Protocol | Fintech

Ransomware fueled insurers’ profits. It’s coming back to haunt them.

Paying off cyber ransoms made business sense — until it didn't.


The Colonial Pipeline ransomware attack hit fuel supplies up and down the East Coast.

Photo: Sean Rayford/Getty Images

Idealists don't last long in the insurance industry. The sector has learned time and again that misaligned incentives lead to bad behavior: If you sell fire insurance, someone will eventually commit arson. If you price life insurance based on a medical checkup, arthritic grandpas will cut weight like they're about to go 12 rounds against Floyd "Money" Mayweather.

But insurers don't bemoan the human condition: They adapt to it. To remain profitable while discouraging unwanted behavior, insurance companies can raise premiums, set higher deductibles or allocate more funding to fraud detection.

Ransomware is rewriting the insurance rulebook. The rampant growth in digital extortion is confounding insurers, with losses from claims widening. An organized attack hit 200 businesses on Friday alone, security researchers said. And the phenomenon has also raised questions about whether the industry has itself to blame.

Cyber policies often explicitly cover ransom payments, or offer optional coverage. And some observers believe that by making it easier to just pay ransoms, insurers helped birth a highly organized, multinational crime industry that generates billions of dollars annually. The same factors that once made the sector attractive to insure (its rapid growth, ambiguous risk profile and speedy claim resolution) have helped create a monster that insurers don't seem equipped to contain on their own.

Instead, government policy will likely be needed to save insurers, and their clients, from themselves. The trouble is that there's no easy way to put the genie back in the bottle. Every policy prescription, from limiting ransom payments to hunting down crypto wallets, comes with its own set of challenges and unintended consequences. Without a silver bullet, many experts believe the proliferation of attacks should be addressed by governments in close collaboration with insurers and the corporations they seek to protect.

A good thing winding down

Prior to 2020, ransomware coverage stood out as one of the most attractive insurance sectors. Traditional coverage areas such as home and automotive insurance tend to grow at the same rate as the overall economy. Cyber insurance has grown at a far more rapid pace: Direct written premiums for property/casualty cyber insurance, which often include ransomware coverage, more than doubled from just over $1 billion in 2015 to $2.3 billion in 2019, according to Fitch Ratings.

"Cyber insurance is actually one of the few growth markets," Gerry Glombicki, a director at Fitch, told Protocol. Glombicki said that emerging lines of business tend to be more profitable before competitors rush in and push margins down.

Accordingly, cyber insurers enjoyed a long streak of handsome profits as their sector grew. Fitch data shows that insurers' direct loss ratio — a measure of the proportion of premiums that get paid back out to clients — never surpassed 50% between 2015 and 2019.

This room for profitability came in part because nobody knew how to price ransomware risk. With home and auto coverage, insurers have access to reams of data for pricing. Predicting the likelihood, frequency and cost of ransomware attacks proved to be much more difficult. To account for this uncertainty, insurers built a buffer into their premiums.

That proved to be a smart strategy, as the direct loss ratio nearly doubled in 2020 to reach 73%, up from 47% the year prior. Several prominent cyber insurers even reported standalone cyber insurance direct loss ratios for the U.S. market above 100%. Sompo Group reported a 114% direct loss ratio in 2020, and AIG reported 101%.

Janet Ruiz, a director of strategic communication at the Insurance Information Institute, noted a marked change in ransom payouts during this time period. "In 2018, losses were more in the hundreds of dollars," Ruiz told Protocol. "Now we're seeing up to tens of millions of dollars on some of the largest ransomware attacks."

One reason for the increased payouts is hackers have developed more-sophisticated methods of attack that can halt a company's operations entirely, versus just seizing data and threatening to disclose it. Operational downtime is often easier to price than a data breach, so it became easier for executives to justify paying a ransom.

This dynamic played out in late May's ransomware attack on JBS, the world's largest meat-processing company. The ransomware gang REvil was able to breach JBS's IT systems and halt operations at 13 of its plants. The company eventually paid an $11 million bitcoin ransom. Even though it said that the "vast majority" of its facilities were operational at the time of the payment, JBS explained that it paid up to prevent the risk of data being stolen.

Publicly traded companies must disclose material cyber breaches. But there aren't consistent requirements across private and public companies for reporting ransomware attacks and payments, so it can be difficult to gauge how often they occur. Still, many industry experts believe the frequency of attacks has also increased in recent years.

Ransomware-as-a-service is another driver of this trend. Developers write and maintain the ransomware code and then sell or lease it to other criminal groups, often affiliates who hand over a cut of each ransom. The buyers are often groups that wouldn't otherwise possess the technical know-how to carry out an attack. The model has significantly lowered the barriers to entry while spreading the risk; ironically, those are financial concepts insurers could appreciate.

Some industry experts believe that the ease of payment helped drive ransomware revenue up in recent years.

Professor Josephine Wolff is a prominent proponent of this theory. As a professor of cybersecurity policy at The Fletcher School at Tufts University, Wolff researches ways to make cyber crime less profitable.

"There's a more controversial claim that's been made — that by covering these payments, the insurers are actually driving more ransomware to be directed at their clients," Wolff said. "I haven't seen a lot of strong evidence behind it."

Rather than ask whether hackers target those with insurance, Wolff thinks we should be asking whether having ransomware coverage makes it easier to pay. "There I worry the answer really is yes — that knowing that you purchased this insurance … turns the payment of the ransom into a standard cost of doing business," Wolff said. "It's the same way that if I got into a fender bender, I would just go to my insurance and say, 'OK, this is what I have insurance for.' Now there's an equivalent idea with ransomware."

