Ransomware in 2021: Three Trends Cyber Insurers are Seeing Now

Lauren Winchester is Vice President of Smart Breach Response for Corvus Insurance. In this role, Lauren guides policyholders of all sizes through cyber security incidents, ensuring efficient coordination of counsel, digital forensics firms, and other key incident response resources. She also manages Corvus’s risk mitigation services, such as tabletop exercises and incident response planning, that are designed to minimize the frequency and severity of data breaches. Lauren has handled over 1,000 cybersecurity incidents for organizations in healthcare, financial services, higher education, retail, professional services and more.

The nation-state hack of SolarWinds, thought to be an act of espionage, has stolen the cybersecurity headlines so far in 2021. But if your work involves cyber liability we don’t have to explain that it’s ransomware that remains the major story from the perspective of those in the trenches. This particular category of malware may not be responsible for the majority of claims filed under cyber liability policies, but the eye-popping figures associated with these claims means they are the focus of any insurer offering coverage for cyber events. (According to broker Lockton, in 2020 ransomware caused 15% of claims, but 95% of the amounts paid.)

As has always been the case with cybersecurity and cyber insurance coverage, the only constant is change. What presented the most concern to underwriters regarding ransomware in 2019 is not the same as it is now. Staying ahead on the trends can help underwriters, brokers and policyholders to make critical adjustments to coverage, risk mitigation steps and claims management. The following are three of the major trends in ransomware in 2021.

Rising demands, rising costs – but perhaps a break in the clouds

Growth in total numbers of reported ransomware attacks has thankfully not kept up the torrid pace observed in 2019. But costs have exploded. As NetDiligence found, in 2019 overall costs of a ransomware attack increased 57% — more if business interruption costs are added. The growth in cost was driven in no small part by the ransom demands themselves, as the average ransom grew by a whopping 276% (3.75x) to reach $175,000.

The latest data, going up through the last quarter of 2020, showed that this trend continued through most of the year, finally tapering off in the last quarter. A report from Coveware put the average ransom payment at $154,108 for Q4 2020, a significant 34% drop from the previous quarter, but still much higher than figures reported throughout previous year (Coveware’s data, different from NetDiligence, found average ransom to be less than $100,000 at the end of 2019).

It’s too early to say that one quarter redefines a more than two year trend, but it’s an encouraging sign that the average ransom payment may not continue to grow inexorably. In the meantime, the major story remains that the dollar figures we’re dealing with from ransomware operators are in a much different ballpark than they were just a couple of years ago. Corvus regularly sees demands in the 7 figure range, and 8 figure demands are unfortunately not uncommon.

Amid this gold rush of criminal ransom activity, the focus is increasingly on the largest ransoms — the ones really driving up the average, which sometimes reach into seven figures. These are amounts that would have made for the ransomware story of the year just recently. It’s rumored that Foxconn, the electronics giant, received a demand for $34 million in November 2020 — and that’s hardly the only eight-figure demand fueling the rumor mill.

With these figures, fewer of the victims are choosing to pay up, taking the risk of starting from scratch with whatever unencrypted data or backups that managed to avoid attack. In answer, some ransomware groups may start to pull demands back to earth; others however, instead turn to other tactics to leverage their demands, which leads us to the next trend: exfiltration.


You’ll recognize the names from headlines if you follow cybersecurity: Ryuk, Sodinokibi, Maze. These were three of the most active strains of ransomware in 2020, whose operators have successfully stolen data from victims as a way to increase leverage in the ransom negotiation. (Maze later shut down as its operators moved on to using derivatives of the original software).

In some cases, attackers have been able to make money by auctioning off stolen data, even when they were thwarted in their attempt to get a ransom from the victim. Others have gone “back to the well” to get a second ransom by threatening to release sensitive data. A troubling new trend of using this exfiltrated data to contact customers or employees directly is starting to be reported (see next section). Exfiltration was used by roughly half of all ransomware attacks in 2020, according to Coveware.

While first experimented by a handful of ransomware actors, most notably the Maze group, the success of the tactic has led to others taking it up. Emisoft reports that at least 17 ransomware groups were observed using exfiltration (or at least threatening it) by the end of 2020. Nearly 30% of Corvus ransomware claims in 2020 involved a threat of data exfiltration.

