A disparity in how some big insurance cases are handled can muddy the takeaways for CISOs gauging their own insurance needs.

In May 2024, news broke that Ascension, a St. Louis-based nonprofit healthcare system, had been hit by a ransomware attack that interrupted access to electronic health records, disrupted other medical systems, and forced the diversion of ambulances to alternative hospitals across several states. Neither the victim nor the government has attributed the attack, but CNN reported that the Black Basta cybercriminal group was responsible. As with the recent Change Healthcare breach, the Ascension attack marked yet another notch in the accelerating cadence of major cybercrime incidents affecting American industry.

Security teams are now asking, as they should, what lessons need to be learned: in particular, which assumptions are safe to bring into forward-looking risk modeling and which are not.

Most often, this question is asked and answered through analysis of the technical and institutional details of an incident. How did the architecture of the victim's IT systems shape the scope of the eventual compromise? How far were analog fallbacks able to mitigate access problems for patients and customers? Those who are geopolitically minded focus on the threat actor: does this attack signal a shift in Black Basta's strategic focus, or in the techniques it deploys?

CISOs need to learn the right lessons from major incidents

But there is another angle worth considering. Ransomware attacks on dispersed networks such as those of Ascension and Change Healthcare highlight the important role that insurers and insurance policy terms play in defining cyber risk. The cyber insurance market continues to face serious growing pains.
At the same time, insurer products and response decisions have rapidly normalized expectations around incident response for some kinds of victims in ways that may not mitigate risk for all. In other words, the posture of rapid payment, and even of quick collaboration with federal law enforcement, that insurance conditions incentivize may not work for the average company. At the very least, differences in cyber insurance provisos make it hard for industry to settle on common standards of approach. CISOs and other security professionals not only need to think harder about these effects; they would also do well to take an active role in standardizing cyber insurance practice, which would make it easier to learn the right lessons from major incidents.

The rapid growth and disruptive influence of cyber insurance

Cybersecurity is a core area of homeland security, and professionals in that arena are perhaps more familiar than most with the risk dynamics of the insurance business. But the insurance industry has, perhaps surprisingly, only relatively recently grown to a size at which it substantially shapes risk management for cyber teams and those they answer to. Prior to the mid-2010s, cyber risk was often conceived of quite narrowly in private industry: either as a question of systems malfunction and IT error, or as a specialized threat to companies holding distinct data, such as the payment card information held by retailers. The 2010s saw global cyber threats to non-state targets become so pervasive that major insurers developed new policy instruments for coping with digital insecurity. Several events contributed to this, not least incidents like NotPetya and regulatory developments like the passage of the European Union's GDPR, with the result that cyber insurance premiums have grown almost 25-fold since 2015.
One size doesn't fit all: the insurance view of cyber risk

Most major attacks on healthcare network systems in recent years have featured a payout, the verified $22 million Bitcoin payment made by Change Healthcare's parent company UnitedHealth Group (UHG) being among the most recent examples. More significantly, rapid payment is logical from the perspective that most shapes the victim's risk outlook during a crisis: that of the insurer.

If risk is uncertainty that one can put a price on, then insurance companies rely on data about threat behavior and loss potential to construct a workable view of probability across risk categories. Car accidents, for example, are straightforward to model statistically, given decades of data from across the developed world. Cyber risk, by contrast, is less straightforward and suffers from a relative shortage of comparable examples. Past insurance models do not necessarily apply to cyber threats; among other things, insurers perpetually worry about the "everywhere all at once" scenario, the correlated loss you do not get with car accidents or localized natural hazards. A single cyber incident (a compromised shared vendor or a widely exploited vulnerability, for instance) can hit many policyholders simultaneously, and it can combine several categories of loss at once, with data exposure, loss of system access, and business interruption overlapping. The pairing of ransomware encryption with extortion over stolen data seen in the Change Healthcare incident is a limited example of this.

What's criminal and what's political can change insurance outcomes

Another concern for insurers is the line between criminal and political (or warlike) threats to their clients. The NotPetya attack of 2017, a destructive wiper dressed up as ransomware, is an example not only of cybersecurity's significance for modern society but also of the limits of insurer willingness to cover expansive digital hazards.
The snack company Mondelez International famously entered litigation with its insurer, Zurich American Insurance, over Zurich's unwillingness to cover losses in excess of $188 million. Zurich denied Mondelez's claim because, in its view, NotPetya fell within the policy's exclusion for "hostile or warlike" acts. This line in the sand was significant for Zurich and for insurers broadly because of the fear of being liable for an incident whose scope extended beyond pre-assessed clients to their partners, contractors, customers, and even the communities they operated within.

