The search for answers to the ransomware epidemic in the wake of the Colonial Pipeline hack has turned up an unlikely scapegoat: insurance. The assertion that the “explosion of ransomware cases has been fueled by the rise of cyber insurance” has quickly become accepted wisdom among commentators and, more worryingly, policymakers. The prominence afforded cyber insurance belies its still modest scale: despite several years of rapid growth, dedicated cyber risk policies are purchased by relatively few organizations (33 percent in the United States, according to one survey), and globally only a “tiny minority” of cyber risk is insured.

The payment of ransom through insurance does raise important questions for public policy and risk management, but the analysis should approach insurance as a vital part of the solution to managing cyber risk, not a root cause of the problem.

A Problem That Affects Everyone

Every major cyber attack reveals new facets to the challenge of how best to secure the world’s digital economies. The Colonial incident has surfaced two in particular: the threat to physical infrastructure (especially the importance of separating the operational technology that controls critical functions from back-office information technology), and the legitimacy of ransom payments to criminals. Insurance can be part of the solution to both problems, but intensifying criticism could prompt insurers already spooked by rising claims to withdraw cover altogether—as the major European insurer AXA has announced it plans to do in France.

Nick Beecroft is nonresident scholar in the Cyber Policy Initiative at the Carnegie Endowment.

The lesson of the Colonial attack should be that ransomware is a strategic threat that demands diverse and multilayered defenses accessible to every part of the economy. Insurance can be one of those defenses, as it has been for centuries in other classes of risk. It can incentivize risk management through policy requirements and risk-based pricing; insurance is especially important to small and medium enterprises, as it can provide expert resources to help firms prepare for and recover from cyber events.

Ransomware has developed to become the most potent form of criminal cyber attack, achieving industrial scale through the ransomware-as-a-service operating model. The success of the attack on Colonial Pipeline was therefore not surprising, but its impact did introduce a new dimension to ransomware’s disruptive potential, as its effects broke out of cyberspace to spark tangible fear in the nation. Panic buying of gasoline pushed U.S. prices to their highest levels since 2014. This effect appeared to be an entirely unintended consequence, prompting the perpetrators to first issue a statement of regret and then announce they were ceasing operations altogether. Despite their freedom of operation, it appears that organized cybercriminal groups can be constrained and ultimately deterred through a combination of negative publicity and the prospect of attracting a forceful response. This is a key insight that could be harnessed to quantify cyber risk to critical infrastructure and elevate risk management to the same sophistication as the criminals’ operations. 

Cyber Insurers Are Not the Bad Guys

Insurers and other sources of risk capital play only a marginal role in managing large cyber risks, even in the most developed market—the United States. This is not because of the scale of potential losses, but rather because of fundamental uncertainty on how to measure the risk, establish limits of liability, and manage overall exposure. The Colonial attack provides insights that could help reduce this uncertainty, enabling more robust quantification and risk modeling, and thus promoting greater participation in risk management. That is why the demonization of insurers as part of the problem is so unhelpful.

U.S. Deputy National Security Adviser Anne Neuberger’s comments, which helped put the spotlight on insurers, were nuanced and recognized the need for a thoughtful, multistakeholder response to ransomware. Payment of a ransom is understandable when all other options have been exhausted and the survival of the organization is at stake (although Colonial paid a ransom, its own backup restoration process proved more effective than the hackers’ decryption key in restarting operations). But the payment of ransoms by insurance companies does create the potential for moral hazard—both by policyholders, who might adopt a complacent attitude to risk management, and by insurers, who might calculate that paying a ransom would be cheaper than paying the full costs of investigation, data recovery, network restoration, and so on. It could also make insurance companies a prime target for criminal groups, as demonstrated by a recent attack on a division of AXA in Asia. Insurers should, therefore, carefully review their approach to ensure that their products incentivize better cyber risk management by, for example, tightening the conditions under which a ransom can be paid.

The Need for Collective Data

The uncertainty that constrains the availability of cyber insurance has broader effects in terms of undermining resilience. Organizations’ relative preparedness for cyber events varies enormously, and even the most sophisticated ones can be breached by a weakness in a digital supply chain. This knowledge imbalance hands the initiative to cyber aggressors and means that disruptive cyber attacks can have far-reaching and unexpected consequences.

The patchwork of mechanisms to encourage good practice and share intelligence, many of which have made vital progress in their respective sectors, needs bolstering by a collective “nervous system.” One manifestation of such a system would be a Bureau of Cyber Statistics as recommended in the 2020 report of the U.S. Cyberspace Solarium Commission. The report called for the establishment of an agency tasked with collecting, analyzing and disseminating “essential statistical data on cybersecurity, cyber incidents, and the cyber ecosystem” to the private sector and the American public, in addition to federal agencies. Doing so may not be glamorous, but it would be a significant step toward creating collective knowledge at the scale needed to counter the threat of cyber attacks. 

The Colonial hack is another reminder that the threat of cyber attacks reaches every part of modern society. Insurers should scrutinize their policies to eliminate moral hazard, but this is a moment for every available tool—including insurance—to be employed to deepen resilience to cyber incidents.