Responding to situations where data was exfiltrated has created another layer of complexity in breach response, so, as ever, the selection of experienced teams or coaches in managing response is critical.


Typically a ransom demand is communicated through the screen of a hijacked device — thus the only people who know the specifics of the demand are employees of the victim organization, and then perhaps only select employees. But we are seeing a new trend in the way that threat actors leverage their ransom demands: by going straight to broader groups of employees of the organization or their customers to create an environment of urgency and perhaps even panic among affected groups.

By involving customers, or the employees of the organization, the threat actors hope to effectively recruit an army of individuals afraid of their data being publicized or experiencing fraud to further pressure a victim organization to comply with their demand. Messages sent by attackers even include calls to action, such as: “Call or write to this store and ask to protect your privacy!” The threat actors attempt to paint companies as irresponsible to their customers for not meeting their demands and potentially putting personal data at risk.

This data that enables this kind of tactic is normally sourced from attacks where unencrypted data is exfiltrated (stolen) from a company’s network. That data then becomes a tool extortionists use to broaden the scope of their attack. BleepingComputer reported on ransomware actor “Clop,” who used the tactic of directly emailing customers at a bank, a maternity store, and a manufacturer of jets. In the case of the jet manufacturer, Bombardier, Clop threatened to go to journalists first — but Bombardier had already been public about the hack. That’s when the threat actor decided to escalate the situation, and emailed customers directly.

We’re likely to continue to see a push and pull between attack trends and defenses. As more companies work to mitigate the impacts of ransomware by implementing IT security measures that limit how attackers can move within their systems, attackers are coming up with novel ways to increase leverage with whatever encryption or exfiltration they can accomplish.

Checklist for Becoming Cyber Secure

Mark Bassingthwaighte, Esq.

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, the
nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the
company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.

NOTE: This material is intended as only an example which you may use in developing your own form.  It is not considered legal advice and as always, you will need to do your own research to make your own conclusions with regard to the laws of your jurisdiction.  In no event will ALPS be liable for any direct, indirect, or consequential damages resulting from the use of this material.

Checklist for Becoming Cyber Secure

This checklist is intended to help those who have a desire to become more cyber secure know where to start. It may also be helpful in identifying areas of concern that can and should be discussed with IT support personnel. Most importantly, be aware that cybercrime attack vectors will continue to change and evolve as will the sophistication of the attacks. Becoming cyber secure is an ongoing process, not a once and done effort. That said, here are the basics; and note that when the word “devices” is used, this word is meant to include computers, servers, all mobile devices and any home computers that are being used for work.

____ Cyber criminals often target older devices and software, so keep hardware and software as current as possible because newer devices and applications typically include improved security features. Also note that software which is no longer supported, meaning security updates are no longer issued, cannot ethically be used.

____ Keep your server in a locked room because physical security matters!

____ Install robust Internet security software suites on all devices.

____ Utilize effective intrusion detection systems.

____ Use a spam filter.

____ Disable popups through browser configurations and/or install an ad blocker on all devices.

____ Keep all software on all devices up to date by promptly installing all critical security patches as they are released.

____ Determine where all office data is stored by creating a network diagram and make sure this diagram remains current because it will be useful to digital forensic experts in the event of a security breach.  In addition, this diagram can and should be used to create a security policy that responsibly addresses every situation where any data resides.

____ Identify all laws and regulations which may apply to your data in order to make sure you are in compliance with these laws and regulations. For example, does your firm hold data which is governed by HIPAA, HITECH or Sarbanes Oxley? Do you hold personally identifiable information?

____ Password protect all devices.

____ Use two-factor authentication when and wherever possible. This is particularly important with all banking and financial sites.

____ Develop a password policy that mandates the use of strong passwords (or passphrases) if the device or application will accept them.  Strong passwords are defined as being 16 characters or more in length using a combination of uppercase and lowercase letters, numbers, and special characters.  Note: Every application and device in use should have its own unique password and no password should ever be reused once changed.  The use of a password manager can make this task easier and more secure than, for example, storing passwords in a file labeled “passwords” or writing them down and placing that list in a desk drawer.

