Committees Active on This Topic

Additional Resources

The Cybersecurity Landscape
May 2016, NAIC Insurance Summit Presentation

How to Protect Your Networks from Ransomware
U.S. Government Interagency Report

Fact Sheet: Ransomware and HIPAA
U.S. Department of Health & Human Services

Incidents of Ransomware on the Rise
Federal Bureau of Investigation

Contacts

Media queries should be directed to the NAIC Communications Division at 816-783-8909 or news@naic.org

Sara Robben
Statistical Advisor
816-783-8230

NAIC Center for Insurance Policy and Research (CIPR)

CIPR Homepage

Ransomware

Last Updated 9/7/17

Issue:
Regulators are concerned about the possibility of businesses and individuals being victimized by ransomware attacks. They encourage the public to become aware of them and take steps to guard against them. One of the steps is to consider the purchase of a cybersecurity insurance policy.

Ransomware, sometimes called cyber extortion, is a type of malicious software that infiltrates computer systems and locks them down. Typically the data or system is then held hostage by encryption until payments are made or other demands are met. Once the data or system has been frozen, the hacker directs the victim to pay a sum of money (ransom) to regain access to the device or data. Ransomware is a type of cyber-attack that can infect virtually any type of computer, including desktops, laptops, tablets and smart phones. The goal of the hackers is not to destroy or permanently encrypt the data, but to secure fast payment of the ransom.

Ransomware attacks are on the rise and are considered an escalating threat for the foreseeable future. Although not new, ransomware has gained popularity as a method of attacking businesses and other large organizations because the payoffs are higher.

Background:
According to the FBI, an average of 4,000 ransomware attacks occurs every day with damages hovering around $1 billion annually. That number is up 300% from 2015. Anyone can be a target of ransomware: individuals, government entities, hospitals, or private businesses. Recently, healthcare organizations have been especially high-profile targets. Most ransomware is delivered by phishing emails which imitate a business or government agency to solicit personal information from the recipient.

Although the temptation to pay the ransom is great, the FBI warns this carries its own risks. There is no guarantee the data will be restored after the ransom is paid. Additionally, there is some evidence victims who have paid ransoms are often targeted again as hackers share information about successful attacks.

Ransomware demands are almost always required to be paid in digital currencies like bitcoin, the world’s largest cryptocurrency, or virtual money that is not issued or guaranteed by any government. Criminals like these currencies because they are easy to use, and they allow the extortionists to remain anonymous. Demands can range from the equivalent of a few hundred dollars all the way into the millions of dollars. Damages often go beyond financial consequences; many victimized businesses of publicized ransomware attacks suffer hits to reputation and customer trust.

Although data breach notification laws in many states require entities to notify consumers if their data has been access or stolen, it’s not always clear if ransomware attacks are subject to the same disclosure rules.  This means most ransomware attacks go unreported.

Status:
Many cyber insurance policies cover ransomware. Some other business policies, like business interruption or extortion policies, may also cover losses related to a ransomware event. Individuals or organizations with lax cyber security practices are often considered softer targets than, for example, banks whose digital infrastructure and encryption tend to be more sophisticated and secure. Therefore, having strong data backup and security protocols can be a deterrent to this type of cybercrime.

Both the government and business communities are working hard to address the rising threat of ransomware. The Cybersecurity (EX) Working Group adopted the Insurance Data Security Model Law at the Summer 2017 National Meeting. The purpose of the model is to "establish standards for data security and investigation and notification of a breach of data security". The model will be considered by the Executive Committee and Plenary at the Fall 2017 National Meeting. There is work being done at the federal level as well. A number of federal agencies have issued statements on ransomware. The U.S. Department of Health & Human Services issued a factsheet on ransomware for the Health Insurance Portability and Accountability Act (HIPAA). Both the Federal Trade Commission and the Department of Homeland Security have also released guidance for consumers and businesses on best practices to avoid ransomware attacks.