Q&A: Ransomware Settlements and Cyber Insurance | Fortinet Blog 

Ransomware is top of mind for many organizations. According to a FortiGuard Labs Threat Landscape Report, ransomware incidents increased nearly eleven-fold from 2020 to 2021. Not surprisingly, as a result, more organizations are looking into cyber insurance, which covers certain types of losses suffered from a cyberattack and pays out settlements to the attackers.

FortiGuard Labs’ Derek Manky and Jim Richberg, Fortinet Field CISO for the Public Sector, offer their perspectives on current ransomware trends, cyber insurance, and how organizations can better defend against and recover from attacks. 

Can you give us an overview of what is happening with ransomware today?

Derek Manky: Ransomware offers a low-investment, high-profit business model that’s irresistible to cybercriminals. It is a growth industry in part due to the increase in Ransomware-as-a-Service (RaaS). In addition to customizing ransomware toolkits for business affiliates, some operators have also begun selling access to compromised corporate networks, making it that much easier for less-technical criminals to get involved. What is worse is that they are actively targeting insiders by offering compensation for access to networks.

Another alarming trend we’ve seen at FortiGuard Labs is an increase in the volume of attacks. For example, the percentage of organizations detecting botnet activity jumped from 35% to 51% by the mid-year mark. In addition to the increase in volume, attacks are also becoming more aggressive. Cybercriminals have been adding levels of extortion to get victims to pay, including combining traditional ransomware file encryptors with threats of publicly exposing internal data, adding a DDoS attack to create additional confusion and panic, and reaching out to a victim’s customers and stakeholders. We also predicted that destructive wiper malware threats will be added to the list of extortion strategy.

How do these trends relate to cyber insurance?

Jim Richberg: Cyber insurance is growing as an industry, and I think part of it is because ransomware has become so prolific. Insurance can sound like an easy answer to the problem of ransomware. Getting insurance in order to pay a settlement if you fall victim to ransomware is a lot easier for boards to understand than going into the various reasons why your cybersecurity efforts aren’t working to thwart attacks. Cyber insurance is particularly attractive to small and medium-sized organizations that don’t have the means to self-insure and are not confident that their security is likely to withstand attack. Many large enterprises do what it takes to bring their level of risk down to a level they can live with and afford. Going under the assumption that eventually they’ll be targeted, they may even include ransomware settlements in the incident response budget.

How do settlements play a role in ransomware?

Derek Manky: Cybercriminals are preferentially targeting companies that have cyber insurance because if the insurance company is paying out the ransomware settlement, it’s more likely the attackers will get the money. The classic approach to reconnaissance is that cybercriminals blueprint the network and organization, looking for vulnerabilities and other points of entry. But now, they’re not just scanning your networks; they’re scanning public records. With government, the budget is part of public record, so it’s easy for bad actors to determine whether or not the agency has insurance.

With private sector organizations, it’s a little different. But often there is public information and social media that cybercriminals can use to perform reconnaissance. It’s becoming yet another tool in their toolset. Because cybercrime has become a more organized enterprise model with affiliates (RaaS), cybercriminals are going where the money is. Ransomware negotiation is a growing business fueled by payment and insurance. It is part of why ransomware is becoming more prevalent than other types of attacks like distributed denial-of-service (DDoS).

What should you do to protect yourself?

Jim Richberg: Organizations need to take an architectural approach to security to protect themselves across their ever-expanding and evolving attack surface and defend against increasingly sophisticated tactics. Because no single technology can protect an entire network, Fortinet brings together all the necessary technologies to provide the right level of protection where it’s needed, using a cybersecurity mesh platform called the Fortinet Security Fabric. The mesh concept has gained a lot of attention over the past year, but Fortinet has been defending organizations through its integrated and automated Fabric since 2016.

It’s important for organizations to control who and what can connect to the network through zero-trust access, defend endpoints using endpoint detection and response (EDR), and protect the converged physical network through security-driven networking, and the virtual extension of the network into the public cloud with adaptive cloud security. 

In addition to technology, organizations need to invest in cybersecurity training. People are a significant potential threat vector to organizations. To prevent intrusions, employees need to be educated about the risks of phishing, so they can better recognize fake websites and suspicious emails.

Another side effect of robust security is that if you can demonstrate that you have a strong security posture, you might get better rates when you start looking into cyber insurance. Much like having a smoke alarm makes it less likely that a fire will spread and burn down your house, implementing best practices in terms of security reduces the potential for an intrusion to turn into a devastating breach. In both situations, you’re less of a risk to the insurer, and this is likely to be reflected as lower insurance premiums.

Is insurance a panacea?

Jim Richberg: The big warning here needs to be that just because you have cyber insurance doesn’t mean you’ve got nothing to worry about. Insurance doesn’t make your organization bulletproof or absolve you from needing to have the type of robust security I mentioned.

I think of cyber insurance as a double-edged sword. Although it’s good to have cyber insurance, as Derek pointed out, it can make you more of a target for cybercrime. And beyond that, you’re not transferring all of the risk to the insurance company. Yes, the insurance pays the ransomware settlement, but it doesn’t compensate you for the damage to your company reputation, intellectual property losses, or the reduction in sales from publishing your data publicly or contacting customers to tell them their data was compromised.

Derek Manky: For cybercriminals, ransom settlements from insurers can be a more predictable revenue stream than they’ve had before. It may be a reason we’re seeing the ecosystem become faster, more robust, and cohesive. Cybercriminals are going to keep coming back for more. They know that companies that have insurance can net them a nice quick payout. We knew that this cybercrime ecosystem existed, but now they’re negotiating and setting up customer support centers. With toolkits for affiliates, they’re setting up an enterprise model, versus the more ad hoc attacks we saw in the past.

Jim Richberg: I think another thing to consider is that cyber insurance isn’t like car insurance where you’re insuring against an accident. With car insurance, the people around you want to avoid an accident just as much as you do; another driver usually isn’t trying to hit you on purpose! But cybercriminals are specific and malicious. Ransomware is never an accident. 

Learn more about how Fortinet Security Fabric solutions protect the entire organization against ransomware attacks as well as from infection and spread.