The more prevalent bitcoin ransomware attacks become, the merrier it gets for insurance firms that offer cyber-liability insurance coverage. The City of Baltimore has become the latest example of this emerging trend.
According to The Wall Street Journal, city officials on Wednesday authorized the purchase of cyber-liability insurance coverage worth $20 million. The Maryland city will be covered under two plans by two insurance firms – Chubb Insurance and AXA XL Insurance.
Chubb Insurance will provide an annual cyber-liability cover that will cost Baltimore $500,103 in premiums. AXA XL Insurance will also provide a similar cover but at a lower premium – $335,000. The total premiums will amount to $835,103, with an assessment being conducted yearly.
The development comes roughly five months after the city came under a ransomware attack that disabled its computer systems, affecting police services, billing systems and real estate transactions. The hackers demanded 13 bitcoin to provide the decryption software.
While cyber-liability insurance policies vary by case, they can cover hackers’ extortion demands. Per The Wall Street Journal, Baltimore’s cyber-liability cover will include making ransom payments.
According to Chubb Insurance, ransomware attacks increased by 84% from 2017 to 2018. KPMG, on the other hand, has predicted that the global cyber insurance market has been experiencing yearly growth of between 20% and 25%. Worth $2.5 billion in premiums in 2015, this is expected to balloon to $7.5 billion by 2020. By 2025 this is projected to rise to $20 billion.
Given a choice between reviving a breached computer network at a massive cost and paying a ransom, which is usually a couple of bitcoin, it is easy to see what choice insurance companies will make in the case of a cyber attack.
Public bodies operate differently. Earlier this year, the U.S. Conference of Mayors passed a resolution unanimously opposing paying ransoms after an IT security breach. The FBI has also discouraged the payment of cyber ransoms, arguing that it could encourage this criminal business model.
In the event of a bitcoin ransomware attack, an insurance firm won’t make an ethical or a moral decision but the best business decision. This has been borne out by a survey of 600 U.S. business leaders conducted by IBM in 2018. The survey found that 70% of the business leaders had paid a ransom after a cyber-attack. The reason this does not hit the headlines is that most ransomware attacks are never reported.
In June, the cyber-insurer of Riviera Beach City in Florida paid a ransom of 65 bitcoin with the city only paying a $25,000 deductible. The costs of the recovery in this case were estimated to be in the millions. In the case of Baltimore, the recovery costs were estimated to be over $18 million. In the latter case, hackers had demanded $104,000 at the current bitcoin price.
So while cyber-insurance is relatively new, it’s likely to spawn unintended consequences. As Emsisoft’s CTO, Fabian Wosar, told ProPublica recently, cyber-liability insurance is fueling IT security breaches including bitcoin ransomware attacks:
“Cyber insurance is what’s keeping ransomware alive today. It’s a perverted relationship. They will pay anything, as long as it is cheaper than the loss of revenue they have to cover otherwise.”