Average ransomware payments nearly doubled in the first half of this year, but companies expecting their insurance company to pay up could be in for a nasty shock, a specialist cyber insurance broker has warned.

Businesses – small and medium enterprises (SMEs) in particular – had come to appreciate the value of a cyber risk policy after more than a year in which the COVID-19 pandemic had forced them to embrace e-commerce and adapt to operating in a tech-reliant state that has been called ‘survival mode’.

Yet this dependency had also made them prime targets for cybercriminals, whose ongoing success pushed the average ransomware demand up from $1.1m ($US847,000) last year to $6.8m ($US5.3m) in the first half of this year, according to new research by Palo Alto Networks security researchers.

Insurers often step in to negotiate with ransomware gangs – part of the reason the average negotiated payment is sitting at around $732,000 ($US570,000), up 171 per cent from last year – but the knowledge that victims won’t be paying ransoms themselves could be driving cybercriminals to demand larger sums.

Some have suggested insurers are intentionally paying ransoms to build up the popularity of cyber insurance, although rapid ransom growth may have tempered their enthusiasm.

In May, global insurer AXA announced it would no longer cover ransomware payments for companies in France, which pays the second-highest amount in ransomware payments in the world, behind the US.

Recent suggestions that Australian insurers could be legally banned from making ransomware payments could well help break the cycle locally – but such a policy would also expose affected businesses to the risk that a single ransomware strike could force them to draw a six-figure ransom from their cash flow.

The results could be catastrophic for small businesses, which could find themselves in financial strife if they can’t access the cyber insurance they need.

Meena Wahi, a cyber insurance broker with Cyber Data Risk Managers, told Information Age that such a ban could cripple an industry that is only now becoming mature enough for underwriters and actuaries to properly understand its risk.

Companies applying for cybersecurity insurance were once required to fill out exhaustive questionnaires about their security practices, Wahi explained, but “underwriters in London are now happy to give quotes based on just a website address and client revenue figures... my job is getting easier in terms of being able to promote cyber insurance.”

Although cyber insurance covers other cybercrime-related expenses – such as hiring disaster-response providers and forensics teams, and covering business interruption costs – Wahi believes banning ransomware payments would make the policies much harder to sell.

“If insurers back out of ransomware I would have a hard time claiming to some of our clients about the benefits of a cyber policy,” she said.

To pay or not to pay?

Discussions about whether to pay ransomware cartels continue to divide business and security experts – with businesses often choosing to pay despite exhortations not to from cyber experts, who are concerned that paying just perpetuates a damaging business model.

Cybersecurity executives have been fired for paying ransoms, while other business executives have gone public to explain why they decided to fork over millions in hopes of getting their data back.

Some Australian insurance companies have suggested the increasing frequency of ransomware claims is behind a “notable acceleration” in premiums and could gut the nascent industry before it can build up a big enough premium pool to maintain itself.

“It’s still early days for cyber insurance,” Dr John Selby, head of research and training with privacy consultancy Privcore, noted during an AISA presentation earlier this year where he said the cyber insurance industry was in an “existential battle”.

“There have been a lot of attacks over a lot of years that have caused insurers to lose sleep,” he said, noting that “insurance needs to be a sustainable long-term bargain, and we’re not there yet” because the industry still lacks enough historical data to manage risk as well as it does in other areas.

“Cyber modelling for catastrophic losses is still in its infancy and... with the amount of money demanded to pay out ransomware claims going up every quarter, the ability to price [policies] accurately is a challenge for insurers who sell you a policy at one point in time.”

Such concerns recently led Liberal MP Tim Wilson to suggest that he would back legislation banning such payments because “allowing insurance to reimburse for ransoms just incentivises criminal behaviours, while also increasing premiums for other cyber risks”.

The possibility of such a ban – which would mark a dramatic change from current Australian law in the area – has been greeted with scepticism by insurance industry figures questioning whether Wilson understands how the industry works.

Actuarial evolution has helped insurers learn how to cover all kinds of challenging risks in the past, and Wahi believes the growing body of data around ransomware events will help insurers build a sustainable model to cover them.

Short of government intervention, she said, most insurers are unlikely to back away from ransom payments altogether because it would simply push them out of a market that, global insurance giant Aon has predicted, will grow from $7.15b last year to be worth $18.2b this year.

“I think the market will rationalise where there will be some key underwriting agencies that will have direct positioning in the cyber insurance market,” Wahi said.

“Some players will just fall away and be sidelined, but those who say they won’t cover ransomware are effectively saying that cyber is not part of their long-term agenda.”