____ Prohibit the sharing of user IDs and passwords with anyone, to include others within the firm.

____ Have your IT support person change the default values, for example default passwords, on all wireless routers, server operating systems, etc. because these values are freely available on the Internet.

____ Wireless networks should be set up with proper security to include enabling strong encryption. This means you must disable WEP and WPA encryption and require WPA2 encryption. If the router supports WPA3 encryption, use it. Do not overlook home networks if home computers are being used for work.

____ In order to prevent access to your firm’s confidential data, setup a properly configured wireless guest network.  No guest should ever have direct wireless access to your firm’s network.

____ Backup all data, periodically do a test restore of the backup, and store the backup in accordance with a disaster recovery plan because floods, fires and ransomware attacks happen. Backups must be encrypted if taken off site or stored in the cloud, and if using a cloud vendor, the vendor should not have access to the decryption key.

____ Any mobile device that goes off site and contains any client confidences must be password protected, should have the ability to be remotely wiped if lost or stolen, and should be encrypted. This includes jump drives, external hard drives, laptops, smart phones, and tablets.

____ Limit privileges and access as appropriate. For example, does everyone in the office need access to the firm’s financial or employment records? Can everyone download and install anything they want on any device they have access to? Can everyone make changes to the system configuration? Don’t make it easy for cybercriminals. Place limits on what people can do. Such limits can either be set up electronically via file permissions or physically via a locked door or cabinet.

____ Encrypt any email if it contains confidential information or use a secure client portal.  Check with your IT support for help with proper installation and configuration of your selected solution.

____ Encrypt all data you place in the cloud. Some cloud companies advertise that they encrypt your data but only do so while the data is in transit. You must make certain your data is encrypted “at rest” as well. Better yet, don’t rely on the cloud provider for this at all. Encrypt your data before placing it in the cloud to enable you to have control over the encryption key.

____ Read the terms of service of any third-party vendor that will hold your confidential data.  Remember, the standard of reasonableness applies. At a minimum, you need to know and understand what happens to your data while in the hands of an outside vendor in order to allow you to responsibly address any concerns.

____ Mandate that all work-related Internet sessions be encrypted and prohibit the use of unsecured open public Wi-Fi networks. This does mean that access to the office network must always occur using a VPN, MiFi, smartphone hotspot or some other type of encrypted connection.

____ Prohibit the use of any public computer for any reason. This would include the use of computer stations made available in the business center of a resort or hotel just as one example.

____ Have a policy that prohibits the jailbreaking of any mobile device that will be used for work. Jailbreaking is defined as modifying the operating system from its original state.

____ Never allow a non-employee to have access to your network absent appropriate oversight. In a similar vein, immediately cut off all avenues of access to the network for anyone who has been terminated. Terminated individuals should never have access to any office computer or network plug, even if it’s to simply download personal files, absent a trusted escort.

____ Provide mandatory data security and social engineering awareness training to everyone at the office at least every six months.

____ Develop a cyberbreach incidence response plan and provide the necessary training. At its most basic, if anyone suspects a device has been breached, teach them how to immediately disconnect from the Internet and/or the office network and instruct them to contact IT support immediately. They should never try to resolve the problem themselves!

____ Purchase a cyber liability insurance policy.

____ Check your internal and Internet-facing network security at least annually to make sure your network is secure. This can be done by having a vulnerability assessment or penetration test done.

____ Properly dispose of any device or digital media that has or had any business-related data on it. Don’t overlook digital copiers, digital cameras, memory cards, CDs, DVDs, jump drives, backup tapes, etc. All devices and media must be digitally wiped clean and/or physically destroyed. This does mean that devices cannot be given away for personal use, donated, recycled, or sold unless the entire drives have been overwritten.  Note: a restore to factory default settings is not an acceptable alternative to wiping a drive.

