Committees Active on This Topic

Additional Resources

The Cybersecurity Landscape
May 2016, NAIC Insurance Summit Presentation

How to Protect Your Networks from Ransomware
U.S. Government Interagency Report

Fact Sheet: Ransomware and HIPAA
U.S. Department of Health & Human Services

Incidents of Ransomware on the Rise
Federal Bureau of Investigation

Ransomware Prevention and Response

Ransomware Awareness

Contacts

Media queries should be directed to the NAIC Communications Division at 816-783-8909 or news@naic.org

Sara Robben
Statistical Advisor
816-783-8230

NAIC Center for Insurance Policy and Research (CIPR)

CIPR Homepage

Ransomware

Last Updated 12/06/18

Issue:
Regulators are concerned about the possibility of businesses and individuals being victimized by ransomware attacks. They encourage the public to become aware of them and take steps to guard against them. One of the steps is to consider the purchase of a cybersecurity insurance policy.

Ransomware, sometimes called cyber extortion, is a type of malicious software that infiltrates computer systems and locks them down. Typically, the data or system is then held hostage by encryption until payments are made or other demands are met. Once the data or system has been frozen, the hacker directs the victim to pay a sum of money (ransom) to regain access to the device or data. Ransomware is a type of cyber-attack that can infect virtually any type of computer, including desktops, laptops, tablets and smart phones. The goal of the hackers is not to destroy or permanently encrypt the data, but to secure fast payment of the ransom.

Ransomware attacks are on the rise and are considered an escalating threat for the foreseeable future. Although not new, ransomware has gained popularity as a method of attacking businesses and other large organizations because the payoffs are higher.

Background:
According to the FBI, an average of 4,000 ransomware attacks occurs every day with damages hovering around $1 billion annually. That number is up 300% from 2015. Moreover, according to SecureList, "The number of ransomware attacks on businesses tripled in 2016, jumping from one attack every two minutes in Q1 to one every 40 seconds by Q3". As a result, the number of people and businesses at risk are increasing every year.

Anyone can be a target of ransomware: individuals, government entities, hospitals, or private businesses. Recently, healthcare organizations have been especially high-profile targets. Most ransomware is delivered by phishing emails which imitate a business or government agency to solicit personal information from the recipient.

Although the temptation to pay the ransom is great, the FBI warns this carries its own risks. There is no guarantee the data will be restored after the ransom is paid. Additionally, there is some evidence victims who have paid ransoms are often targeted again as hackers share information about successful attacks. Recent studies have shown that business leaders today pay a lot more than people expect to only hope to get their files back. IBM conducted a survey of 600 U.S. business leaders to get their feedback on what they would do if faced this kind of situation. The results concluded that 70% of these leaders have in fact paid a ransom to regain access back to their business files. Of the companies responding to the survey, nearly half of them have paid more than $10,000, and 20% of them paid more than $40,000.

Ransomware demands are almost always required to be paid in digital currencies like bitcoin, the world's largest cryptocurrency, or virtual money that is not issued or guaranteed by any government. Criminals like these currencies because they are easy to use, and they allow the extortionists to remain anonymous. Demands can range from the equivalent of a few hundred dollars all the way into the millions of dollars. Damages often go beyond financial consequences; many victimized businesses of publicized ransomware attacks suffer hits to reputation and customer trust.

Although data breach notification laws in many states require entities to notify consumers if their data has been access or stolen, it's not always clear if ransomware attacks are subject to the same disclosure rules. This means most ransomware attacks go unreported.

Status:
Many cyber insurance policies cover ransomware. Some other business policies, like business interruption or extortion policies, may also cover losses related to a ransomware event. Individuals or organizations with lax cyber security practices are often considered softer targets than, for example, banks whose digital infrastructure and encryption tend to be more sophisticated and secure. Therefore, having strong data backup and security protocols can be a deterrent to this type of cybercrime.

Both the government and business communities are working hard to address the rising threat of ransomware. The NAIC adopted the Insurance Data Security Model Law at the Fall 2017 National Meeting. The purpose of the model is to "establish standards for data security and investigation and notification of a breach of data security". To date, South Carolina has adopted the model and several other states are considering similar legislation. There is work being done at the federal level as well. A number of federal agencies have issued statements on ransomware. The U.S. Department of Health & Human Services issued a factsheet on ransomware for the Health Insurance Portability and Accountability Act (HIPAA). Both the Federal Trade Commission and the Department of Homeland Security have also released guidance for consumers and businesses on best practices to avoid ransomware attacks.