The cyber-insurance vision is failing for ransomware attacks in India

Ransomware-targeted cyber-insurance solutions do not serve its primary vision of helping improve organisation cyber-security governance—only help in cyber-loss mitigation. Image: Shutterstock

There is a fast-growing market for cyber-insurance in India, if not the fastest-growing market within the Indian insurance industry. The amount of yearly cyber insurance coverage companies in India usually buy today (as of 2023) ranges from $1 million (small companies) to $200 million (large IT service providers), and it is growing at a CAGR of 35 percent for the past three years. To shield against the adverse impacts of client moral hazard and imperfect information on their organisational cyber-posture, the usual form of cyber-insurance contracts accompanies short policy periods, relatively low policy limits, and dynamic repricing. However, these cyber-insurance market practices are increasingly being called into question with the advent and rapid rise of cyber-extortion-based ransomware attacks on the Indian IT/OT industry (that are getting increasingly sophisticated over time).

According to annual studies by Trend Micro and Palo Alto Networks, India experienced about 11 percent of the total of around 14,983,271 global ransomware threats in 2022, making it the second most ransomware-targeted country in Asia. In this article, we identify three major but different ransomware attack types that are sourced from ransomware-as-a-service (RaaS) markets (a primary source of launching ransomware attacks) in India. For these attack types, we provide insights into how and why cyber-insurance products are evolving the way they are to manage the cyber risk arising from the former. The main takeaway is that the traditional form of cyber-insurance for non-ransomware attack contracts in India does not apply to ransomware attacks. Moreover, ransomware-targeted cyber-insurance solutions do not serve its primary vision of helping improve organisation cyber-security governance—only help in cyber-loss mitigation. This starkly contrasts traditional cyber-insurance products that act as a control solution to improve organisational cyber-security governance and mitigate cyber losses.

The first type of ransomware attack involves criminal software coders offloading (the main characteristic of the RaaS business) the "breaking and entering" part of the victim cyber-extortion process to third parties who share the eventual ransom proceeds with the coders (e.g., as was in the case of the Telangana and AP power utility, the BSNL, and SpiceJet ransomware attacks). The coders do not grasp third-party execution quality control, where the third parties might not even have the technical knowledge at times to help victims restore their systems post-ransom payment. As a result, the cost to the victim of restoring systems is often far higher than the ransom itself. The Indian cyber-insurance market response to such cyber-attacks is extreme hardening, with very few cyber-insurers willing to sell ransomware coverage products with stringent security conditionality, i.e., hardly promoting security as governance—in contrast, only promoting cyber-loss mitigation in their product advertising. Such Cyber-insurance products primarily connect victim clients to effective ransomware resolution services. As a result, victims often pay the ransom as part of the cyber-insurance contract policies as the low-cost option instead of only resorting to extremely costly ransomware resolution services without insurance. The outcome is a cyber-insurance market focused on cyber-loss mitigation rather than cyber-security governance.

Also read: From Kotak Life Insurance and IDFC First Bank to State Bank of India and Turtlemint, BFSI is under cyberattack

The second type of ransomware attack evolved because of the weaknesses of the first type. In other words, ransomware criminals are

1. Becoming more 'thoughtful' and professional over time in providing recovery response services,
2. Strengthening their cryptography to decrypt victim files (because IT breach responders often share off-the-shelf decryption keys publicly) and
3. Generating ransom amounts that are industry—and criticality-specific—An example is critical infrastructure being thumped larger ransoms compared to relatively societally less critical enterprises.

Examples of such attacks in India have been the UHBVN, the AIIMS New Delhi, and Haldiram's ransomware attacks. The result is that cyber-insurance markets to manage such ransomware cyber-attacks are fuelling and showcasing four salient characteristics:

1. They pay the ransoms.
2. They manage the adverse outcome of cyber-attacks by providing breach response services that bring back businesses online.
3. Provide services to improve organisational resilience to ransomware attacks.
4. Buy breach response expert services in bulk so that the pricing applied to cyber-insurance clients is significantly lower (but profitable enough for the cyber-insurer) compared to the scenario in which the client would independently approach a breach response expert without cyber-insurance.

Insurance markets to manage such ransomware are primarily focused on cyber-loss mitigation rather than improved organisational cyber-security governance.

Also read: Why ransomware groups are targeting pharma companies and the healthcare sector

The third type of ransomware attack evolved because of two reasons:

1. Organisations are slowly coming to grip with relatively simpler forms of ransomware attacks via the use of multifactor authentication (MFA) and efficient backup processing mechanisms, and
2. Attackers wanted to significantly raise the multi-party reputation and liability risks for the victim organisations.

Subsequently, these attackers spend more time exploiting critical and sensitive data within organisations (and of supply chain suppliers) and put a hefty ransom on them, attaching a credible threat of the failure to pay leading to a leak of such information in public and the darknet. Examples of such attacks include those launched through Lockbit, Conti, and Kaseya ransomware groups in Maharashtra. This has led to a double-edged sword for cyber-insurers and their clients. On the one hand, minimising liability risk via quick payments increases ransom risk; on the other hand, minimising ransom risk via refusal to pay high ransoms increases the liability risk from releasing very sensitive organisational and supply chain data. Add to this the third-party moral hazard due to the disbanding and reformation of existing ransomware groups that do not guarantee that ransom payment will not result in future sales of such sensitive data. It is precisely in such cyber-attack scenarios that the cyber-insurance agencies have:

1. Either withdrawn from offering cyber-insurance.
2. Formally excluded providing coverage for nation-state-sponsored cyber-attacks.
3. Tightened the security controls needed by potential clients before offering a cyber-insurance solution.

Consequently, the cyber-insurance capacity has decreased in the non-stand-alone market and contributed to their high prices. The outcome is a sparse cyber-insurance market for ransomware attacks focused on profit maintenance and cyber-loss mitigation without an eye on improving organisational cyber-security governance.

Ranjan Pal (MIT Sloan School of Management, USA)
Marsha Rodrigues (Christ College, India)
Bodhibrata Nag (Indian Institute of Management Calcutta, India)

[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]