Cyber Insurance - Making The Ransomware Crisis Worse

Uploaded on 2021-07-08 in FREE TO VIEW, BUSINESS-Services-Financial

Governments and businesses are struggling to cope with the scale and complexity of managing cyber risk. Over the last year, remote working, rapid digitalisation and the need for increased connectivity have emphasised the cyber security challenge. Today, ransomware is one of the biggest cyber security issues facing all organisations, but as claims mount and cyber insurers look at the coverage they are offering, changes are needed.

Allowing organisations to claim back ransom payments could be making the problem of ransomware worse, whereas cyber insurance could be more effectively  used to help improve security by encouraging policy holders to improve their security practices, says a research paper from the RUSI think tank.  

Cyber insurance is designed to protect organisations against the fallout of cyber attacks, including covering the financial costs of dealing with incidents. But insurance encourages ransomware victims to simply pay the ransom demand which will then be covered by the insurers, rather than have adequate security to deter hackers in the first place. It isn't illegal to pay cyber criminals a ransom demand but law enforcement agencies warn that doing so will give the gangs funds to launch more attacks.

'Cyber Insurance and the Cyber Challenge' is a report by RUSI that reviews cyber insurance and the cyber security challenge, which warns ransomware has become an existential threat for some insurers. "To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organisations' cyber security practices," RUSI said. It also offers a warning. "Cyber insurers may be unintentionally facilitating the behaviour of cyber criminals by contributing to the growth of targeted ransomware operations."

Refusing to pay the ransom can lead to months of downtime and the huge costs for organisations that attempt to restore their network from scratch, and according to RUSI, some ransomware victims and their insurers will pay the ransom because they see it as the lowest cost option for restoring networks. "There are widespread concerns that insurers are fueling ransomware attacks by paying ransom demands. Paying ransoms is not currently illegal, and it is often cheaper to pay off extortionists than it is to rebuild IT infrastructure or cover losses from business interruption," says the paper. It goes on, “Although it is a societal problem, cyber insurers have received considerable criticism for facilitating ransom payments to cyber criminals...  These add fuel to the fire by incentivising cyber criminals' engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities. Growing losses from ransomware attacks have also emphasised that the current reality is not sustainable for insurers either.” 

Some ransomware gangs are even actively seeking to target victims with cyber security policies, because they believe that's the best way to guarantee they'll make money from encryption campaigns. 

However, according to the RUSI report, cyber insurance can actually play a role in actively disrupting the ransomware business model, by encouraging policy holders to improve their defences in order to do as much as possible to prevent them from falling victim to a ransomware attack in the first place. The paper suggests that insurance should require 'minimum ransomware controls' as part of any ransomware coverage.

In the event of falling victim to a ransomware attack, paying the ransom would be an absolute last resort, rather than being signed off as the simplest thing to do.

It would also reduce risks for the cyber insurance industry going forward, reducing the need for insurance firms to support pay outs of millions for decryption keys following a ransomware attack. "The impact of ransomware on the cyber insurance industry emphasises the need to address some of these issues and questions sooner rather than later. As some insurers risk being overwhelmed by losses, the industry and governments need to react quickly to ensure adequate protection and coverage for businesses," the researchers said.

Right now, the availability of cyber insurance doesn't seem to be helping improve cyber security. "Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise," the report said, adding that "Most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cyber security practices of policyholders."

Although a well-functioning cyber insurance industry could improve cyber security practices  it is not a silver bullet for the cyber security challenge. It is important to remember that the primary purpose of cyber insurance is not to improve cyber security, but to transfer residual risk. It should be one of many tools that governments and businesses can draw on to manage cyber risk more effectively, not the only one.

As ransomware and cyber crime in general have increasingly become a national security threat, including direct threats to life as in the case of attacks against hospitals, it’s clear that government action is required. 

RUSI:       Reuters:    MIT:    IT Security News:      Malware.News:       ZDNet: 

You Might Also Read: 

In The Age of Risk, Cyber Security Is The Leading Concern:

 

« SANS & AWS Marketplace Webinar: (Re)Defining XDR In AWS
EU Says That UK Data Protection Rules Are ‘Adequate’ »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

UK Cyber Week Expo & Conference

UK Cyber Week Expo & Conference

Award-winning event organiser ROAR B2B announces the launch of UK Cyber Week and its inaugural event on 4 and 5 April 2023 at the Business Design Centre, London.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Magnet Forensics

Magnet Forensics

Magnet Forensics' family of digital forensics products are used globally by thousands of law enforcement, military, government and corporate customers.

Information Technology Association of Canada (ITAC)

Information Technology Association of Canada (ITAC)

ITAC is the voice of the Canadian ICT industry and are dedicated to making Canada a world class, cutting-edge digital society.

Fieldfisher

Fieldfisher

Fieldfisher's Technology, Outsourcing & Privacy Group has class-leading expertise in privacy, data & cybersecurity, digital media, big data, the cloud, mobile payments and mobile apps.

a1qa

a1qa

a1qa specializes in the delivery of full-cycle software QA and application testing services.

Bastille

Bastille

Bastille’s patented software and security sensors bring visibility to devices emitting radio signals (Wi-Fi, cellular, IoT) in your organization.

CyberDefcon

CyberDefcon

CyberDefcon is an independent organization dedicated to the pursuit of making the internet a safer place.

Qubitekk

Qubitekk

Qubitekk has developed quantum cryptography solutions for the machine-to-machine (M2M) communications market.

PKWARE

PKWARE

PKWARE is a global leader in business data security, providing encryption and compression solutions to enterprise customers and government entities around the world.

Merlin Cyber

Merlin Cyber

Merlin is a premier cybersecurity platform that leverages security technologies, trusted relationships, and capital to develop and deliver groundbreaking security solutions.

AXA XL

AXA XL

AXA XL is the P&C and Specialty Risk Division of AXA. Professional insurance products include Cyber Insurance.

MENAInfoSecurity

MENAInfoSecurity

MENAInfoSecurity is a regional leader in information security solutions, assurance services and managed services.

Savanti Consulting

Savanti Consulting

Savanti provides practitioner-led cyber security services tailored to meet each organisation’s unique requirements.

Synamic Technologies

Synamic Technologies

Synamic Technologies was founded in 2018 as a start-up to automate cyber security processes. Our CISOSCOPE product automates vulnerability management, risk management and compliance.

Guardian Digital

Guardian Digital

Guardian Digital makes email safe for business. Threat-ready business email protection. Fully supported.

Grip Security

Grip Security

Grip Security provides comprehensive visibility, governance and data security to help enterprises effortlessly secure a burgeoning and chaotic SaaS ecosystem.

Radiance Technologies

Radiance Technologies

Radiance solutions provide technological advantage and operational superiority for our nation in the areas of intelligence, cyber and advanced weapon systems.