Written by Ruth Promislow, Michael Whitt and Kees de Ridder
Updated May 28, 2021: A previous version of this post erroneously stated that the ransomware attack on AXA happened after AXA's announcement that it was suspending insurance coverage in France for ransomware extortion payments.
Insurer AXA, among Europe's top five insurers, recently announced that it was suspending insurance coverage in France for ransomware extortion payments. AXA said it made this decision in response to concerns raised by French justice and cybersecurity officials during a recent Senate roundtable in Paris about the global epidemic of ransomware. Notably, days before AXA's announcement, the insurer was hit by a ransomware attack.
AXA's move reflects a growing sentiment around the world that the current state of insurance coverage for ransomware payments is fueling the ransomware business. Earlier this year, The Guardian interviewed the founding head of the United States National Cyber Security Centre, Ciaran Martin, who asserted that the ransomware problem is being exacerbated by insurance coverage for extortion payments and suggested it was time to consider a legal ban on ransom payments. The FBI has stated, "[p]aying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities."
In April 2021, the Institute for Security and Technology in the United States released a report entitled "Combating Ransomware," which sets out recommendations from a ransomware task force made up of a coalition of experts in industry, government, law enforcement, civil society and international organizations. This report does not propose a ban on insurance coverage for ransomware payments. Rather the report recommends the establishment of "an insurance-sector consortium to share ransomware loss data and accelerate best practices around insurance underwriting and risk management," and suggests that the insurance industry can "push insured organizations to better manage their risk."
The Combating Ransomware report outlines several recent statistics that underscore how ransomware has exploded in the last few years:
- Ransomware attacks are the most common reported cyber insurance claim, according to Coalition, a cyber-insurance firm.
- In the first half of 2020, Coalition observed a 260% increase in the frequency of ransomware attacks among its policyholders, with the average ransom demand increasing 47% to an average of $338,669.
- In 2020, victims paid $350 million in ransom, a 311% increase from the prior year (Chainalysis).
- The average payment in 2020 reflected a 171% increase compared to 2019 (Palo Alto Networks).
- In 2020, nearly 2400 U.S.-based governments, healthcare facilities and schools were victims of ransomware.
- A 2020 survey of 5,000 IT managers found that 51% had been hit by ransomware in the last year and in 73% of these attacks, the criminals succeeded in encrypting the data.
- Throughout 2020, the number of ransomware attacks involving data exfiltration increased by around 50%.
Other studies provide further evidence of how the frequency of attacks and the level of extortion demands are increasing drastically. According to a recent study by NetDiligence, the average ransom demand has increased more than ten-fold in the last few years, with some demands being in the range of millions, and the number of demands increasing enormously. One insurer reported only 8 ransomware claims in 2015, and 108 in 2019. It was recently revealed that a Canadian insurer paid $40 million to lift the ransomware from its systems.
It is conceivable that other insurers may follow AXA's approach in removing insurance coverage for ransomware, or limiting coverage for these payments. At present, there are several indications that the market for coverage of ransomware payments is contracting. In the shorter term, it is reasonable to expect that insurers will consistently require a particular level of security standards as a precondition to insurability. It is also reasonable to expect that ultimately, the insurance industry will adopt security baseline requirements as a standard for cyber insurance.
Security standards that may be required as a baseline for insurability include: a proactive strategy for minimizing the risk of a successful attack; a well-rehearsed incident response plan to maximize an organization's ability to identify security issues and recover quickly; and a robust backup strategy that enables an organization to restore encrypted systems from backups.
A proactive strategy to resist ransomware attacks includes the following steps:
- Implement safeguards to protect critical services—for example:
  - Regularly update systems with the appropriate security patches to ensure cybercriminals cannot take advantage of known flaws.
  - Filter web and email content for malicious URLs.
  - Use multi-factor authentication on all accounts.
  - Implement least privilege so that users only have the bare minimum privileges they need to do their jobs. This can help reduce the risk of attackers gaining access to critical systems or sensitive data.
  - Avoid using remote desktop access services.
- Monitor supply chain security, including system software and hardware suppliers.
- Exercise diligence when purchasing software, hardware or computer or network services.
- Develop organizational awareness and responsibility to identify cybersecurity risks. For example, educate employees on what to look for in terms of phishing and suspicious emails.
- Mobilize internal resources from various divisions within the organization such as management, legal, technology, human resources and compliance, and have the team identify the risks and vulnerabilities that are particular to the organization, including worst-case cyberattack scenarios.
Well-Rehearsed Incident Response Plan
The ability to recover quickly from a ransomware attack can depend on having a well-rehearsed incident response plan in place. An incident response plan should set out (among other things) how security events will be escalated, who are the key decision makers within the organization and their respective roles, and a roadmap for how to handle different types of security incidents. Regular "code-red" scenarios (essentially a cyberattack fire drill, also known as tabletop scenarios) are important so that the incident response team can rehearse how they will handle a cyberattack, and fine-tune their strategy for managing an incident. In the course of "code-red" scenarios, organizations can also learn valuable lessons about how they can minimize the risk of attack or the impact on operations from an attack.
Some hallmarks of a robust backup strategy include:
- retaining redundant backup copies of systems and data in multiple off-site and offline locations;
- storing critical assets offline;
- physically and digitally separating critical data and networks;
- backing up regularly; and
- regularly testing backup and recovery plans.
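The last item above, regularly testing backup and recovery plans, is the one most often skipped, and a backup that has never been restored is not a tested backup. The following script is an added illustration of a restore drill (it is not part of the original post and not a Bennett Jones tool): it takes a backup of a constructed sample directory together with a manifest of SHA-256 digests, simulates loss of the production copy, restores from the archive into a clean location and verifies every file against the manifest. It also shows that the same check flags a file that was silently altered during restore. All file names and contents are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict:
    """Write src to a compressed tar archive and return the manifest taken at backup time.

    The manifest is the reference a later restore is verified against; keep it
    with the offline copy, not only on the system being backed up.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing unsafe member paths where Python supports it."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter rejects absolute paths and ".." traversal in archive members.
            tar.extractall(dest, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest)


def verify_tree(root: Path, manifest: dict) -> list:
    """Return (relative path, reason) for every file missing or differing from the manifest."""
    problems = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(path) != expected:
            problems.append((rel, "digest mismatch"))
    return problems


def run_restore_drill() -> dict:
    """Back up, lose, restore and verify a constructed data set; returns the drill results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod, archive, restored = tmp / "prod", tmp / "backup.tgz", tmp / "restore"

        # Constructed sample data standing in for production files (hypothetical names).
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (prod / "config.yaml").write_text("retention_days: 30\n")
        (prod / "notes.txt").write_text("quarterly drill\n")

        manifest = make_backup(prod, archive)

        # Simulate loss of the production copy: every file becomes unusable.
        for rel in manifest:
            (prod / rel).write_bytes(b"\x00" * 16)
        lost = verify_tree(prod, manifest)

        # Restore into a clean location and verify against the backup-time manifest.
        restore_backup(archive, restored)
        after_restore = verify_tree(restored, manifest)

        # A restore that silently altered a file must be caught by the same check.
        (restored / "config.yaml").write_text("retention_days: 0\n")
        tampered = verify_tree(restored, manifest)

        return {
            "files": len(manifest),
            "lost_before_restore": len(lost),
            "mismatches_after_restore": after_restore,
            "detected_after_tamper": [rel for rel, _ in tampered],
        }


if __name__ == "__main__":
    print(run_restore_drill())
```

In a real drill the archive and manifest would come from the offline copy, the restore target would be an isolated host, and the result (number of files verified, any mismatches, time to restore) would be recorded as evidence for the incident response plan and, increasingly, for the insurer.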
Regardless of whether an organization is required by its insurer to implement a particular standard of security, it is better off by implementing a robust strategy to prevent, detect, contain and recover from attacks.
The Bennett Jones Cybersecurity group is available to lead you through regular code-red scenarios and guide you on developing a tailored proactive management strategy to your organization's risks and vulnerabilities and an incident response plan that accounts for your operations. The team is also available 24/7 to help you manage a cyberattack. Key contacts for cyberattack matters are Ruth Promislow and Michael Whitt.