Cyber ransoms: To pay or not shouldn't be the question

Ransomware poses a serious threat to global business, and criminals are ditching ID theft and social engineering and moving to extortion.

Cybercriminals have found that holding data hostage is far more lucrative than selling personally identifiable information over the internet. (Photo: Jaruwan Jaiyangyuen/Shutterstock)

The sudden rise of ransomware attacks over the last 18 months has led to a resurgence of criticism in the media aimed at the cyber insurance market, accusing insurers in this space of funding cybercrime and calling on governments to make their reimbursement of ransom payments illegal. What this criticism has in common is an underlying allegation that this move would not be supported by the insurance industry — that somehow it would fundamentally destroy the value proposition of the product and service cyber insurers provide, and we would prefer this crime continue to develop “because it’s good for business.”

I can’t claim to speak on behalf of the insurance industry, but having been involved in cyber insurance for almost 20 years now, I can say with some certainty that this is not how the industry thinks. In fact, I’d make a fairly large wager that most (if not all) of my peers would happily support a bill to make the reimbursement of ransoms illegal, if — and only if — that would solve the problem. Unfortunately, I don’t think it would.

Would insurers pay?

Let’s leave aside for one minute the practicality of enacting — and enforcing — such a law; it feels that targeting insurers as the source of the problem is fundamentally misguided. Less than 15% of global businesses purchase this kind of insurance, so to suggest that eliminating part of it would fix what is now a global issue would be to ignore the other 85% of businesses that face the same problem without insurance.

There is no evidence to suggest that businesses that purchase cyber insurance are more inclined to pay a ransom demand than those without; in fact, in my experience, it is quite the opposite. Armed with insurance, a company can avail itself of the appropriate experts to guide it through the issue and support it through the recovery process. In the absence of this, most small businesses assume they have no option but to pay.

Furthermore, to suggest that there are no laws in place already to prevent payments is fundamentally wrong. The U.S. government has rightly reminded the industry of global sanctions laws, which make it illegal to facilitate payments to entities on the OFAC SDN list (and foreign equivalents). We are steadily seeing more entities related to cybercrime being added to these lists, and with insurers being regulated entities and most having U.S. assets, this is already a powerful incentive to seek alternatives to paying ransoms.

Addressing the ransomware threat

There is no doubt that ransomware poses a serious threat to global business. Increasingly emboldened criminals are ditching their old tactics of ID theft and social engineering and moving to the more lucrative business of extortion. Furthermore, the economic damage caused by ransomware is often many multiples of the billions the criminals are stealing, making this the worst form of financial crime. It is a problem that needs to be stopped.

But there are many reasons why this crime continues to develop.

One is that cryptocurrencies make it possible to launder billions of dollars with little fear of being caught. More must be done to clamp down on the exchanges that wittingly or unwittingly facilitate this crime.

Another is that the media continues to demonize businesses that fall victim to this crime, making them fear the accompanying negative publicity, which in turn fuels the desire to pay rather than be “outed”. We must recognize that this is a crime and the only party that ought to be shamed is the perpetrator.

The recent tough privacy regulations being enacted across the world are another reason this crime is growing. The accompanying fines and potential route to statutory damages are making it even more lucrative for criminals to steal. Businesses now fear the financial consequences of their data being leaked, making the threat of leaking it one of the most common tactics in the evolving crime of extortion. We must stop seeking to punish the victims and instead focus on preventing the crime.

Cyber insurance has a critical role to play in tackling ransomware. There are already close connections between the industry and global law enforcement, with threat intelligence being shared and data being gathered. By following carefully structured paths and involving the right professionals, we can ensure that payments are only made when absolutely necessary and that law enforcement are kept informed so they can use the intelligence gathered to track and ultimately catch the perpetrators.

As an industry, we are committed to doing all we can to ultimately eradicate this vile by-product of the digital age. And with almost $1 trillion in policy limits exposed, I don’t think there is any other part of the economy that has a stronger motivation to make it happen!

Graeme Newman is chief innovation officer at CFC, an early pioneer of cyber insurance in the Lloyd’s market. He is at the forefront of the rapidly developing cyber insurance market, leading CFC’s development of new insurance products in this area, as well as their cyber underwriting and claims approach and the innovation of tech solutions. He can be reached at gnewman@cfcunderwriting.com. Opinions shared are those of the author.
