Welcome to another edition of our Cyber Coverage Explained series. This week, we're discussing sub-limits and coinsurance as it impacts our current market. For more coverage explainers, you can find our past posts on Social Engineering and Crime Coverage, Business Interruption, and Contingent Business Interruption.
Cyber insurance isn’t new, but in contrast to insurance industries that date back centuries, it maintains a youthful glow. Since the early days of cyber in the 1990s, the industry has responded to new risks in real-time to match an increasingly digital-focused world.
This leaves us seeing a lot of “firsts” for cyber insurance that other markets had the opportunity to deal with long before. Consider how in the past homeowners insurance and property insurance responded to monumental hurricane seasons by introducing special deductibles; that’s where Cyber is now in its response to ransomware and other covered perils.
Today, we’re exploring a couple of the ways standard cyber coverage can be amended as the industry matures and responds to changing cyber risks. Namely, we’re covering the growing prevalence of sub-limits and coinsurance in policies where there may not have been a few years ago (and where you should expect to see them).
The demand for cyber insurance is rising consistently. According to Marsh, 42% of their clients purchased cyber insurance in 2019, which is more than double the number from 2014. More organizations are dedicating the time and funds to protect themselves from threat actors, through stronger cyber hygiene best practices and the transfer of risk with insurance.
Why the surge in interest? Most of us who have turned on the news this past year — even the digitally averse — could probably answer that. Ransomware feels like it’s everywhere.
In the case of Colonial Pipeline, we saw how much high-profile attacks like this can cost. The largest fuel pipeline in the United States was left paying Eastern European threat actors a $4.4 million ransom.
In other instances, such as Microsoft Exchange, Kaseya, and now Log4j, we've seen both the long-term impacts of zero-day vulnerabilities and the ongoing risk to downstream customers. Grappling with the continued threat of supply chain risks, several insurers placed sub-limits on policyholders with Log4j exposure. It’s important to note, however, that this describes nearly everyone.
Last January, AIG introduced ransomware coinsurance across all accounts, requiring policyholders to take on half the cost for digital extortion losses. This is after other carriers introduced new sub-limits in an attempt to combat the increase in expensive ransomware claims.
On top of that, social engineering tactics are only getting more sophisticated, and this evolution makes it harder for anyone to play defense. Add to that the additional costs stemming from business interruption, forensic services, legal teams, and more.
In response, policyholders are tasked with taking on more responsibility for these risks. Cyber underwriters are looking at organizations to do their part in preventing losses; they want to see better security controls paired with tighter coinsurance clauses. The theory is there’s an incentive for policyholders to take action faster when the financial burden is more likely to impact them and result in lost income. With their businesses' money on the line (through coinsurance), they may notify their cyber insurance company faster in the event of suspicious activity to speed up the response.
As cyber insurers look for ways to cope with the current hard market, brokers should keep a keen eye on how the introduction of sub-limits and/or coinsurance percentages will impact potential claims for their clients.
Expectations of policyholders will vary as insurers determine how to deal with risk differently, but expect to see both sub-limits and coinsurance become more popular. Some insurers may be accommodating if the insured shows that they have exceptional controls and are willing to spend more in premium, but others may face ransomware extortion sub-limits nonetheless. It’ll come down to weighing the options for what works best for each organization on a case-by-case basis.
What’s most important for underwriters, brokers, and the insured (collectively!) is that specifications are clear and policyholders know exactly what will be expected from them if there is a claim.
Typically, you’ll find sub-limits alongside coverages that pair with the most costly or common claims. Most of the examples we’ve listed below are tied to ransomware — but as cyber insurers adjust to the unpredictability of the market, you may find that less popular coverages or add-ons are met with sub-limits as well (e.g., bricking).
The market is constantly evolving and readjusting to the current threat landscape. But that doesn’t take away your agency to find the coverage that works best for your client. For example, while some sub-limits may be unavoidable as we combat the hard market, look for insurers that have consistent coverage elsewhere and are willing to work with policyholders hands-on to improve their controls. However, avoid sub-limits or coinsurance clauses that seem too much like a knee-jerk reaction to specific ransomware events.