The Zurich Insurance Group warns it might no longer cover cyber attacks due to the heavy costs associated with such incidents.
The chief executive officer (CEO) of one of Europe's largest insurance companies, Zurich Insurance Group, warned this week that cyber attacks could become "uninsurable" shortly due to the high costs associated with covering such threats. According to comments from Zurich's CEO published by Financial Times (FT), the insurance industry is increasingly incapable of underwriting losses associated with cyber attacks, advocating instead for government-run "private-public schemes" for "systemic cyber risks that can't be quantified." He alluded to similar systems for addressing earthquakes and terror attacks.
The CEO identified cyber attacks as a greater risk for insurance coverage than health pandemics and natural disasters, costing insurance companies hundreds of millions of dollars in coverage each year. In response, some companies have increased the prices of their policies and premiums or limited coverage under existing policies. Notwithstanding these steps, Zurich's CEO claimed that the private sector could only absorb certain losses from cyber attacks.
In the above-referenced comments, Zurich's CEO addressed the growing financial strain that hackers and other threat actors place on economies, which cybersecurity insurance policies attempt to address. Businesses of all sizes can purchase this type of insurance, providing coverage for data breaches, cyberattacks, and ransomware incidents, among other threats. In addition, it can cover the costs associated with responding to and recovering from these incidents, including legal fees, public relations efforts, and the cost of notification and credit monitoring for affected individuals. Some cybersecurity insurance policies even provide coverage for business disruptions.
While this type of policy can help companies financially recover from cyber attacks, ransomware groups and other malicious actors may attempt to take advantage of insured entities. Cybercriminals may believe that insurance coverage enables victims to pay ransoms. Indeed, threat actors whom Cybersixgill observed on the underground advertising access to corporations specifically mentioned that targeted entities carry ransomware insurance. Based on these advertisements, insurance coverage appears to be a selling point when selecting potential victims for cyber attacks.
As a June 2022 report from the U.S. Government Accountability Office (GAO) documented, targeted entities may not be the only victims of large-scale attacks, with cyber incidents affecting firms linked to initial victims. The GAO report discussed the infamous Colonial Pipeline ransomware attack as an example of a "single cyber incident" that "ripple[d] across the critical infrastructure with catastrophic consequences."
Such incidents have led the U.S. government to consider a federal cyber insurance response as part of or separate from the existing public-private insurance program for acts of terrorism. In his comments to FT, Zurich's CEO appeared to support such efforts, claiming that private insurance coverage is reaching its limits concerning underwriting losses from cyber attacks. In addition, according to Zurich's CEO, the U.S. government correctly discourages ransom payments, a strategy he believes disincentivizes cyber attacks.
Cybersixgill’s Investigative Portal detected threat actors advertising access to victims carrying cybersecurity insurance.
For example, in the following post on a Russian-language cybercrime forum, a member with a low reputation score announced admin Remote Desktop Protocol (RDP) access to the networks of a U.K.-based company. While the forum member likely omitted the target's name to avoid losing access, the threat actor indicated that the company has ransomware insurance and an annual revenue of over $5 million. The forum member mentioned ransomware insurance to make the access more attractive to other threat actors, suggesting that a target with insurance coverage may be more likely to pay a ransom.
While there were no public replies to the post, the forum member may have been contacted directly via private message, per their instructions.
Figure 1: An advertisement on a Russian-language cybercrime forum for access to the networks of a company with ransomware insurance
Cybersixgill also collected the following post on an online text-sharing website on which a guest user posted what appears to be a ransom note. While the post's author did not indicate how the content was accessed, the note informed the victim that its data was encrypted, requesting a ransom in exchange for data decryption, which reflects the gang's double extortion scheme. The gang also included a series of General Data Protection Regulation (GDPR) website links, ostensibly containing rules about the disclosure of private information, in an apparent effort to pressure the company into paying.
The ransomware gang also specifically referenced ransomware insurance and encouraged the victim to double-cross its provider by disclosing to the gang its maximum coverage under the policy and other key terms of the insurance agreement. The gang promised not to demand a ransom that exceeded the policy's coverage, characterizing the scenario as a win-win for the victim and the gang. This message shows that ransomware gangs think they know how the cyber insurance process works, attempting to take advantage of it by turning victims into accomplices.
Figure 2: A ransom note mentioning ransomware insurance
Finally, Cybersixgill collected the following post from a member of a notorious cybercrime forum on which a threat actor with a low reputation score leaked a 10.2 GB insurance company database. According to the forum member, the data in this leak was stolen during a cyber attack that resulted in the theft of four million rows of data, including full names, phone numbers, email addresses, and physical addresses, among other information. This stolen Personally Identifiable Information (PII) appears to belong to the company's customers or employees and could be misused by threat actors in spearphishing schemes and identity fraud. This post generated a dozen reactions, with other forum members expressing interest and gratitude.
Figure 3: An insurance company's database leaked on a cybercrime forum
The comments by Zurich Insurance Group's CEO regarding cyberattacks becoming uninsurable reflect the massive financial damage wrought by threat actors.
While insurance companies may soon be unable to cover these costs, eliminating the possibility of insurance for incidents such as ransomware attacks, that development may disincentivize threat actors, some of whom appear to target insured entities specifically, according to activity Cybersixgill observed on its Investigative Portal. In addition, some threat actors believe that insurance increases the likelihood of ransom payments.
While the ransomware groups are likely to continue their attacks even if insurance companies stop covering cyber incidents, ending coverage could decrease the volume of ransomware attacks. Authorities and security researchers agree that complying with cybercriminals' demands, even based on the premise that an insurance company absorbs the financial costs, incentivizes future attacks.
Since prevention is generally less costly than mitigation and recovery efforts, organizations should invest in robust cybersecurity plans that include effective preventative measures and incident response plans. This can mitigate the risk of a ransomware attack and reduce the likelihood that attackers will succeed, whether or not insurance is involved.