How are cyber-insurance companies assessing ransomware risk?

Colonial Pipeline recently shelled out $4.4 million to recover its data following a ransomware attack that forced it to shut down thousands of miles of pipeline. The decision potentially left its insurer on the hook for the bill.

Such events are of increasing concern to the firms that underwrite cybersecurity for large organizations. In fact, French insurer AXA announced on May 9 that it would no longer support ransomware claims, raising questions about how the industry would address cyber extortion going forward.

How should cyber insurance companies assess and mitigate ransomware risk in this dynamic and volatile environment? Phil Edmundson, founder and CEO of Boston-based Corvus Insurance, a commercial insurer that uses data science to analyze IT vulnerabilities and help businesses prevent breaches from occurring, explains.

Dark Reading: How do ransomware attacks impact your risk models?
Edmundson: We follow the activities of cybercriminals very closely. We look at recent data from a variety of third-party providers around the average ransomware payment and the number of ransomware events that are reported. The number of actual cases is underreported. We look really closely at developments in the types of technology that cybercriminals are using.

There are about two dozen cybercriminal gangs that account for most of the ransomware events. They identify themselves by name. They do that, in part, to be able to negotiate ransom payments with credibility. The only way that insurers or organizations can gain the trust to do that is because they see a pattern of fulfillment. We study the types of vulnerabilities that are being used to succeed in ransomware.

Dark Reading: How does a cyber insurance company typically address ransomware claims?
Edmundson: Corvus is very different in this regard. We have built our own software to analyze the IT security defenses of organizations. That allows us to … [identify] vulnerabilities ahead of time and [work] with our policyholders to block those vulnerabilities. But we’re not perfect at that.

To read the complete article, visit Dark Reading.