Quantifying Economic Losses from Cyber Events

Ephraim Stulberg, CPA, CA, CBV, CFF is a partner in the Toronto office of MDD Forensic Accountants. He specialises in the areas of business valuation, economic loss quantification and investigative accounting, and has worked on numerous matters involving first-party and third-party insurance claims, including business interruption, network interruption, fidelity, reps and warranties, D&O and general liability coverage.. He has provided expert evidence in court and at arbitration, and has worked on matters across Canada, as well as the United States, Europe, South America, the Middle East and Asia. He can be reached at estulberg@mdd.com


Yvonne Kitkarska, CPA, CBV manages the Montreal office of MDD Forensic Accountants and is fluent in both French and English. She has completed numerous assignments involving first-party and third-party insurance coverage. Yvonne is one of the leaders of MDD’s cyber insurance practice, and has completed numerous engagements related to lost profits resulting from cyber incidents. Yvonne has prepared and delivered seminars to various audiences dealing with the quantification of lost profits and business interruption insurance. She has worked on matters across Canada, as well as the United States, Europe and South America. She can be reached at ykitkarska@mdd.com.


Next to “you’re on mute”, perhaps one of the most common phrases of this past year has been “don’t click on that link”!

The risk of suffering a severe financial loss due to a cyber event has never been greater. According to Allianz’s Risk Barometer, it was the top risk facing businesses; not long ago, it barely registered in the survey (1).

The cost of a cyber-attack can be absolutely paralyzing for a business. In fact, Cybersecurity Ventures predicts cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 (2). The costs to businesses can include direct out-of-pocket costs (such as damage and restoration of data, ransom payments, stolen money), post-attack disruption to the normal course of business, lost productivity, theft of intellectual property, theft of personal and financial data, as well as indirect costs such as reputational harm and potentially even lawsuits for data leaks involving sensitive information.

In response to this reality, more and more insurers have begun offering cyber coverage to businesses to help them protect themselves against this very important risk. Specialty insurance coverage for cyber risks is still relatively new and continually evolving. Cyber insurance often covers ransom payments, breach response and data recovery costs, liability to third parties, as well as business interruption (BI) and additional expenses.

As forensic accountants specializing in quantifying business interruption and lost profits, we have seen a large explosion in the number of cyber losses in our caseload in the past couple of years. The purpose of this article is to summarize some of our experiences, and in particular to answer the following question: How are BI losses under cyber policies different than those that have been around for decades in property policies?

Based on experience handling dozens of these losses in recent years, here are a few key factors that make quantifying losses due to cyber-attack different from other types of BI losses:

1. Variety of Impacts on Business
IT systems are so pervasive that a cyber-attack can have a seemingly infinite range of impacts on a business. We have seen impacts to online ordering, impacts to client records, impacts to inventory records, and impacts to automated manufacturing machinery.

Each of these IT problems will impact the financial results of a business in different ways. Some of these issues will lead to a loss of revenue; others will lead to an increase in operating costs; still others may not have any discernible impact on either revenues or costs, and will only create idle employee time.

What becomes particularly important in a cyber loss is understanding the cause and effect relationship between the incident and the financial impact. In a physical damage scenario, the impact is usually obvious: for example, a fire has caused a retailer to close down for a period of time affecting its ability to make sales. However, if that same retailer is the victim of a cyber incident, it does not necessarily mean they will have to close down. The retailer may be unable to access inventory records or accept automated payments while its systems are down, but it may still be able continue to sell products in the store and either accept cash or take down clients’ payment information for later processing. Revenues may be affected, but not to the same extent as if the store was completely closed down.

2. Types of Businesses Impacted
This exponential growth in cyber threats is partly as a result of a shift from a “brick-and-mortar” type of economy to a digital economy. Entities’ increasing reliance on their IT systems, as well as the emergence of more sophisticated and organized hackers, have resulted in more and more cyber-attacks.

No company is safe – attackers target large multinationals such as Marriott Hotels (3) and Equifax (4), as well as small- to medium-sized enterprises (SMEs). In some ways, SMEs are more vulnerable to cyber-attacks as they often do not have robust IT security policies and technology.

Cyber-attacks can impact a wide range of businesses, and the variety of businesses for which we have reviewed cyber losses is much broader than the types of business that suffer losses due to physical damage: examples include government bodies, not-for-profits, and professional services firms.

Consider an accounting firm. In the case of a physical damage to their offices, the business can normally continue to operate with minimal disruption and avoid or minimize business interruption losses by having employees work remotely or at another location. As the Covid-19 pandemic has shown, many professional services firms can be easily set up to work remotely. However, if the same firm loses access to its servers (e-mail, file storage servers, VPN connection), this can have a crippling effect on its ability to operate, and there may be losses of revenue, labour inefficiencies, or both.

