Ransomware evolves to affect severity; BI remains ‘complicated’

CHICAGO—There is “no honor amongst thieves” when it comes to ransomware.

During a panel on claims developments here at Advisen’s Cyber Risk Insights Conference, CNA Insurance cyber industry leader Brian Robb said ransomware attacks have evolved. At the start of the ransomware trend, organizations that paid up would receive encryption keys to get data back.

Now, said Robb, there have been situations in which the thieves only returned a partial encryption key following payment, and then asked for more cryptocurrency.

Brett Anderson, breach response services manager for Beazley, said the online thieves are using tools to “scan systems to see the impact they are having [with the ransomware], and then they make a request based on that.”

David Finz, senior vice president at Marsh, said frequency is down but severity is up for ransomware claims. The panel concurred. Anderson said antivirus and email filtering are stopping simple attacks, so when a client calls, “most of the time it’s the real thing.” Luke Tenery, senior managing director at Ankura Consulting Group, said there has been an increase in the diversity of ransomware attacks.

Business interruption remains tough

Anderson said there has certainly been an uptick in cyber-related business interruption claims, including contingent business interruption. Each claim is “complicated” and handled “case-by-case,” he said.

The computation of a baseline to income loss remains challenging, said Finz, because the timing could coincide with another variable. In other words, was there another factor within or outside the company that could have affected income during the same time?

Robb said extra-expense claims are “straightforward” but income loss is “speculative.” He added CBI “scares the heck out of” him. “I understand why it’s important, but it’s scary. Controls and evaluations will get better,” he said.