Most cybersecurity attacks you see in the headlines are like car accidents on the highway. They grab your attention for a few visceral moments and then you continue on your way. But the CNA Financial attack of March 21, 2021 commands a bit more attention. Casual rubberneckers may miss one crucial detail: the attack might have targeted more than CNA Financial's own systems. The ultimate prize could have been the insurer's clients.
CNA Financial shut down customer and employee services for three days to prevent a deeper incursion into its systems. But the initial investigation was not able to rule out the worst-case scenario: the attackers might have obtained the insurer's list of clients, along with the details of their coverage.
Commenting on the situation, Chris Clements, VP of Solutions Architecture at cybersecurity company Cerberus Sentinel, said he expected to see “service providers increasingly targeted by cybercriminals. After all, why spend time trying to compromise a hundred different companies individually when you can compromise them all at once by targeting their provider?”
Cyber Insurance: A Game-Changer?
Cyber insurance is a game-changer for both victims and attackers.
If your company has cyber insurance, you can in many situations recoup losses resulting from an attack. A cyber insurance policy usually covers financial damage stemming from:
- Lawsuits filed by customers whose identities were stolen after attackers obtained sensitive information during the breach, such as Social Security numbers, driver's license numbers and health records
- Financial losses incurred from stolen credit card information and bank credentials
- Cost of repairing your systems
- Recovering data that’s been compromised
- Resources necessary to inform customers about the breach
To illustrate, say you run an e-commerce company and an attacker breaks into one of your databases and makes off with customers' credit card data. The attacker sells the data on the dark web, and the buyer uses the cards to make fraudulent purchases. The customers whose cards were used dispute the charges and are refunded, and the card-issuing bank then pursues your company for the losses. A cyber insurance policy would typically cover the amount the bank is claiming, plus the legal fees involved, subject to the policy's limits and exclusions.
Without cyber insurance, covering these costs on your own could mean crippling financial losses.
But this sword cuts both ways.
The other side of the cyber insurance coin is less appealing: a company known to carry a cyber policy is a more attractive target for ransomware attackers.
But how would they know your company’s covered?
1. Your organization announces it is cyber-insured
Sometimes, companies announce they have cyber insurance—either in a press release or on their website—for the following reasons:
- To give customers the confidence they need to do business with them, knowing that if a breach ever happens, costs they need to recoup may be covered by the company’s cyber insurance policy
- To give investors a sense of security in the knowledge that a data breach or ransomware attack will not drain the company’s financial resources
However, there is a major drawback, too. Ransomware operators now know that your company, through its insurer, has funds earmarked to cover the costs of a ransomware attack.
2. The insurer’s systems get breached and attackers obtain its master list of clients
Hackers actively target insurance companies to figure out which organizations have cyber coverage. According to a hacker affiliated with the REvil ransomware collective, step one of an attack often involves hacking the insurance company. The cybercriminal, going by the moniker “Unknown,” explained that they do this “to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
Are Cyber-Insured Companies Being Targeted?
Ransomware attackers do target companies with cyber insurance, and they may also size their demands to the coverage limits they find in the policy.
“Big-game hunter ransomware groups will likely see insured victims as a quick win, allowing prompt ransom payment with the minimum of fuss,” says Jason Hill, Head of Research at CyberInt, a cyber threat intelligence company. “An uninsured victim will require some level of encouragement to pay, such as the double extortion tactic, which increases the workload for the ransomware group and could still end in non-payment.”
In a double-extortion attack, the operators exfiltrate the victim's data before encrypting it. If the victim refuses to pay for decryption, the attackers threaten to publish the stolen data, adding pressure to pay before the deadline they set.
Is Cyber Insurance Helping or Harming the Fight Against Ransomware?
The fight against ransomware involves protecting organizations from the malware used to carry out an attack, as well as pursuing and prosecuting the criminals responsible for it. In this regard, cyber insurance is not helping the fight.
Given what the REvil affiliate Unknown disclosed about attacker tactics, cyber insurance may be doing more harm than good. Once attackers learn that a company can afford to pay a ransom because it is insured, that company's odds of being targeted rise sharply.
While this logic is sound, there’s a bit more to the picture.
Ransomware Targets Can Be “Chosen” Based on Vulnerabilities
It would be short-sighted to blame all ransomware attacks on cyber insurance. Even though a cyber policy can raise an organization's chances of being targeted, it does not follow that attackers will succeed in breaching it. If an organization is hard to break into because it runs a solid security program, attackers move on to the next target.
Attackers look for low-hanging fruit: organizations that are not adequately protected. They exploit vulnerable, exposed systems to gain a foothold and then deploy ransomware across the network. According to the HIPAA Journal, unpatched vulnerabilities in operating systems and software are the most commonly exploited attack vector. In other words, having cyber insurance is not enough; you also need adequate safeguards, starting with timely patching, to protect your infrastructure.
Are Ransomware Settlements Covered by Cyber Insurance?
Many cyber insurance policies cover ransom payments, and in some cases insurers will even facilitate the payment process. The reasoning is that the sooner a company restores its systems and resumes operations, the smaller the loss for everyone involved.
But as ransomware attacks grow in severity and frequency, insurers have been taking steps to protect themselves. For example, in 2021 AXA announced it would stop writing policies in France that reimburse ransomware payments. The decision followed a French Senate roundtable on ransomware where the stance was stated in direct, unmistakable terms: "The word to get out today is that, regarding ransomware, we don't pay and we won't pay."
Some experts agree with AXA’s logic. In an interview with ABC News, Brett Callow, an analyst at Emsisoft, praised AXA’s move, saying, “The only way to break this vicious cycle is to cut off the flow of cash—and ceasing to reimburse ransom demands may well do that.”
But other insurers are not dropping ransomware coverage altogether. Demand remains high as more and more companies turn to cyber insurance to transfer part of their risk. Instead, insurers are raising premiums, by anywhere from 50% to close to 100%, and tightening the security requirements companies must meet before they can obtain or renew coverage.
Combining Coverage and Protection
Cyber insurance is, without a doubt, a double-edged sword. On one hand, it insulates companies from the debilitating costs stemming from a ransomware attack. On the other, it can increase their chances of getting attacked. But whether or not you choose to get ransomware coverage, your best defense is still proactive cybersecurity.
Beyond assessing what is and is not working in your security strategy, make sure employees understand the risks, and have an incident response plan in place that you test and refine regularly. Combining insurance with these security measures better equips your organization to manage, or avoid, ransomware.