
Increasing ransomware attacks demand action from (re)insurers

The rise in frequency and severity of ransomware incidents calls for a response from the (re)insurance industry. Conor Husbands – Specialty Underwriter, and Devin Page – Head of Specialty, Hiscox Re & ILS explain more…

Against the backdrop of the global disruption inflicted by the COVID-19 pandemic, cyber criminals have ramped up ransomware attacks and the theft of sensitive information to demand ever-growing ransoms. This trend shows no sign of slowing down and, for the (re)insurance industry, is beginning to reveal itself in mounting losses and capacity withdrawal.

While (re)insurers are well used to recognising and pricing for changing risks, the increases in ransomware incidents the market is witnessing today, both in their frequency and severity, dwarf the scale of typical trends, where many years of compounding increases are often required to produce market-turning results. It’s a big challenge for the industry, and one that needs underwriters to take a proactive stance to ensure the long-term sustainability of the cyber insurance and reinsurance market.

Ransomware continues the upward swing

Hiscox’s CyberClear Centre – in partnership with Kivu – warns of a 200% increase in the size of ransomware payments from H1 2019 to H1 2020.[1] Reinforcing this research, Coveware has recorded a 60% quarterly increase, increasing by a factor of 30 in under two years.[2] Other recent studies by leading cyber carriers, brokers and research firms report similar statistics.

Why is this happening? Fundamentally, the financial incentives for criminal actors to monetise cyber infiltration are simply too vast for enterprising hackers not to gravitate towards them. Only last year, the GandCrab gang announced they were retiring from the ransomware marketplace claiming to have amassed a cumulative US$2bn in extortion payments.[3] In a recent interview, a representative of the Sodinokibi or REvil gang claimed to have extracted over $100,000,000 in extortion payments in recent years.[4]

There are, of course, other, secondary factors at work: it’s often mentioned that the shift of business operations to digital and remote working platforms in response to the pandemic has offered an expanded attack surface for hackers targeting virtual private network (VPN) vulnerabilities. In addition, traditional cybercrime tools wielded by gangs have evolved in 2020, making attacks much harder to fend off: doxing (data exfiltration) and even distributed denial of service (DDoS) attacks are now being used as alternative ways to blackmail targets. Our ransomware bulletin with Kivu identifies over ten active gangs using these new tactics.

An ever-evolving threat

The systemic nature of the risk means that a single vulnerability or exploit can have a significant impact before the (re)insurance market has the chance to react by changing pricing or terms, despite the dedicated efforts of those in the industry. It’s a form of serial correlation – with each loss the probability of subsequent losses increases, leading to a rapid aggregation of claims over time. In our opinion, this threat of clusters of losses is best protected against by way of aggregate reinsurance structures – an area where Hiscox specialises.

Allowing cedants to aggregate up losses without multiplying retentions gives them more certainty over their recovery, and avoids debates over the definition of an event or loss occurrence. A changing threat environment is therefore inscribed in the very essence of the peril and the product sold.

How should the industry react?

Reassuringly, there are signs that appropriate measures can help to curtail the ransomware threat. Insurers imposing exclusions, sub-limits or coinsurance provisions on extortion payments, and securing warranties around back-ups, two-factor authentication and other controls, are just a few examples of effective tactics.

Underwriting controls such as these can be a potent defensive measure. However, even with these controls in place, the threats faced by insurers from this rapidly changing risk underscore the need for a comprehensive reinsurance purchase.

From our standpoint as reinsurers, a constantly evolving risk requires a constantly evolving approach. At Hiscox Re & ILS, we are continually revising our own view of risk and pricing approach to ensure we are in step with the changing risk, and able to support our clients in this uncertain environment. Understanding the composition of a cedant’s book of business is more important than ever, with the potential for vast differences in the impact of ransomware attacks.

We are partnering closely with cedants who have recognised the threat, have taken action to protect themselves, and are supporting their clients with cyber security training and education. Some markets still seem to be adopting a wait-and-see approach to ransomware, suspending judgement until the extent of the losses becomes clearer. In our opinion, the rapidity and scale of the threat rule that out as a defensible strategy, and insurers and reinsurers must respond as swiftly as possible.

Reasons to be upbeat

Whilst the short-term prognosis may seem gloomy, there are reasons to be upbeat. For those willing to make difficult underwriting decisions, there is a real chance to outperform competitors and, in the medium-term, the market will inevitably turn and adapt to this new risk.

Without the intervention of regulators or law-enforcement, decisive action and the curtailment of coverage may be the only feasible antidote to ransomware. But if the response is commensurate with the scale of the potential impact, the long-term result could be a much more robust market for all of us – and another demonstration of the value of cyber insurance and reinsurance products.



[1] Kivu Consulting (2020). “Trends in Ransomware and Doxing H1 2020 Review.” Available here

[2] Coveware, Inc. (2018). “Coveware Global Ransomware Marketplace Report.” Available here. Coveware, Inc. (2020). “Ransomware Attacks Fracture Between Enterprise and Ransomware-as-a-Service in Q2 as Demands Increase.” Available here.

[3] Krebs, B. (2019). “Who’s Behind the GandCrab Ransomware?” Krebs on Security. Available here.

[4] Ransomware | Russian OSINT video. Available here.  


