Between a rock and the Dark Web

Do ransom payments only add fuel to cyber crime and should they be banned? We polled experts in the field

By Miranda Maxwell

“If I pay one penny now, I’ll have 14 kidnapped grandchildren.” That was the reaction of multi-billionaire oil tycoon J. Paul Getty in 1973 when kidnappers demanded $US17 million in exchange for one of his grandsons.

Almost 50 years on, cyber crime ensures the debate over whether to concede to ransom demands rages on, and the Getty family case still perfectly encapsulates the conundrum these payments present – an issue that has never dominated the minds of executives and insurers more than in 2021.

Global broker Aon describes ransomware as now “truly weaponised” and calculates a 500% increase in average insured losses since the start of 2017 and a 350% increase in Australian cyber incidents. Cyber premium increases of up to 40% are on the cards this year, Aon says, with the global cyber insurance market set to reach $US14 billion in 2022.

Capacity has commenced a “slow but steady retraction globally and locally,” and in the Australian market, where gross written premium in cyber cover sits near $US110 million, capacity has been withdrawn “for those organisations that cannot convince markets that their security programs adequately address ransomware risks”.

“Underwriting practices are adapting to the velocity and impact,” Aon notes. “Markets are increasingly empowered to walk away from an organisation that cannot adequately explain their security investment strategy.”

For Kieran Doyle, the Cyber Leader at law firm Wotton + Kearney, all organisations, particularly those that are data-rich, “have to assume they are a target”.

“Ransomware brings even the largest organisation to its knees,” he says.

True. An Insurance News article in March warning of the exposure of critical infrastructure to ransomware attacks proved to be prophetic, with US company Colonial Pipeline suffering a ransomware attack in May that cost it the equivalent of $US4.4 million in bitcoin.

The company was forced to close down its pipeline operations between Houston and the southeastern United States after its computer system was compromised. The payment was made within hours, with the hackers then supplying a software application to restore the system.

The chaos created by that single cyber attack has woken even the most complacent business to the very real dangers posed by cyber criminals.

“It is now visible in the community beyond just headlines,” Clyde & Co Partner John Moran tells Insurance News. “It really impacts individuals.”

Ransomware is defined as malicious software designed to block access to data or a computer system until specified conditions are met.

Typically, threat actors compromise a system and exfiltrate confidential information. They then encrypt the data and demand a ransom; once it is paid, a decryption key is provided to restore access.

If no ransom is paid, they auction the data on Dark Web marketplaces.

Cybercrime is unusually problematic because the perpetrators can “case the joint” virtually, unhindered by geographic boundaries.

“You’d be an absolute mug to walk into a bank with a balaclava these days,” Mr Doyle says. “Now you only hear about someone sitting in front of their computer on the other side of the world holding a poor little SME in this country to ransom for their business.”

The official advice of the Australian Cyber Security Centre is that companies should never pay a ransom, as there is no guarantee cyber criminals will decrypt files once a ransom is paid.

However, research suggests one in three Australian victims do cave in to the hackers, with ransomware costing the nation $1.4 billion last year, according to security firm Emsisoft.

Cyber crime is now reported to be the fastest growing form of crime in the US and globally. Research firm Cybersecurity Ventures predicts cybercrime costs will reach $US10.5 trillion by 2025 in what some describe as the greatest transfer of economic wealth in history.

Such big numbers are impacting insurance capacity and igniting regulators, with Australian Prudential Regulation Authority (APRA) Chairman Wayne Byres dubbing cyber “arguably the most difficult prudential threat”.

“Given the nature of the issue, we all need to move with speed,” Mr Byres says.

But how? Home Affairs Secretary Mike Pezzullo has confirmed the Federal Government is planning a mandatory reporting regime for ransoms paid to cyber criminals, while the UK is exploring making ransom payment illegal.

But this will merely funnel ransomware activity elsewhere, critics say.

“You have to remember these gangs are businesses, they are corporates, so they will look to diversify their model,” Mr Moran says. “The financial harm that arises will pop up in some other form.”

Ransoms currently average in the hundreds of thousands of dollars, though increasingly there are much larger demands. For example, a $US50 million demand against PC manufacturer Acer was made in cryptocurrency.

The 2021 question on everyone’s lips: should businesses give in, or even be allowed to give in, to these faceless cyber ransoms?

