There’s no compelling evidence that victims holding cyberinsurance are much more likely to pay a ransom than companies without insurance, according to a new study by the Royal United Services Institute (RUSI) in the UK.
Released July 31, the RUSI study debunks the prevailing conventional wisdom that the cyber insurance industry has driven up the rate of ransomware incidents by covering ransom payments for businesses that hold insurance. The new report contends that cyber insurance’s influence on victim decision-making has been more nuanced: while there’s evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations to set higher ransom demands, the conclusion that ransomware operators are deliberately targeting organizations with insurance has been overstated.
“Cyber insurance is not fueling the ransomware epidemic by encouraging victims to pay ransoms, but it’s also not instilling ransom discipline in insureds across the market,” concludes the 84-page RUSI report. “This reflects a lack of collective action on ransomware response and a failure to share best practices more widely. However, there’s growing evidence that insurance is playing a more positive role in raising minimum cyber security standards, particularly among SMEs.”
Industry experts contacted by SC Media tend to agree with the views expressed in the RUSI report.
Kurtis Minder, founder and CEO at GroupSense, who is also a ransomware negotiator, said that the idea that cyber insurance has made the ransomware problem worse is simply not true, especially since companies can prevent many of these attacks with better cyber hygiene.
“My observation is that the prevalence of cyber insurance has helped with prevention measures in the industry,” said Minder. “Insurers require more stringent controls and are validating them. I don’t think the insurers are driving up ransom behavior.”
The narrative that cyber insurance providers are the catalyst of ransomware is a dangerous oversimplification of the facts, said Manu Singh, vice president of risk engineering at Cowbell. Singh said most cyber insurers offer risk management resources and access to industry-leading security professionals and vendors to strengthen an organization’s cybersecurity posture, with the goal of reducing the likelihood that the organization will need to pay a ransom.
“The cyber insurance industry has certainly evolved throughout the years from a risk-transfer option to now driving the cybersecurity change that’s needed for organizations to decrease both the frequency and severity of ransomware and data exfiltration incidents, including ransom payment as well,” said Singh.
Emily Phelps, director at Cyware, said with the increase in the size and frequency of ransomware attacks, organizations must examine their resiliency, and cyber insurance providers must rethink their operational model. Phelps said the better prepared organizations are to maintain business continuity in case of an attack, the less likely they’ll feel compelled to pay attackers the ransom.
“Cyber insurance companies can become a valuable partner as they increase focus on payment alternatives to protect organizations from negative impacts,” said Phelps. “Since cyber insurance isn’t necessarily a major factor in determining if an organization pays the ransom in the event of an attack, it indicates companies are concerned with resiliency and continuity and feel obligated to pay the attackers to move forward. Fundamentally, we want to ensure that companies, insured or not, have the ability to safeguard their business in case of an attack, whether or not they pay the ransom.”
According to RUSI, the paper does not advocate for an outright ban on ransom payments or for stopping insurers from providing coverage for them. Instead, it makes the case for interventions that would improve market-wide ransom discipline so that fewer victims pay ransoms, or pay lower demands.
RUSI recommendations on dealing with ransomware
First, to increase oversight of ransomware response, insurers should use policy language to require that insureds and incident response firms provide written evidence of negotiation strategies and outcomes. And second, as a way to develop and drive ransomware response best practices, insurers should select for their panels specialist ransomware response companies that meet a set of predefined minimum requirements. These should include the following:
- A proven track record both of regularly achieving outcomes that do not result in ransom payments and of operational relationships with law enforcement and cybersecurity agencies.
- Conduct sanctions risk assessments.
- Comply with anti-money-laundering laws and Financial Action Task Force (FATF) standards.
- Ensure payment firms that make payments on behalf of UK victims are registered with relevant financial authorities in the UK (this could apply to the US and other nations as applicable).