Cyber Insurers Struggle to Cover Evolving Ransomware Attacks


July 21, 2023

World map

Cyber insurance carriers are struggling to provide effective coverage in an evolving ransomware threat landscape where operations are more commonly focused on data theft and extortion and don’t always include a ransomware payload.

Groups like KaraKurt and RansomHouse have focused solely on data extortion for some time, with other traditional ransomware operators like BianLian and more recently Cl0P following suit in many attacks.

“Over the course of 2022, CrowdStrike discovered that 71% of all recorded attacks were malware free. When it came to ransomware activity, the cybersecurity vendor observed a 20% increase in the number of threat actors using data theft and extortion without deploying ransomware,” Tech Target reports.

“For cyber insurance carriers that play a significant role in ransomware response, that means re-examining policy requirements and the incident response process as well as applying increased focus on data security. Even though ransomware attacks that see no encrypted systems are generally less disruptive and costly, enterprises are facing further reductions in coverage and increased costs amid this shift.”

Takeaway: There are so many issues around how best to approach insuring against losses stemming from cyberattacks; it's a difficult subject to encapsulate, especially regarding coverage for ransomware attacks.  

On the macro level, it's about accurately quantifying risk in an area where the risk factor is constantly changing as threat actors constantly improve their capabilities and mature their business models.

As it stands, insurance companies have not been able to put their finger on the magic equation that allows for affordable policies for both the insured and the insurer. Ransomware attacks vary in severity; ransom demands range from tens of thousands to tens of millions of dollars; differing organizations handle different kinds of sensitive data that put them in different liability categories; organizations use a wide range of endless combinations of security solutions, each filling one small gap in protection, all of which need to work together to prevent a disruptive event.  

This is a really complicated ecosystem.

Then there is the issue of being in compliance with the terms of the policy. If an organization practices a checkbox approach to security compliance, they may have all the boxes checked as far as the required controls being in place, but they may be surprised to find that a claim is denied because of common issues like misconfigurations or the inability to patch against vulnerabilities in a timely manner.  

Then there is the data exfiltration issue; most ransomware attacks today include data exfiltration prior to the encryption of systems. The kind of data that was compromised can be a major variable in potential losses to the victim organization.  

Regulated data like personally identifiable information (PII) can be especially problematic from a liability perspective, and we are seeing more and more lawsuits following data loss events associated with ransomware attacks.  

The loss of intellectual property that could impact the viability and competitiveness in the market of a business over time is extremely hard to quantify, and likely not covered by cyber insurance.

In short, customers are facing more restrictive policies with add-ons for covering ransomware-related losses, more comprehensive audits of security controls, and ever-increasing premiums, while insurance providers are facing a crunch on pricing the policies accurately to cover the losses they see in the real-world, which are continuing to grow.

More focus needs to be placed "left of boom" - at initial ingress, command & control (C2), lateral movement, data exfiltration, and so on. If we are doing our jobs right, and stop an attack at these earlier stages, then we would not even know it was a ransomware attack, just another run-of-mill intrusion event.

As well, there is not enough focus on what comes after "boom" - how the organization can plan for the failure of security controls and be positioned to respond efficiently and effectively to a future ransomware attack, making the organization and its operations as resilient as possible by reducing the potential for mass disruption.  

Detecting and blocking the ransomware payload is really important, but we know we can't be 100% on this, so if we put more emphasis on detecting and blocking what comes before the ransomware and what steps to take after it, this will go a long way to better quantifying risks and stabilize the very volatile cyber insurance market. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.