Last Updated 6/12/2023

Issue: Ransomware, sometimes called cyber extortion, is a type of malicious software that infiltrates computer systems and locks them down. Typically, the data or system is then held hostage by encryption until payments are made or other demands are met. Once the data or system has been frozen, the hacker directs the victim to pay a sum of money (ransom) to regain access to the device or data. Ransomware is a type of cyber-attack that can infect virtually any type of computer, including desktops, laptops, tablets and smart phones. The goal of the hackers is not to destroy or permanently encrypt the data, but to secure fast payment of the ransom. 

Ransomware attacks are on the rise and are considered an escalating threat for the foreseeable future. As of 2021, between 50 and 75% of ransomware attack victims are small businesses. Small businesses are primary targets, as they typically spend less on security, making it easier to hack into the systems. State insurance regulators are concerned about the possibility of businesses and individuals being victimized by ransomware attacks and encourage the public to take steps to guard against potential attacks. One of the steps is to consider the purchase of a cybersecurity insurance policy. Many cyber policies cover ransom money, extortion-related expenses, and repair costs. But it is important to notify your insurer before you pay a ransom, otherwise it may not be covered. 

Background:  According to the FBI, in 2022 The Internet Crime Complaint Center (IC3) received 800,944 complaints, with reported financial losses of $10.3 billion. Of these, 2,385 were identified as ransomware complaints with adjusted losses exceeding $34.3 million. Additionally, according to Kaspersky, in the first ten months of 2022, the number of users attacked by targeted ransomware nearly doubled, as compared to the same period in 2021.

The number of people and businesses at risk are increasing every year. Anyone can be a target of ransomware: individuals, government entities, hospitals, private businesses, and municipalities of all sizes. Most ransomware is delivered by phishing emails which imitate a legitimate agency to solicit personal information from the recipient. 

Although the temptation to pay the ransom is great, the FBI warns this carries its own risks. There is no guarantee the data will be restored after the ransom is paid. Ransom demands can be incredibly costly and are rising, with average demands increasing 500% from 2020 to the first half of 2021. The average ransomware payment is also increasing, rising from $312,000 in 2019 to $570,000 in 2020. Premiums for cyber insurance policies that cover ransomware payments are climbing as well, with double-digit increases every month in the first quarter of 2021. 

There is also evidence victims who have paid ransoms are often targeted again as hackers share information about successful attacks. A 2021 study from Cybereason found that 80% of organizations that paid a ransom were later targeted by a second attack.  

Ransomware demands are almost always required to be paid in digital currencies like bitcoin, the world's largest cryptocurrency, or virtual money that is not issued or guaranteed by any government. Criminals like these currencies because they are easy to use, and they allow the extortionists to remain anonymous. Demands can range from the equivalent of a few hundred dollars all the way into the millions of dollars. Damages often go beyond financial consequences; many victimized businesses of publicized ransomware attacks suffer hits to reputation and customer trust. 

Although data breach notification laws in many states require entities to notify consumers if their data has been access or stolen, it's not always clear if ransomware attacks are subject to the same disclosure rules. This means many ransomware attacks go unreported. 

Status: A 2022 survey found that while ransomware attacks have increased, a minority of respondents had an insurance policy that covers ransomware attacks. Cyber insurance policies often cover ransomware attacks, but premiums for these policies have increased substantially in recent years. Some business policies, like business interruption or extortion policies, may cover losses related to a ransomware event. Individuals or organizations with lenient cyber security practices are often considered softer targets than, for example, banks whose digital infrastructure and encryption tend to be more sophisticated and secure. Therefore, having strong data backup and security protocols can be a deterrent to this type of cybercrime. 

Both the government and business communities are working hard to address the rising threat of ransomware. The NAIC adopted the Insurance Data Security Model Law at the Fall 2017 National Meeting. The purpose of the model is to "establish standards for data security and investigation and notification of a breach of data security". As of June 2023, 21 states have adopted the model. It is important to note that the Insurance Data Security Model Law only applies to insurers. 

At the 2021 Summer National Meeting, the NAIC membership announced the formation of a new standing committee on cybersecurity by the end of the year to monitor developments in this area. 

The U.S. Department of Health & Human Services issued a factsheet on ransomware for the Health Insurance Portability and Accountability Act (HIPAA). Both the Federal Trade Commission and the Department of Homeland Security have also released guidance for consumers and businesses on best practices to avoid ransomware attacks.