play in financially propping up the cyber-criminal industry.

    “These add fuel to the fire by incentivizing cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities, write authors Jamie MacColl, Jason R.C. Nurse and James Sullivan. “Growing losses from ransomware attacks have…emphasized that the current reality is not sustainable for insurers either.

    When a company is hit with ransomware, they’re often faced with three choices: pay up, lean on backups or rebuild the entire IT network. Since insurers usually opt to cover the cheapest option, paying an upfront ransom almost always ends up costing less than starting from scratch or incurring weeks of downtime while systems are restored from backups.

    While this model and approach seemingly make business sense to insurers, it ends up putting an absurd amount of money into the pockets of criminal groups. These groups then have more resources to further develop their malware and infrastructure, offer better compensation to entice talented hackers to join their network and buy zero-day exploits or initial access to victim companies.

    In February, a report from Chainalysis, which tracks cryptocurrency payments in law enforcement investigations, estimated that these groups took home at least $350 million in ransom payments in 2020, and experts say that many incidents are not publicly reported, because the victim has decided to quietly pay before their information is advertised online and not engage with law enforcement.

    Several high-profile incidents in recent months and underscored the challenges faced in this area. The U.S. government was initially unable to get information around ransom payment from executives at Colonial Pipeline, and some were outraged when CEO Joseph Blount in a media interview appeared to cast paying the $4.3 million ransom (which Blount later said the company submitted an insurance claim for) as “the right thing to do” and a patriotic duty to keep vital American infrastructure running. A ransomware attack on insurance giant CNA in March also resulted in a $40 million payment that is believed to be the largest ransom payment to date on record, according to Bloomberg.

    The RUSI report, part of a year-long project with the University of Kent studying ways to incentivize better cybersecurity through insurance, finds little hard evidence that indicate this model is forcing companies to reevaluate their own cybersecurity practices and investments. It also warns the current model of making regular large ransom payments will not financially benefit insurers over the long term.

    While some of the carriers interviewed for the report touted their pre and post-incident services — like forensic analysis, incident response, legal services and public relations – as valuable services that help lift a victim organization to a higher, more secure plane of cybersecurity that prevents future attacks, there’s only scant, scattered evidence that this is actually happening in some places.

    In fact, many companies that buy cyber insurance tend to view it as a tool for resilience against cyber attacks rather than a risk mitigation tool. Research by threat intelligence firm Cybereason in June claimed that an eye-popping 80% of companies that paid the ransom wound up getting infected by ransomware again in the following months, often by the same group.

    One example of a favorable impact cited by the authors: claims by U.S. insurance provider Corvus that their scanning for ports and vulnerabilities commonly exploited by ransomware groups resulted in a 65% drop in ransomware-related claims from April to September 2020.

    These insurers can do more to sharpen the kind of data they collect, push industry to adopt security standards set by government organizations like the U.S. National Institute for Standards and Technology and rate different cyber security products for their value and impact on premium costs.

    “There is a solid body of theoretical arguments that cyber insurance could play a meaningful role in improving cyber security among businesses, as referenced in a previous RUSI Emerging Insights paper,” the report argues. “However, in practice, it is still yet to be seen if cyber insurance can fulfil this promise.”

    While the paper is geared towards the UK insurance market, the challenges and potential solutions outlined share many parallels with that of the U.S. market, where a ransomware epidemic has forced policymakers to elevate the issue and consider a number of previously extreme solutions, like banning ransom payments, heavily regulating the cryptocurrencies used to pay and directing law enforcement and intelligence agencies to increasingly target the IT infrastructure that these groups rely on to carry out their schemes.

    The findings echo similar claims made in a U.S. Government Accountability Office report on cyber insurance in May, which found that the industry on the whole lacked the kind of historical data around data breaches and their effective mitigations to properly price their coverage, though some providers of cyber insurance interviewed by SC Media disputed the conclusions at the time.

    “If you ever go to a restaurant and felt like having a nice lobster dinner, you probably saw the menu say ‘market priced’, because who knows how many lobsters they caught that day, or that time a month or that year? The pricing is really variable in what lobsters cost on a day-to-day basis, it can fluctuate wildly,” said John Pescatore, director of emerging security trends at the SANS Institute, in May. “That’s sort of what the case is [today] for cyber insurance, it’s essentially market price.”