The importance of securing a payment helps explain why some ransoms can seem small relative to the size of the business at stake. Colonial Pipeline, for instance, "only" ended up paying a $4.4 million ransom to fend off the attack that took down a 2.5-million-barrel-per-day piece of infrastructure.

Wolff cited Colonial Pipeline's decision to consult with its insurer in ransom negotiation proceedings: "That was not a decision made independent of the insurance context." She added, "I do worry about that — that insurers, in some cases perhaps even more than their clients, have an incentive to say, 'Let's sort of resolve this as quickly and as cheaply as possible.'"

Glombicki of Fitch noted that ransomware hackers want to get paid, but not to such an extent that they elicit undue attention. He said hackers are searching for a "sweet spot where you can maximize your profits but not really bring legislative and regulatory authority on you — and not kill the company, either."

A unified front

If hackers were once flying under the radar, they are now big, bright, obnoxious green dots hovering on the legislative agendas of policymakers worldwide. The question has now become what to do about it.

The French are leaning toward a guillotine-sharp solution: Cut off the money flow. Politicians at their Senate roundtable earlier this summer signaled their intention to ban ransomware payments altogether.

In response, Axa, one of the largest global insurance groups, announced that it would no longer write new ransomware policies for customers in France. In a statement to Protocol, Axa said it had "deemed it appropriate to suspend marketing until the consequences of these analyses are drawn and the framework for insurance intervention is clarified."

There are significant concerns surrounding an outright ban on ransom payments. Hackers often target hospitals and critical infrastructure, so not making a payment could result in significant human suffering, even deaths. Bearing that cost for the sake of preventing future attacks is a politically dangerous argument to make.

One workaround would be to ban corporations from paying ransoms, while still allowing hospitals and critical infrastructure administrators to comply with hackers' demands in high-stakes scenarios. However, that could just lead to making hospitals and critical infrastructure prime targets.

Even for companies, banning ransom payments could take a serious human toll. A ransomware attack could run a corporation into bankruptcy, leaving hundreds or thousands of employees without jobs. It could also expose clients' sensitive data.

"If you're a company, we want to be careful not to ask you to commit suicide," said James Andrew Lewis, a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies, a nonprofit policy research center. "If the only thing you have to offer a victim is 'Don't pay,' that's not attractive. But if you can make it part of a larger package of ransomware measures, I think it makes sense."

Recovery of cryptocurrency wallets is one of the newest tools in that package of ransomware measures. Last month, the Justice Department announced that the FBI had recovered over half of the Colonial Pipeline ransom. On the surface it looked like a potential breakthrough: the ransomware business model depends on payment rails that are hard for law enforcement to trace or seize, and the recovery showed that bitcoin, whose ledger is public and pseudonymous rather than anonymous, does not always deliver that.

"Cryptocurrencies themselves are not a silver bullet for avoiding this kind of disruption," Lewis said. He added that many of the lessons learned in dealing with general money laundering can be applied to ransomware payment tracing. "The basic lesson is follow the money … and identify where you can interfere with the flow."

What else can companies do? As is often the case, one of the most effective measures also happens to be the least exciting: cyber hygiene.

"A lot of this stuff is just the basics," Glombicki of Fitch said. "It's turning on multifactor authentication, it's making sure your employees don't fall for phishing scams, it's updating your patches."

It's tempting to believe companies will independently choose to upgrade their defenses in response to the growing threat of ransomware attacks. Lewis doesn't see it that way: "Companies figure out 'How much am I likely to lose?' [and] 'How much would it cost me to upgrade my defenses?'" he said. "If it costs more to upgrade than to just pay, they just pay."

That brings us back to Wolff's assertion that insurers stimulate the ransomware sector by making payments "a standard cost of doing business." Customers might not love it, but insurers could ultimately lower the attractiveness of ransomware by hiking cyber insurance premiums.

Already insurers are grading their clients' cyber hygiene practices, raising deductibles for companies with riskier profiles and in some cases asking them to partially self-insure. As ransomware costs continue to rise, insurers will continue to shift the cost of attacks back to the corporations. This might be painful for clients in the short term, but overall it could help diminish the prevalence of attacks.

The government could even accelerate this trend by limiting payouts or adding friction to the insurance settlement process.

"You don't want to tell your customer, 'I won't pay you,'" Lewis said, "but if you can say, 'Uncle Sam won't let me pay,' that's always better."

One thing that's certain is that demand for ransomware coverage is not going away. Sam Hodges, CEO of Vouch Insurance, noticed that more companies have been asking for cyber insurance and doing so earlier in their lifecycle. "You see all these events happening," Hodges said, "and it's only rational to think, 'What if this were to happen to me?'"

There's no quick fix to ransomware attacks, but a multifaceted approach — along with increased general awareness — could diminish the scale of the industry.

"The ransomware guys have put themselves in a bad position," Lewis said. "I was talking to a senior European intelligence official about a month ago and he said, 'Look, ransomware has become a national security threat in Western nations.' And so once you get into that arena, the ransomware folks are facing a much tougher set of competitors. And countries will be more willing to cooperate with each other to tamp down ransomware."

Wolff struck a more cautious note: "I go back and forth between feeling like we are only making very, very, very small, slow incremental steps towards cracking down on this. And then sometimes feeling like, 'Oh, we're so close to doing something big.'" She said whether the government steps up to take more impactful measures depends on the nature of the next wave of high-profile attacks.

And to any idealists still reading: There will be a next wave. Insurers can be sure of that.
