Cyber-Insurance Companies: Are They Fueling Ransomware Frequency Spikes?

ProPublica reports that cyber-insurance companies are pushing victims to pay ransom demands because doing so saves the insurer money in the long run: a $500,000 payout makes better financial sense than a recovery campaign that could cost millions. The recent event in Lake City, Florida is a good example. Ransomware attacks were covered under the city's cyber-insurance policy, so the city paid the ransom, shelling out only its $10,000 deductible rather than bearing the cost of a prolonged recovery that could have exceeded its $1 million coverage limit. The city also wanted to resume normal services as quickly as possible.

Michael Lee, a sergeant in the Lake City Police Department, said, "Our insurance company made [the decision] for us. At the end of the day, it really boils down to a business decision on the insurance side of things: them looking at how much is it going to cost to fix it ourselves and how much is it going to cost to pay the ransom." In August 2019 alone, 22 Texas municipalities were hit by ransomware in a single coordinated attack, and the number of attacks is projected to keep rising.

The cybercriminal isn't the only one who gains from ransom payouts. "In recent years, cyber insurance sold by domestic and foreign companies has grown into an estimated $7 billion to $8 billion-a-year market in the US alone," stated Fred Eslami, an associate director at AM Best, a credit rating agency that focuses on the insurance industry. Ransom payments often become public, spreading fear of attack among businesses and government organizations, and fear sells cyber-insurance policies.

The FBI maintains its stance that paying ransoms only serves to spread cybercrime and may fund terrorist regimes. Insurance companies say that isn't their problem. "The onus isn't on the insurance company to stop the criminal," said Loretta Worters of the Insurance Information Institute. "Their objective is to help you get back to business."

With many ransomware victims facing weeks of recovery time on their own, a growing number are choosing the quickest way out to limit their losses. "They're going to look at their overall claim and dollar exposure and try to minimize their losses," said Eric Nordman, a former director of the regulatory services division of the National Association of Insurance Commissioners. "If it's more expeditious to pay the ransom and get the key to unlock it, then that's what they'll do."

The City of Baltimore is a useful point of reference for the cost an organization can incur by not paying. With no cyber-insurance, Baltimore refused to pay the ransom demand and has since spent over $5 million on recovery efforts. Atlanta likewise has now spent over $8 million on recovery-related expenses rather than paying the $51,000 ransom demanded last year. Looking at numbers like that, it's easy to see why paying the attacker can look like the best option for the victim, not just for the insurance company.

“The insurer is the one who is going to get hit with most of this if it continues,” said Lee. “And if they’re the ones deciding it’s still better to pay out, knowing that means they’re more likely to have to do it again—if they still find that it’s the financially correct decision—it’s kind of hard to argue with them because they know the cost-benefit of that.”