Can Cyber Insurance Survive without Diplomatic Support?
Tom Johansmeyer explores the critical role for diplomacy in supporting a robust and reliable global cyber insurance market.
Businesses and municipalities have been brutalized by ransomware for the past few years, and there seems to be no relief in sight. High-profile cases like Colonial Pipeline and Kaseya tend to grab the headlines, but the problem is far more expansive. Attacks on smaller victims and more modest ransom demands don’t make the news, but they help make ransomware a problem too big for insurers to handle conventionally. To support and expand the utility of cyber insurance, diplomatic support will be crucial. State-to-state engagement can make it possible to eliminate many of the sorts of risk that are making cyber so difficult for insurers to cover.
Insurers held hostage
Many in the insurance industry had high hopes for the cyber sector. Only last year, it was expected to reach US$20 billion in annual premium by 2025, up from a mere US$5 billion at the time of the prediction. Today, with annual premium staying roughly in place, the market’s future feels a bit uncertain.
Ransomware may not be the only impediment to rapid cyber insurance market growth, but it’s certainly the most profound. In the first half of 2021, the number of ransomware attacks topped the 2020 full-year total by an eye-popping 151 percent, according to data from Threatpost, and average ransom payments surged 82 percent in the first half of 2021 to US$570,000, which comes on top of a 171 percent increase from a year before that. In fact, PCS, the team I lead at Verisk, knows of at least five ransom demands of more than US$50 million, with the highest settling at US$40 million, according to our market sources. Many in the insurance industry initially responded to the cyber challenge by providing protection for this emerging risk. The pervasiveness of ransomware, though, has stalled early growth.
The insurance community’s response to the current massive wave of ransomware attacks has been predictable. Some have reduced their allocations to the sector; others have declined to write any new business or insisted on tighter terms and higher prices. The US$20 billion forecasted for 2025 seems further away now than it did a year ago – and even before that.
Absent a market solution, many in the insurance industry have discussed the use of government backstops using the terror pool approach – like Pool Re in the United Kingdom and Gareat in France. While there can be some near-term benefits to ceding risk to such entities, diplomacy offers a more powerful government-backed solution for protecting and supporting the still-growing cyber insurance sector. Some early developments in the summer of 2021 show how diplomatic engagement – if scaled – could help get the insurance industry the breathing room it needs.
Not quiet on the Eastern Front
Reports of links between some state actors and cyber gangs are many and murky. Occasionally, credible attribution has occurred, with the most famous example, perhaps, the reported identification of the Internet Research Agency’s involvement in the 2016 U.S. presidential election. Attribution in that instance was a byproduct of the broader Mueller investigation, and there’s no guarantee the public would’ve gotten such a clear view of the situation otherwise. However, less explosive revelations have emerged periodically, showing that the risk ranges from smaller daily issues to larger, nationwide threats.
The permissive relationships between states and the non-state actors involved in ransomware attacks only exacerbate the problem. The dynamic is something short of state sponsorship – but clearly more than the self-directed enthusiasm of individual actors, as suggested by remarks made directly by Russia’s president, Vladimir Putin, to reporters on June 1, 2017:
“Hackers are free people, just like artists who wake up in the morning in a good mood and start painting,” he said. “The hackers are the same. They would wake up, read about something going on in interstate relations and if they feel patriotic, they may try to contribute to the fight against those who speak badly about Russia.”
The claim of patriotic urgings among non-state cyber actors came shortly before the NotPetya cyber-attack resulted in more than US$3 billion in industrywide insured losses, according to PCS estimates, and possibly more than US$10 billion in economic damage, according to U.S. government officials.
Since NotPetya, we’ve seen that state-level engagement may have led to changes in the ransomware operating landscape. The involvement of state actors can provide considerable muscle for non-state actors when the alignment is right: Never underestimate the power of having a government on your side. On the other hand, the loss of such alignment means much more than just the bottom falling out on support or accommodation, as indicated by what appears to have happened following the Kaseya attack. At least temporarily, state-level engagement likely contributed to the dissolution of the organization involved (its return is not believed to involve the original actors). The threat of diplomatic pressure and other measures may have led to the – brief – impediment to ransomware activity.
