What’s Driving Big Ransomware Paydays?
About a century ago, insurers began to ease an enormously costly string of fire claims from fabric factories, then called mills.
They encouraged insureds to install overhead sprinkler systems. In the early days, they were turned on by hand and powered by gravity. Later they were activated by heat-sensitive switches and driven by electric pumps. These risk management devices were and are remarkably efficacious: devastating and costly fire losses in commercial locations have been dramatically reduced. Premium rates have fallen in step, such that fire cover is affordable to tinderbox factory owners earning even the most meagre margins.
Now, roughly a century after insurers led the worldwide rollout of this simple but superb safety measure, underwriters are again desperate to reduce losses in a specific class of business. The first cyber insurance cover was written in Lloyd’s about 1987. A visionary financial institutions underwriter granted an extension of the standard FI wording to cover losses arising off-premises due to computer-related errors. It wasn’t yet called cyber insurance, but cyber insurance it was.
Three decades on, cyber was hailed as the greatest product innovation in decades. The global commercial insurance market had pretty much reached its potential in developed markets, so cyber was its savior. Insurers and brokers eager for a new sell had hackers to thank for demonstrating the need for a new class of business, neither property nor casualty, which every single commercial insured would soon require.
Within a few years, the hopeful (correctly) predicted, every existing corporate policyholder would be clamoring to add cyber to their shopping cart. All that the brokers and insurers needed to set the ball rolling was a few high-profile claims to frighten their clients. Alas, neither the occasional release of customer data nor even the odd exploding crucible was enough. It wasn’t until ransomware attacks causing massive disruption began to top the news—think WannaCry then Colonial Pipeline—that insurance buyers piled on.
Carriers scrambled to recruit underwriters from the market’s smattering of specialist MGAs. Long (sometimes ongoing) debates were held over esoteric questions like when a cyber attack is an act of war. Brokers reached out to personable university graduates with technology degrees to flog the new product to commercial clients worldwide. Everyone was full of e-glee.
It helped that regulators, including Lloyd’s and the Prudential Regulation Authority in the United Kingdom, made it clear that cyber risk should be handled in the stand-alone cyber market and not under the business interruption provisions of normal property, marine, construction, and liability policies. Cyber underwriters couldn’t hide their happiness at this regulatory meddling, intended helpfully to prevent unbearable “silent cyber” losses from a theoretical systemic risk.
How quickly the dream soured. Now, uncomfortably and unfortunately, the cost of claims under cyber policies has put them increasingly out of reach for many insurance buyers. Rates in the London direct and facultative market have risen like bubbles in beer, and they continue to ascend. The average price rise on renewal in December 2021 was, according to one broking source, 100%, and no ceiling is yet in sight. It’s almost cheaper to buy COVID-cancellation cover.
No wonder: underwriters report consistently, with grave faces, that—despite its enormous popularity and boggling price rises—cyber isn’t yielding profits anymore. Even with rates soaring, many were unable to make cyber pay (unlike the hackers, who are disturbingly able to make insurers pay).
So serious was the tide of cyber red ink bleeding out of 1 Lime Street that a rumor (incorrectly) asserted that the market had banished by diktat any new cyber risk underwriting. In fact, only the worst cyber performers have been told to cease, but it led to so many negative appetite updates, each blaming Lloyd’s central apparatchiks, that a total shutdown was presumed by some. I’ve never seen anything quite like it.
There’s something else different about cyber. Despite the huge losses, it’s perhaps the most insurer-managed risk since the cotton mill. Loss prevention services are an inherent part of all cyber products. Policies almost always include risk assessment and management support delivered by a growing army of third-party cyber-security experts and trainers.
I once had to work through a four-part, insurer-branded, remote-delivered cyber-security course just to log on to a client’s network to download a bug file. It covered everything from password strength to phish-fingering. And while it’s true that the most common piece of advice the cyber experts give, one cyber broker told me, is “turn on Windows Defender,” there’s little doubt that insurers’ collective insistence upon cyber-security protocols and training has made it more difficult for hackers to break into corporate systems and wreak their electronic mayhem.
Why, then, are claims rising? The answer is relatively obvious and straightforward. It’s always been the case that a few fires are good for the fire insurance market, but ransomware has grown out of control. Eight-figure demands are made and paid weekly. The highest I’ve heard of was €42 million ($47 million). They are so enormously high because hackers have learned to target companies with huge cyber limits. They constitute the modern extortionist’s low-hanging fruit.
Hackers may be despicable, but they’re not stupid. When they get inside a corporate system, the first thing they look for is the cyber policy. It’s not even rocketry science: those with the highest limits face the greatest demands. This is no mere fantasy. Someone might be looking at your insurance policy right now. If they are, be sure they will e-mail it to you as part of their play (usually along with the details of some really sensitive corporate secrets they’ll release if you don’t pay).
Hackers know that the security specialists will, more often than not, advise the hacked insureds to pay. Decryption keys usually work and offer the fastest route to business as usual. With a business interruption cost of, say, $3 million a day, and a five-day span to restore systems from backup (if the hackers haven’t deleted it; they will if they can, and they often can), a $5 million or $10 million ransom for 24-hour recovery is a no-brainer.
“But wait,” I hear you thinking. “We can foil them!!” True, in the Colonial Pipeline ransom the U.S. government was able to recover the bulk of the cryptocurrency paid over to the criminals. So why not always do that?
It’s entirely doable. Insurers could, through a process I don’t begin to claim to understand, do what U.S. federal cyber-crime busters effectively did: watermark the bitcoins. When the pseudo-cash shows up later, the bad guys can be traced down and collared. That too should be a no-brainer, like ceiling-mounted fire control systems.
Unfortunately, insurers are afraid. We hear occasionally that one or another has been hacked. Poke the criminals hard enough with the virtual equivalent of hundred-dollar bills covered in purple dye, and they have the power to take down the offending carrier’s systems forever—they really do. Worse, they might look at everyone’s limit and hack happily to trigger a genuine systemic risk.
The solution, then, is to make the insurance of ransoms illegal. We would see some initial casualties, but a prohibition would immediately remove the low-hanging fruit and pour buckets of cold water over the ransomware industry. If we don’t do that—or something else that puts ransoms under control—the ransomware problem, and thus the cost of cover, will simply continue to grow.