3. Data Issues
The types of data we analyze with cyber losses can pose unique opportunities, as well as some pitfalls.

Take for example a retailer. Unlike brick-and-mortar retailers which record revenue when the customer makes a purchase, online retailers often have a lag of several days between a sales order being received and the recording of revenue (which typically does not occur until shipment). Looking solely at revenue based on shipments when analyzing losses for an online retailer may therefore yield misleading results, especially when the affected loss period is only a few days (which can often be the case with cyber losses). A more useful metric might be website traffic or revenue by order date, data that online retailers have readily available unlike their brick-and-mortar counterparts.

4. Scope of Losses
A business interruption resulting from a cyber incident is often shorter in duration than a business interruption resulting from physical damage. While in a physical damage scenario, the property needs to be rebuilt or replaced which may take some time, digital data loss can often be restored using recent back-ups. In a ransomware scenario, an expert in cyber-attacks may even advise the insured to pay the ransom and gain access to its servers right away in order to avoid or minimize any interruption to operations.

Most businesses have some form of disaster recovery protocols and back up their digital information frequently. A company’s ability to restore digital damage from back-ups often depends on how sophisticated their IT systems are and how recent the last back-up was. In some cases, it can take a few days (if back-ups are done frequently) while in other cases, it can take months (if the back-up servers were in some ways affected by the attack or if the back-ups are infrequent).

In some cases, restoring the servers does not necessarily mean that the business is no longer impacted. This is an important issue, as cyber policies normally limit the indemnity period to when the systems are restored. This may result in uninsured losses for insureds in some industries. Consider a hotel whose ability to make reservations was impacted due to a cyber incident for a period of a few weeks. Many people making hotel reservations tend to do so weeks or months before their anticipated stay. As revenues are usually only recorded once the guests have completed their stay, the inability for the hotel to make reservations does not impact its revenues until much later in time, long after the systems are restored and its maximum indemnity period has been exhausted.

Finally, while cyber business interruption losses can often take place over shorter timespans, these losses can be more extensive in geographic scope. Physical damage is unlikely to impact more than one or two locations of a business at a time, whereas a cyber-attack can cripple an entire network.

5. Insurance Policy Issues
The wording of cyber policies can be quite different than that of standard property business interruption policies. This sometimes creates confusion for insured parties. Some notable differences include:

a) The definition of “loss”
Typically, business interruption coverage that forms part of a property insurance policy will begin the calculation with the reduction in a business’s revenue, which is then adjusted to consider saved variable and fixed costs. By contrast, many cyber policies refer directly to continuing expenses, without referring to revenue losses.

b) Indemnity period.
For most businesses, a network interruption is often much shorter than a property-related interruption. As such, while property policies often have a 12 month maximum indemnity period, cyber BI coverage is often limited to 2, 3 or 4 months. Although this is usually sufficient to cover the period needed to restore the network, it may not be long enough to capture the full impact on the insured’s business, especially for businesses whose revenue recognition timing is a bit different, such as the hotel example above.

c) Waiting period
The impact of a waiting period deductible tends to be much more important in a cyber loss as the loss period tends to be shorter; therefore the losses incurred during the waiting period are more pervasive.

In conclusion, cyber-attacks are becoming more and more prevalent and prominent, and businesses are wise to protect themselves against this very real and potentially extremely damaging risk. Insurers are responding to this demand by underwriting more and more cyber policies. As a relatively new insurance product, many insurers have seen claims increase exponentially over the last few years. The number and magnitude of claims are only expected to grow with the impact of the Covid-19 pandemic on businesses who now rely more than ever on their IT systems to remain connected and continue operating (5).

This article has attempted to outline some of the particularities in quantifying cyber business interruption losses compared to standard property damage losses. As hackers continue to develop their craft, we can only imagine how this field will evolve over time.

Until then – don’t click on that link!

1 https://www.agcs.allianz.com/news-and-insights/reports/cyber-risk-trends-2020.html2 https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
3 https://www.bbc.com/news/technology-54748843
4 https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
5 https://www.forbes.com/sites/theyec/2021/01/19/the-next-five-years-cyber-insurance-predictions-through-2025/?sh=7cfaf1a163fa