If you’ve ever questioned whether cyber insurance enables ransomware attackers, the AXA attack in 2021 is proof that it does. AXA, an Asia-based insurance company, decided to stop covering ransomware damage in France. The response? A week later, it got hit by a ransomware attack.
The hacker collective responsible, AVADDON, turned up the heat by launching a distributed denial-of-service (DDoS) attack against AXA’s websites in Malaysia, Thailand, Hong Kong, and the Philippines. The additional attacks were meant to pressure AXA into paying up. AVADDON claimed to have taken 3TB of data and planned to leak it if AXA didn’t pay up in 10 days or less. Among the data was information about claims, payments, and medical reports, as well as bank account information, passports, ID cards, and more.
Attacking as a Business Strategy
According to Avast Security Evangelist Luis Corrons, the AXA attack was an example of cybercriminals “defending” their business model. Many companies decide to carry cyber insurance primarily because ransomware attacks are prohibitively expensive, and knowing that insurance can kick in and cover the expense—like in a fender bender or flooded basement—is necessary for peace of mind.
If insurers discontinue ransomware coverage, companies will have to fork over the cash themselves, potentially decimating the revenue streams of ransomware syndicates worldwide. Put simply, the AXA attack was cybercriminals’ message to insurers: “Listen, we need you. If you try to get out of the game, there will be consequences.”
Cyber Insurance Makes the Ransomware Situation Worse
Clearly, insurance companies play a key role in why ransomware attacks are profitable for cybercriminals. But is it possible that they’re making the ransomware problem worse for everyone?
To understand why ransomware criminals are attracted to cyber insurance, you have to think like a criminal. Imagine, for instance, you’re a kidnapper wanting to make a quick $25,000. You have two targets in mind—a random guy on the street and a gentleman from a famous, rich family. Which one would you go after? Obviously, the one from the rich family because you know he can provide the $25,000 you’re after.
The random guy might have $25,000 in his account, and his spouse, friends, or family may have that much or far more. But it’s just as likely that none of them do. So, to increase your chances of getting paid, you’d go after the target you know has deep pockets.
It’s the same with ransomware hackers. They go after targets with the financial backing to pay up.
Ransomware Hacker: Companies with Insurance Are Tasty Morsels
A cybercriminal working with REvil, the group responsible for the infamous Kaseya attack, dropped some interesting gems in an interview in 2021, saying that a company with cyber insurance is “one of the tastiest morsels.”
The same attacker also revealed that they “hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
This means hackers use an insurance company’s client portfolio as a shopping list, picking and choosing which ones to attack. So even if a company keeps the fact they have cyber insurance a secret, hackers would still know through the insurer’s customer list.
Easy Ransomware Settlements Drive Attack Frequency
Cyber insurance is much like a liability policy, says Catherine Rudo, VP of Cyber Insurance at Nationwide. Everyone needs it, but not in the same way. And unlike other forms of insurance, the ransomware payment process is relatively painless, with the insurance company even acting as an intermediary in some cases. Adds Rudo, “If a customer chooses to pay the ransomware, the insurance company will pay it, and the insurance company will sometimes facilitate [the payment].”
Paying the ransom to recover stolen data ASAP makes sense for both the insurer and the company that’s been victimized. Damages won’t be as severe, and the claim amount won’t be as high. But a ransomware settlement process that’s relatively easy is a double-edged sword. Once an attacker knows an insurance company is quick to pay up, they’re more likely to target its client base.
Cyber Insurance Is Not Sustainable Anymore
On the surface, cyber insurance may sound like something every well-meaning company should take advantage of, but in the overall scheme of things, it’s like painting a target on organizations’ backs, making them easy prey for ransomware attackers. Further, with cyber insurance premiums skyrocketing as the number of attacks continues to surge, it has become unsustainable for many companies.
Cyber Insurance May Not Cover Reputational Damage
Aside from the financial blow companies have to endure after a ransomware attack, there’s the reputational damage they also have to contend with. An attack may cause them to lose the trust of investors, customers, and the general public—which, in turn, can lower their brand’s value and diminish their client base. Often, cyber insurance doesn’t cover this kind of loss.
This means a company may have to take out an additional policy, one that covers reputational damage. This is known as “reputation insurance” and is designed to help organizations recoup financial losses as a result of a tarnished image or negative press.
A Better Solution: Shrink Your Attack Surface
Instead of adding ransomware coverage to your business insurance policy—and attracting attackers in the process—it may be better to implement cybersecurity strategies that bolster your defenses and minimize your organization’s attack surface. This may involve the following:
1. Educate Employees About the Risks
If employees know how to handle the cyberattacks that can pave the way for ransomware, you can effectively shrink your attack surface. For example, each employee who can spot a phishing email, which is designed to trick them into revealing sensitive information, is one less target for a hacker.
You can also teach employees about the kinds of sites they should avoid. For instance, a fake site that looks genuine but has a URL that doesn’t match the business may be either designed to steal information or disseminate ransomware.
2. Use Firewalls to Prevent Employees from Visiting Dangerous Sites
A firewall can block sites according to a wide range of criteria, making it impossible for employees using your network to access certain web pages. You can also manually blacklist sites that could pose a threat, making it less likely for people to stumble upon ransomware in their everyday browsing.
A firewall can also inspect the contents of data packets as they flow into your system. For instance, because ransomware has been known to use .lnk (Windows shortcut) files as a delivery mechanism, you could use a firewall or mail gateway to prevent data containing these kinds of files from entering your network.
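The check described above is easy to defeat if it only looks at the file extension, since an attacker can rename the shortcut or wrap it in an archive. The following is an added example (not code from the article or any vendor) of a gateway-side check that identifies Shell Link files by their fixed 20-byte header instead; the attachment names and contents are constructed samples, and the mail or proxy hook that would call classify_attachment() is assumed.

```python
"""Content-based detection of Windows shortcut (.lnk) attachments."""
import io
import zipfile

# Every Shell Link file starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (20 bytes in total).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def is_lnk(data: bytes) -> bool:
    """True if the payload is a Shell Link file, regardless of its name."""
    return data.startswith(LNK_MAGIC)


def classify_attachment(data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment body."""
    if is_lnk(data):
        return "block"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
                    return "quarantine"
                with zf.open(info) as member:  # read only the header bytes
                    if is_lnk(member.read(len(LNK_MAGIC))):
                        return "block"
    return "allow"


def _zip_of(members: dict) -> bytes:
    """Build an in-memory zip archive from {name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a minimal shortcut header and a harmless PDF stub.
FAKE_LNK = LNK_MAGIC + b"\x00" * 56
FAKE_PDF = b"%PDF-1.7\n%constructed sample\n"
SAMPLES = {
    "invoice.pdf.lnk": FAKE_LNK,
    "invoice.pdf": FAKE_LNK,  # renamed shortcut: an extension filter misses this
    "report.pdf": FAKE_PDF,
    "docs.zip": _zip_of({"readme.txt": b"see attached", "open_me.lnk": FAKE_LNK}),
}


def run_samples() -> dict:
    """Classify each constructed sample by content, not by file name."""
    return {name: classify_attachment(body) for name, body in SAMPLES.items()}
```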
3. Use the Principle of Least Privilege to Limit Access to Sensitive Areas of Your Network
When you implement least privilege principles, you only provide access to areas of the network that an employee absolutely needs to do their job. For example, someone in HR may be granted access to a database that holds employee information but could be blocked from accessing corporate bank account information.
4. Segment Your Network
You can use firewalls to segment your environment, strategically positioning them like virtual blockades surrounding different portions of your network. By tweaking the settings of each firewall according to the assets it’s trying to protect, you can make it extremely hard for attackers to penetrate certain sections of your network. For example, if a customer database gets information from a customer relationship management (CRM) system, you can set up a firewall that whitelists that URL—blocking all other traffic from other sites.
Can Cyber Insurance Survive Without Diplomatic Support?
The insurance industry may need diplomatic support to stay afloat. With ransomware becoming an extremely expensive problem, cyber insurers have started scaling back their coverage. This comes as no surprise—not only has the number of attacks increased, but so have the settlement amounts. From 2020 to 2021, the average payment jumped 82% to $570,000 per settlement.
Amid this backdrop, governments must join forces in a diplomatic effort to combat the ever-growing ransomware problem. For example, the U.S. Department of Justice (DOJ) has started partnering with global counterparts to bring down ransomware criminals. More of these kinds of efforts can provide a buffer for insurance companies.
Want Cyber Insurance? Bolster Your Defenses
Cyber insurance still has its place, particularly because it can help insulate a company from certain kinds of attacks and the resulting fallout. But companies can no longer regard cyber insurance as a means to plug holes in their security defenses. Insurers have learned their lesson the hard way and are now tightening security requirements before initiating or renewing policies. As the threat landscape evolves, cyber insurance also evolves. Even if an insurer grants you coverage, it’s possible that premiums and coverage may change come renewal time.
As for your insurer, make sure they’re doing their end of the bargain. You don’t want them getting hacked and, in turn, your company getting hacked because attackers found it on their clients’ list.