Ransomware (2024)

Last Updated 6/12/2023

Issue: Ransomware, sometimes called cyber extortion, is a type of malicious software that infiltrates computer systems and locks them down. Typically, the data or system is then held hostage by encryption until payments are made or other demands are met. Once the data or system has been frozen, the hacker directs the victim to pay a sum of money (ransom) to regain access to the device or data. Ransomware is a type of cyber-attack that can infect virtually any type of computer, including desktops, laptops, tablets and smart phones. The goal of the hackers is not to destroy or permanently encrypt the data, but to secure fast payment of the ransom.

Ransomware attacks are on the rise and are considered an escalating threat for the foreseeable future. As of 2021, between 50 and 75% of ransomware attack victims are small businesses. Small businesses are primary targets, as they typically spend less on security, making it easier to hack into the systems. State insurance regulators are concerned about the possibility of businesses and individuals being victimized by ransomware attacks and encourage the public to take steps to guard against potential attacks. One of the steps is to consider the purchase of a cybersecurity insurance policy. Many cyber policies cover ransom money, extortion-related expenses, and repair costs. But it is important to notify your insurer before you pay a ransom, otherwise it may not be covered.

Background: According to the FBI, in 2022 the Internet Crime Complaint Center (IC3) received 800,944 complaints, with reported financial losses of $10.3 billion. Of these, 2,385 were identified as ransomware complaints with adjusted losses exceeding $34.3 million. Additionally, according to Kaspersky, in the first ten months of 2022, the number of users attacked by targeted ransomware nearly doubled, as compared to the same period in 2021.

The number of people and businesses at risk is increasing every year. Anyone can be a target of ransomware: individuals, government entities, hospitals, private businesses, and municipalities of all sizes. Most ransomware is delivered by phishing emails, which imitate a legitimate agency to solicit personal information from the recipient.

Although the temptation to pay the ransom is great, the FBI warns this carries its own risks. There is no guarantee the data will be restored after the ransom is paid. Ransom demands can be incredibly costly and are rising, with average demands increasing 500% from 2020 to the first half of 2021. The average ransomware payment is also increasing, rising from $312,000 in 2019 to $570,000 in 2020. Premiums for cyber insurance policies that cover ransomware payments are climbing as well, with double-digit increases every month in the first quarter of 2021.

There is also evidence victims who have paid ransoms are often targeted again as hackers share information about successful attacks. A 2021 study from Cybereason found that 80% of organizations that paid a ransom were later targeted by a second attack.

Ransomware demands are almost always required to be paid in digital currencies like bitcoin, the world's largest cryptocurrency, or virtual money that is not issued or guaranteed by any government. Criminals like these currencies because they are easy to use, and they allow the extortionists to remain anonymous. Demands can range from the equivalent of a few hundred dollars all the way into the millions of dollars. Damages often go beyond financial consequences; many victimized businesses of publicized ransomware attacks suffer hits to reputation and customer trust.

Although data breach notification laws in many states require entities to notify consumers if their data has been accessed or stolen, it's not always clear if ransomware attacks are subject to the same disclosure rules. This means many ransomware attacks go unreported.

Status: A 2022 survey found that while ransomware attacks have increased, a minority of respondents had an insurance policy that covers ransomware attacks. Cyber insurance policies often cover ransomware attacks, but premiums for these policies have increased substantially in recent years. Some business policies, like business interruption or extortion policies, may cover losses related to a ransomware event. Individuals or organizations with lenient cyber security practices are often considered softer targets than, for example, banks whose digital infrastructure and encryption tend to be more sophisticated and secure. Therefore, having strong data backup and security protocols can be a deterrent to this type of cybercrime.

Both the government and business communities are working hard to address the rising threat of ransomware. The NAIC adopted the Insurance Data Security Model Law at the Fall 2017 National Meeting. The purpose of the model is to "establish standards for data security and investigation and notification of a breach of data security". As of June 2023, 21 states have adopted the model. It is important to note that the Insurance Data Security Model Law only applies to insurers.

At the 2021 Summer National Meeting, the NAIC membership announced the formation of a new standing committee on cybersecurity by the end of the year to monitor developments in this area.

The U.S. Department of Health & Human Services issued a factsheet on ransomware for the Health Insurance Portability and Accountability Act (HIPAA). Both the Federal Trade Commission and the Department of Homeland Security have also released guidance for consumers and businesses on best practices to avoid ransomware attacks.
