Insurance for ransomware payments is getting harder to come by
Jun 4, 2021

Insurance for ransomware payments is getting harder to come by

Hackers often target companies with insurance because they're more likely to pay hackers' often multimillion-dollar demands.

Throughout the pandemic we’ve seen hospitals, pipelines and other critical infrastructure hit with ransomware attacks. Just this past week, meat processor JBS and a ferry operator in Massachusetts were targets. Hackers often go after companies with insurance because they know those companies are more likely to pay their often multimillion-dollar demands.

It’s a topic for “Quality Assurance,” where I take a second look at a big tech story. I spoke with James Rundle, who covers corporate cybersecurity at the Wall Street Journal. He says the increase in attacks has had a real impact on the cyber insurance market. Premiums are rising, and some insurers won’t cover ransom payments anymore. The following is an edited transcript of our conversation.

A headshot of James Rundle, who covers corporate cybersecurity for the Wall Street Journal.
James Rundle (Photo courtesy Veronica Rundle)

James Rundle: Cyber insurance has been around for a long time. But it’s really only the last few years that it’s ramped up, and the big players have really got involved. But unfortunately for them, the just sheer ramp up in attacks is causing a lot of companies to claim on their policies. And it’s causing huge losses for insurance companies who haven’t, perhaps, modeled the risk properly in the past and understood what their liabilities would be through to the simple fact they can’t predict that ransomware will become this popular. So yeah, we’re seeing insurance companies either limiting what they will cover, as we saw with AXA in France, that was for French customers and very closely related to government discussions, but also in terms of what they’re charging customers, what they’re expecting from customers in terms of their cyber defenses as well.

Amy Scott: What do you think the impact could be if more insurers don’t cover these payments or charge more? Do you think fewer hackers would get paid?

Rundle: I think the bigger impact is going to be on the companies themselves. So they have typically used insurance and ransomware insurance in particular, as a bit of a safety net. In the past, they’ve thought, “If we do get attacked, at least our insurance company is going to cover that.” With restrictions in coverage and limits on what insurance companies will cover, companies are now going to have to take a much stronger look at their own cybersecurity defenses and say, “OK, are we investing properly here to ensure that we’re not leaving our front door unlocked, because our insurance is not going to cover anymore?”

Scott: And do you think that if it gets harder to insure these kinds of payments, companies will make sure all the doors are locked?

Rundle: I think so. I mean, it comes down to any other kind of insurance. If you walk out of your house and you leave your front door open and you get burgled, your insurance company is not going to cover it. So what do you do? You make sure you lock your door when you walk out. And that’s dramatically simplifying it, but the same logic applies to cybersecurity. And having at least some form of cybersecurity in place is just the cost of doing business.

Scott: And it’s not just ransomware, right, that is disrupting business? I was stunned by a figure in one of your recent stories from Johnson & Johnson, which said it deals with more than 15 billion cyber incidents a day.

Rundle: Yeah, it’s remarkable the level of the assaults that companies do face. And 15.5 billion is a big figure, but it’s not uncommon. I’ve heard from insurers, I’ve heard from banks, and I have heard from other major companies that they face similar kinds of threats every day. And not all of those are determined attacks, but a significant proportion are, and the U.S. in particular is under fire from cyberattacks.

Scott: You’ve been covering this for a while, but it seems the world is paying more attention to ransomware in recent weeks. Is that having any effect on how negotiations are playing out between hackers and their targets?

Rundle: I think so. The profile has definitely been raised. And we saw the group that was responsible for the Colonial Pipeline incident shut down over it. Now, whether they’ll reform under a different name is another story. But we are seeing that companies are getting better at responding to ransomware. They’re getting better at recovering the data and not having to pay that part of the ransom. But also, what we are seeing is that criminals have evolved as well. So they’re not just looking at files and giving you a decryption key for the money. They’re also taking your data hostage and saying, “All right, well, you might be able to recover. But if you don’t pay, then we’re going to publish your data instead.” So it’s a constant game of cat and mouse.

Scott: The Biden administration has said it’s coming up with a plan to fight back, but we don’t have a lot of details. What do you see as the role of government here versus the individual companies that are often the targets?

Rundle: I think the government has a very strong role to play here. And from our reporting we’ve spoken to people who’ve said that they do have certain tools at their disposal, which can help with this problem. A lot of ransomware operators, a lot of general cyber criminals operate in countries where their presence may not be acknowledged, but it is at least tolerated, particularly in Eastern Europe. We’ve seen a lot of the recent high-profile cyberattacks come from gangs based in Russia, for instance. And the government does have powers at its disposal, whether that’s through sanctions, through other State Department powers, through policy change or through other means to at least hold countries accountable for having these people within their borders and not do anything about it. That being said, a lot of government officials that I speak to stress the point that the government can only do so much. At the end of the day, it is up to companies to protect themselves, to make sure that all their windows and doors are locked, and that they’re not just open targets readily accessible to people with nefarious intent.

Scott: There’s some thinking that cryptocurrency is actually contributing to this problem, that if there were tighter regulations, it would be harder for these hackers to operate. What do you think about that?

Rundle: Cryptocurrency is a central pillar of the business model for ransomware gangs. Before Bitcoin and everything else, they used to commit wire fraud and use money mules. But now, the ease at which people can buy Bitcoin or Monero or another kind of cryptocurrency means that this is now an integral part of how this happens. And in terms of regulation, there has to be some action, whether it’s imposing stricter money laundering laws or customer requirements on exchanges, or on services that allow you to transmit cryptocurrency. Or whether it’s looking at international cooperation and forming some sort of consensus around how transactions can be traced. It’s definitely an area of discussion. Recommendations from current and former officials have been made. And it’s something that we expect to see definitely moving forward.

Related links: More insight from Amy Scott

Reporter Rachel Monroe has a fascinating piece in this weeks’ New Yorker about the business of negotiating with ransomware attackers. It takes a unique set of skills, which cybersecurity expert Kurtis Minder taught himself by taking Master Classes on negotiating and reading books by ex-hostage negotiators. Often he’s not just bargaining with the cyber criminals, but the very upset clients who hire him. In Monroe’s story, I learned that the first known ransomware attack was in 1989, when a floppy disk was mailed to thousands of public health researchers containing what it said was an informational program about AIDS. The disk also contained malicious software that locked victims’ files and demanded they send $189 to a P.O. box in Panama. Fairly cheap by today’s standards. Last month, Colonial Pipeline paid $4.4 million to restore service.

And Reuters reports that the U.S. Department of Justice is giving more priority to ransomware investigations. Guidance sent Thursday to federal prosecutors said information should be coordinated with a new task force in Washington in order to track and make connections between cases around the country. The special process is similar to how the department coordinates investigations of terrorism, showing just how worried officials are about these attacks.

The future of this podcast starts with you.

Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.

As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.

Support “Marketplace Tech” in any amount today and become a partner in our mission.

The team

Molly Wood Host
Michael Lipkin Senior Producer
Stephanie Hughes Producer
Daniel Shin Producer
Jesús Alvarado Associate Producer