Businesses and government bodies have been terrorised by a spate of ransomware attacks in the last 18 months, with many victims choosing to pay the ransom. As a result, a growing number of organisations have chosen to mitigate the risk of ransomware by taking out insurance, so they have the funds available to pay the ransom should they fall prey to an attack. Not only has this practice been criticised as incentivising organised crime, it may also increase the likelihood that an organisation is attacked, according to comments attributed to a ransomware group member earlier this year.
What is ransomware insurance?
Insurance against cyberattacks is a growing industry. A study published last month by the US Government Accountability Office cited data from insurance provider Marsh McLennan, saying that 47% of its clients had cybersecurity coverage last year, up from 26% in 2016.
Cyber insurance as a whole has its critics. Bharat Mistry, technical director at security company Trend Micro, describes it as an ‘easy cop-out’. “What I mean by that is, rather than spend the time, money and effort in shoring up cyber defences, a company can go to ‘good enough’, and then just get cyber insurance on top to give that extra sticking plaster, so that if something does occur they can default back on that cyber insurance policy.”
But ransomware insurance has proved especially controversial. In an interview with The Guardian earlier this year, former head of the UK’s National Cyber Security Centre (NCSC) Ciaran Martin said that insurers providing this service are effectively funding organised crime. “You have to look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry,” Martin said.
Last month, insurance giant AXA announced that it will no longer offer insurance for ransomware attacks in France, after French officials shared their concerns about the practice. “The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay,” a prosecutor had said at a hearing. (AXA was itself struck by a ransomware attack a week later.)
The Association of British Insurers has defended ransomware insurance following Martin’s remarks, saying that while insurance was no substitute for effective cybersecurity, it can protect affected businesses from financial ruin.
Back in 2019, Marsh McLennan also rebuffed criticism of the practice. “Ransomware victims are rarely ‘targeted’,” it said at the time. “More often, attackers target a specific but widespread vulnerability that will distribute ransomware to the maximum number of potential victims.
“Insurance hardly creates an incentive for extortionists. Ransomware demands usually top out at five figures and, for many businesses, that cost is a nuisance.”
Since 2019, however, the practice of ransomware has evolved. Recent research shows it is becoming more targeted and resulting in higher ransoms. And there is now evidence that ransomware groups specifically target organisations that have insurance.
Does ransomware insurance increase cyber risk?
In March, cybersecurity intelligence provider Recorded Future published an interview with a purported member of REvil, one of the most prominent ransomware groups. When asked whether the group targets insured companies, the individual replied: “Yes, this is one of the tastiest morsels. Especially to hack the insurers first – to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
An insured company is viewed as an easy target, explains Jason Hill, head of research at security company CyberInt. “Big-game hunter ransomware groups will likely see insured victims as a quick win, allowing prompt ransom payment with the minimum of fuss,” Hill says. “An uninsured victim will require some level of encouragement to pay, such as the double extortion tactic, which increases the workload for the ransomware group and could still end in non-payment.”
Attackers also use cyber insurance policies to determine how much ransom to demand, says Jamie Hart, cyberthreat intelligence analyst at security company Digital Shadows. “It’s likely that these threat actors, when they’re negotiating a ransom payment, aren’t going to negotiate much lower than what the coverage actually is,” he adds. “They’ve been in the [victim’s] network, they’ve seen it, and they’re going to argue that [the victim] has coverage and they can afford to pay.”
Should ransomware insurance be banned?
Perhaps in response to these criticisms, some insurance providers are demanding that clients have certain measures in place, such as back-ups, data segmentation and multi-factor authentication, before selling policies that cover ransomware. But Mistry argues that this is not enough to substantially reduce the risk of ransomware attacks, and that insurers should mandate penetration testing before covering their clients against them.
“Before you take out an insurance policy, if you get a red team or pen test assessment of your environment done, you know exactly what your exposure looks like. None of that is being mandated at the moment,” he says. Mistry is hopeful that this next step is on the horizon, however. “I think insurance companies will go down that route.”
It would be more impactful if the insurance industry were to follow AXA’s lead and withdraw ransomware insurance altogether, argues Stefano De Blasi, threat researcher at security company Digital Shadows. “Without the assurance of having the ransom cost reimbursed, many companies may decide to invest in robust back-up plans and strengthen their defences rather than paying exorbitant ransoms to cybercriminals.
“Additionally, ransomware operators may lower their [ransom] requests to increase the chances of companies paying out from their pockets and ensuring a steady revenue stream to finance further criminal operations,” he adds.
So far, there has been little indication that policymakers support the idea of an outright ban on paying ransoms or insuring against them. Peter Yapp, former deputy director of the NCSC and now a partner at law firm Schillings, has argued that such bans are unlikely to work.
“I know from the crisis management work we do in the kidnap, ransom and extortion arena that when people rather than data are involved, this does not work in practice,” he wrote in a guest article for the Society for Computers and Law. “Total bans and non-concession policies have not worked in the past, and have not attracted countries to sign up.”
For the time being, then, it is up to insurance providers and their customers to ensure that mitigating the ransomware risk of individual organisations does not increase the collective risk.