Last Updated 6/23/2020

Issue: Ransomware, sometimes called cyber extortion, is a type of malicious software that infiltrates computer systems and locks them down. Typically, the data or system is then held hostage by encryption until payments are made or other demands are met. Once the data or system has been frozen, the hacker directs the victim to pay a sum of money (ransom) to regain access to the device or data. Ransomware is a type of cyber-attack that can infect virtually any type of computer, including desktops, laptops, tablets and smart phones. The goal of the hackers is not to destroy or permanently encrypt the data, but to secure fast payment of the ransom.

Ransomware attacks are on the rise and are considered an escalating threat for the foreseeable future. In 2018, Beazley Breach Response Services reported that 70 percent of ransomware attacks were targeted towards small businesses. Small businesses are primary targets, as they typically spend less on security, making it easier to hack into the systems. State insurance regulators are concerned about the possibility of businesses and individuals being victimized by ransomware attacks and encourage the public to take steps to guard against potential attacks. One of the steps is to consider the purchase of a cybersecurity insurance policy. Many cyber policies cover ransom money, extortion-related expenses, and repair costs. However, it is important to notify your insurer before you pay a ransom; otherwise, it may not be covered.

Background: According to the FBI, in 2018 the Internet Crime Complaint Center (IC3) received 351,937 complaints, with reported financial losses of $2.7 billion. Of the 351,937 complaints, there were 1,493 ransomware complaints with losses of just over $3.6 million. Moreover, according to TechRepublic, “Business detections of ransomware rose 365% from Q2 2018 to Q2 2019, the report found, while consumer detection decreased by 12%.” As a result, the number of people and businesses at risk is increasing every year.

Anyone can be a target of ransomware: individuals, government entities, hospitals, or private businesses. In the past year, municipalities have been victims of ransomware. According to the Insurance Journal, this year there have been 55 ransomware attacks on state, local, and county governments. This accounts for approximately 60% of all attacks this year. Most ransomware is delivered by phishing emails, which imitate a legitimate agency to solicit personal information from the recipient.

Although the temptation to pay the ransom is great, the FBI warns this carries its own risks. There is no guarantee the data will be restored after the ransom is paid. Even though not paying the ransom is recommended, some companies are instead paying the ransom as part of their insurance coverage. For example, earlier this year Lake City, Florida was a victim of a ransomware attack. After receiving approval from its insurer, Lake City paid $460,000 in order to restore its systems. Since it had cyber insurance, the city only had to pay a $10,000 deductible. However, there is some evidence that victims who have paid ransoms are often targeted again, as hackers share information about successful attacks. Recent studies have shown that business leaders today pay a lot more than people expect, with only the hope of getting their files back. IBM conducted a survey of 600 U.S. business leaders to get their feedback on what they would do if faced with this kind of situation. The results showed that 70% of these leaders have in fact paid a ransom to regain access to their business files. Of the companies responding to the survey, nearly half have paid more than $10,000, and 20% paid more than $40,000.

Ransomware demands are almost always required to be paid in digital currencies like bitcoin, the world's largest cryptocurrency, or virtual money that is not issued or guaranteed by any government. Criminals like these currencies because they are easy to use, and they allow the extortionists to remain anonymous. Demands can range from the equivalent of a few hundred dollars all the way into the millions of dollars. Damages often go beyond financial consequences; many businesses victimized by publicized ransomware attacks suffer hits to reputation and customer trust.

Although data breach notification laws in many states require entities to notify consumers if their data has been accessed or stolen, it's not always clear if ransomware attacks are subject to the same disclosure rules. This means many ransomware attacks go unreported.

Status: Many cyber insurance policies cover ransomware. Some other business policies, like business interruption or extortion policies, may also cover losses related to a ransomware event. Individuals or organizations with lenient cyber security practices are often considered softer targets than, for example, banks whose digital infrastructure and encryption tend to be more sophisticated and secure. Therefore, having strong data backup and security protocols can be a deterrent to this type of cybercrime.

Both the government and business communities are working hard to address the rising threat of ransomware. The NAIC adopted the Insurance Data Security Model Law at the Fall 2017 National Meeting. The purpose of the model is to "establish standards for data security and investigation and notification of a breach of data security." For 2020, the Innovation and Technology (EX) Task Force has been charged to continue to monitor the developments in cybersecurity and implement the Insurance Data Security Model Law (#668). As of Spring 2020, eight states have adopted the model. It is important to note that the Insurance Data Security Model Law only applies to insurers.

The U.S. Department of Health & Human Services issued a factsheet on ransomware for the Health Insurance Portability and Accountability Act (HIPAA). Both the Federal Trade Commission and the Department of Homeland Security have also released guidance for consumers and businesses on best practices to avoid ransomware attacks.

Additional Resources

The Cybersecurity Landscape
May 2016, NAIC Insurance Summit Presentation

How to Protect Your Networks from Ransomware
U.S. Government Interagency Report

Fact Sheet: Ransomware and HIPAA
U.S. Department of Health & Human Services

Incidents of Ransomware on the Rise
Federal Bureau of Investigation

Ransomware Prevention and Response

Ransomware Awareness

Media queries should be directed to the NAIC Communications Division at 816-783-8909 or

Sara Robben
Statistical Advisor

NAIC Center for Insurance Policy and Research (CIPR)