The pivotal moment
The ransomware market changed with the Kaseya cyber-attack – however briefly. The attack was reported to have affected as many as 1,500 companies, and the ransom demand quickly morphed into a single “deal” of US$70 million, directed toward affected insurance companies. It seemed to be part compromise and part revenue acceleration. Ultimately, the decryption keys were provided, and there was no report of a ransom paid. Several PCS clients in the cyber re/insurance market say they have not heard about (or paid) any claims related to the attack. The speed with which the ransom demand receded to delivery of decryption with no payment suggests that other forces may have been involved.
Although it’s difficult to pin down the exact reason for presumed nonpayment, reports suggest that discussions between President Biden of the United States and President Putin of Russia led to pressure on the attacker, REvil. The opacity of such negotiations requires more assumption than certainty, particularly when one of the states involved then negotiates with non-state actors involved in an activity such as ransomware. However, anything short of state-level engagement would almost require that the delivery of decryption keys through a “trusted third party” be coincidental, an even more difficult assumption to accept given the circumstances.
As an isolated case, Kaseya’s release from the REvil attack would’ve been noteworthy. However, there’s a broader context involved. Only two months earlier, Colonial Pipeline was hit by ransomware. More than the fairly low ransom demand, the interaction reported to have occurred with ransomware gang DarkSide is telling, ultimately: “Our goal is to make money and not creating problems for society.”
Newly formed ransomware operation BlackMatter went further than DarkSide’s apology-by-internet at the end of July. In an interview, the new ransomware gang discussed a targeting strategy focused on businesses that can afford to pay, while choosing to avoid targets that could bring extra unwanted attention: “We check each target and decide if it has potential negative consequences for us.” Again, it seems like a conscious decision that was at least partially informed by diplomatic forces as much as commercial opportunity.
An alternative to honor among thieves
Can we take ransomware actors at their word? It does seem like a lot to ask. They’re in the business of disobeying the law, perhaps supported by relationships with state actors. The apex of optimism is to believe that diplomatic wrangling after Kaseya has provided for a ringfencing of certain targets as off limits. A more pessimistic view would be to assume diplomatic engagement yielded a show of restraint that will quickly shift back to broad attacks on sensitive targets.
Unfortunately, there are plenty of reasons for actors to offer false hope. BlackMatter may have spoken up to give itself breathing room. Or, maybe they are sticking to their word while other ransomware actors take advantage of critical national infrastructure targets. The attacks continue, suggesting that détente only comes narrowly at best.
Diplomatic attempts to contain the ransomware environment will take time and be fraught with stretched promises, loopholes, and backsliding. Enduring such setbacks, though, may be part of the price of overall progress. Over time, the use of diplomacy to effect even bilateral agreements on truly unacceptable ransomware targets (such as critical national infrastructure) could change the nature of the threat, how businesses could manage it, and ultimately its insurability. A red line before a subset of critical national infrastructure, even with carve-outs for espionage and state-to-state activity, could significantly deescalate the state-level ransomware situation and prevent it from becoming the sort of national security threat that’s just another step on the way to kinetic manifestations.
Such an approach would only protect critical targets from state-aligned ransomware actors, and it would not be a substitute for the careful management of network security and other information technology resilience. It would at least reduce the threat, and threat reduction right now is the best we can hope for. The reduced threat environment would allow the managers of critical assets to return to treating cyber security as a business issue, rather than bear the extra burden that comes with national security. Ultimately, this comes down to a balancing act, and it’s the sort that’s well suited to state-to-state negotiation.
Tom Johansmeyer is head of PCS, a Verisk business, which estimates the industry-wide insured losses from disaster events around the world. He writes and speaks regularly on natural catastrophes, cyber attacks, and political violence events.