Cyber-insurance is being blamed for the recent rise in ransomware attacks. As more victims fall back on their insurance companies to pay the ransom, security researchers warn that this approach could quickly become problematic.
In the first half of 2020, 41 percent of all cyber-insurance claims were made due to ransomware attacks, according to a 2020 Cyber Claims Insurance Report by CoalitionInc.
Indeed, in most cases, companies that were hit by ransomware were able to mitigate or even completely recover their losses through insurance.
After the city of Riviera Beach was hit by ransomware in June 2019, the city council held an emergency meeting and unanimously authorized its insurance company to pay a $600,000 ransom. The city of Lake City, Florida, paid almost $500,000 to ransomware attackers; that payment was mostly covered by insurance, too. And in 2020, the University of Utah paid a ransom of $457,000, with the help of its cyber-insurance provider, after a ransomware attack crippled its servers.
Colonial Pipeline, hit by a ransomware attack last month, reportedly had cyber-insurance coverage through Aon and Lloyds of London for at least $15 million. It has not been confirmed, however, whether the $4.4 million paid to the attackers came from that coverage.
Then there was Norway’s Norsk Hydro, which received around $22.1 million from its insurance provider after the attack, while the total damage was estimated at between $60 million and $71 million.
Clearly, for companies hit by a ransomware attack, cyber-insurance can help minimize the financial damage caused by the incident.
Nevertheless, security researchers are increasingly worried about the use of cyber-insurance to cover ransoms. Not only does making a payment put an organization in a potential legal conundrum, it also shows cybercriminals that their efforts have paid off:
“Not only does making a ransomware payment also place an organization in a potentially questionable legal situation, it is proving to the cybercriminals you have funded their recent expedition,” said Brandon Hoffman, CISO at Netenrich.
While it may seem like a good idea to pay a ransomware demand with insurance money, doing so could also encourage more organizations to adopt the same approach:
“From a broad perspective, building in ransomware payments to insurance policies will only promote the use of ransomware further and simultaneously disincentivize organizations from taking the proper steps to avoid ransomware fallout,” Hoffman said.