Five decades ago an ear and a lock of hair from his grandson did eventually persuade J. Paul Getty to cough up a couple of million dollars to retrieve his grandson; it was the maximum amount that could be tax-deducted. Today it is not body parts but livelihood and reputation that are used to motivate harried executive victims to pay up.

Attacks are now more likely to be run by organised crime groups, or even state-sponsored actors, than by sole operators. They engage in professional correspondence with victims, negotiating deals and spelling out the business risks.

“You are not just dealing with people that are operating out of their garage,” Insurance House Group Managing Director Jay Fereday says. “This now is officially something every business owner needs to factor into their planning and their consideration.”

Two years ago Insurance House refused to negotiate with cyber attackers in an incident which Mr Fereday estimates cost the business millions of dollars in just days despite the company being well prepared. Its specialist IT security and consulting advisers recommended locking down systems and deploying backup strategies.

“If we hadn’t done the work that we had done prior, our only option might have been to have paid,” Mr Fereday tells Insurance News.

“I am sympathetic for anyone that is in the position of having to deal with it. Your only option might be to in fact pay, but then you are negotiating and at the whim of criminals and you don’t know what you are exposed to at that point.

“You do not know who you are dealing with. It is its own issue and it offers a unique problem for everyone to be constantly aware of.”

Former UK National Cyber Security Centre Chief Executive Ciaran Martin is one who recommends banning ransomware payments. He says attacks are being fuelled because insurance “emboldens” them – a problem that will “only get worse”.

But London-based CFC Underwriting Chief Information Officer Graeme Newman tells Insurance News that blaming insurers for a rise in cyber crime is “lazy thinking” and “misguided”.

“That is far, far too simplistic,” says Mr Newman, who has two decades of experience in cyber insurance. “The problem is more nuanced and more complex than that.”

Less than 15% of global businesses purchase cyber insurance, so targeting ransom cover policies would be to “ignore the other 85% of businesses who face the same problem without insurance”.

“What we should be doing is helping them to follow the money trail and catch the perpetrators,” he says, recommending more be done to clamp down on cryptocurrency exchanges and a licensing system to regulate any payments.

“Otherwise you just drive this underground and take it totally out of the purview of law enforcement.”

Mr Fereday supports the trend noted by Aon to differentiate risks and not reward “those who have decided to put their head in the sand, stay on the old systems they always had, not update those appropriate modern controls”.

“That’s where I think the industry probably needs to go,” Mr Fereday says. “If you really have done nothing to support and secure environment, you probably should expect to pay a higher premium if you want the cover.”

Accenture estimates cyber insurance and risk-mitigation services will generate $770 million in new insurance sales by 2025.

“It’s a different skillset from your classic underwriting,” Accenture Insurance Managing Director Gareth Shaw tells Insurance News. “It is this model to move toward prevention – and what skills and capabilities insurers need to offer that service – rather than just underwriting and claims as and when it happens.”

At cyber specialist underwriting agency Emergence, Founder and Chief Executive Troy Filipcevic says cyber is now the number one risk that businesses face.

“We’re definitely seeing an increase in ransomware; they’re coming thick and fast,” Mr Filipcevic tells Insurance News. “We’re helping lots of clients respond to a lot of incidents and claims so we know that people are getting impacted and we know what the ramifications are.”

Emergence says businesses should deploy multi-factor authentication, have strong back-ups in place and keep frequent “air gaps” – back-ups disconnected from the network.

A manufacturing client of Emergence was recently attacked and ordered to pay three bitcoins, worth around $180,000, but managed to bargain the ransom down to two coins. In another attack, $US1 million was paid.

Both these ransoms were covered by cyber insurance.

“If an insurer came out and said we are not going to pay them anymore it would be suicide because everyone will move their cyber business to people that are paying ransoms,” Mr Filipcevic says, adding that market education needs to achieve “bigger cut-through”. This is particularly important for Australia’s 2.6 million SMEs, which are at once the most vulnerable and the most unprepared.

“Uptake is a major issue,” he says. “A fraction of the market is buying cyber insurance. It’s a very under-utilised cover. Customers and boards of businesses need to start taking this seriously and start making sure adequate protection is in place.”

Insurers play an important role in illuminating ransomware risks for insureds, and Wotton + Kearney’s Mr Doyle recommends that the industry concentrate more on mitigation and education to reduce insured losses.

“There is more of a space there for insurers in that pre-loss consulting and risk engineering and mitigation. In theory it should reduce losses and create better risks.”