How does this relate to Ascension's crisis? Simply put, healthcare network systems are well-defined attack surfaces around which initial insurer standard practice in the United States has coalesced. Yes, they have dispersed infrastructures, but hospitals and broader healthcare facility networks are also bound by regulatory requirements that constitute cohesive boundaries for risk management, particularly when it comes to existing standards of documentation for quantifying the loss of operational capacity. Moreover, the heightened threat profile of healthcare victims, which are well-resourced, highly sensitive to IT disruption, and subject to strict data security regulation, gives insurers an incentive to be proactive and to try to set market expectations about outcomes, for both private and public sector decision-makers, that might be damaging to the bottom line elsewhere. Unfortunately, this singular character of cyber risk for healthcare providers and other critical infrastructure conglomerates connects with a narrower definition of risk than applies to most actors in the US economy.

The unique situation of some industries limits lessons learned

As research suggests, simple cost-benefit conditions incentivize victims to pay immediately unless perfect mitigation through backups is possible, so long as the ransom is priced to match the victim's budget.
Any delay incurs unnecessary costs for victims, their clients, and, cumulatively, the insurer. The result is the rapid payment posture described above.

The singular character of cyber risk for these companies also limits the lessons that the average CISO, working to safeguard an organization somewhere in the vast majority of America's private enterprise, can draw from them. In a broad sense, the exceptional relationship between insurers and these operators of critical infrastructure highlights key questions about operational risk that can only be answered case by case. For the most likely threat profiles facing your firm, how likely is it that you would be hit as one among many victims? To what degree is your firm a target for political value rather than conventional financial gain?

The details of Ascension's recovery will naturally provide some data on best practices. Restoring encrypted systems across a diverse server estate can take weeks, but recovery can be sped along by pairing decryption or restoration with an examination of the existing servers for lingering weaknesses and attacker persistence, so that rebuilt systems are not immediately compromised again. The better focus for CISOs in the near term, though, might be to think more clearly about how to standardize conceptions of insurable risk across the landscape of American industry. Otherwise, the lessons to be learned from major events like this will remain limited.

How CISOs can act to standardize understanding of risk

CISOs and the decision-makers they answer to can act immediately to improve their organization's risk management by addressing insurers directly, with the goal of collective agreement on the fundamentals of American national cybersecurity in mind.

First, security professionals, working with legal staff, would do well to reject policy provisos that are unique to their company's context and to demand that insurers be clear and detailed about what qualifies for coverage without further contextualization.
Common terminology for rigidly designating covered events can only benefit industry cybersecurity writ large and push insurers away from narrow policy regimes for the most prominent targets that mislead the rest.

Second, in order to comply better with insurance stipulations and to understand the likelihood of future claims being covered, CISOs should work to obtain the underlying risk data from insurers. Doing so would narrow the gap between the risk expectations of the insured and the outcomes eventually dictated by the insurer. Government agencies are natural partners for such a demand, since non-standard risk assurance postures and rapid-payout norms that weaken deterrence by rewarding criminal action harm national security.

Third, CISOs across the board should support firmer discussions with the federal government about stricter and even punitive rules limiting the payment of criminal ransoms. Limiting payouts would remove the incentive for consistent high-tempo strikes on major infrastructure providers, which the federal government could compensate for in the near term by better resourcing Sector Risk Management Agencies and beginning to resolve the abnormal dynamics of the insurer-critical infrastructure relationship.

Finally, in addition to the ever-relevant steps of improving information sharing with industry peers and taking up the resources offered by federal partners, CISOs should show interest in insurance products that provide cluster coverage to a loose affiliation of organizations with similar characteristics, something like a homeowners' association (HOA) for industry. Such coverage would go some way toward easing insurer concerns about complex cyber threat conditions that produce runaway liability, and it could be layered on top of more conventional coverage.
Perhaps most importantly, aligning our formal delineation of risk more closely with the reality of digital risk in the third decade of the 21st century will, as with these other recommendations, dramatically improve the ability of the CISO to look at something like the recent Ascension hack and separate clear, actionable takeaways from irrelevant detail.