Before ransomware evolved into a full-scale
global epidemic plaguing businesses, hospitals,
schools and local governments, cyber insurance
was a profitable niche industry. It was accused of
fueling the criminal feeding frenzy by routinely
recommending that victims pay up, but kept
many from going bankrupt.
Now, the sector isn’t just in the criminals’
crosshairs. It’s teetering on the edge of
profitability, upended by a more than 400% rise
last year in ransomware cases and skyrocketing
extortion demands. As a percentage of
premiums collected, cyber insurance payouts
now top 70%, the break-even point.
Fabian Wosar, chief technical officer of Emsisoft,
a cybersecurity firm specializing in ransomware,
said the prevailing attitude among insurers is no
longer: Pay the criminals. It’s likely to be cheaper
for all involved.
“The ransomware groups got way too greedy
too quickly. So the cost-benefit equation the
insurers initially used to figure out whether or
not they should pay a ransom — it’s just not
there anymore,” he said.
It’s not clear how the single biggest ransomware
attack on record, which began last Friday, will
impact insurers. But it can’t be good.
Pressure is building on the industry to stop
reimbursing for ransoms.
In May, the major cyber insurer AXA decided
to do so with all new policies in France.
But it is so far apparently alone in the
industry, and governments are not moving
to outlaw reimbursement.