To pay or not to pay? Ransomware blame game ramps up
Insurers can be an easy target when things go wrong – and responses to the current ransomware epidemic illustrate the point perfectly.
Ransomware attacks have swelled, in number and size, and last week pressure was building on insurers over their reimbursement of ransomware payments.
Having insurance cover makes it easier for attacked businesses to pay up, and paying ransoms feeds the problem – so the logic goes. Giving money to criminal gangs is never a good thing, so insurers should stop doing it.
Is it really that simple? Industry experts suggest not – for a variety of reasons which we’ll detail later.
But last week a report from the government-funded Cyber Security Cooperative Research Centre (CSCRC) called for a ban on insurers “making ransom or extortion payments”.
The report cited “evidence from overseas” showing that cyber crooks will find a list of insured businesses and work through them one-by-one, demanding the exact amount covered by the insurance.
Whether this has ever happened in Australia is not made clear.
“Many cyber insurance policies offer explicit coverage for extortion and ransom payments,” the report says.
“This is problematic, serving to feed the criminal enterprise of ransomware gangs, especially those that prey on insured organisations.
“While ransomware payment should not be criminalised, there is merit in moves to ban the payment of ransoms by insurance providers.”
The report also recommends that a cyber checklist be provided to SMEs, and suggests that holding cyber insurance can lead to complacency on security.
The CSCRC’s report was followed a day later by the Commonwealth Government’s Ransomware Action Plan, which flags a 15% increase in attacks in the last year.
“The Australian Government does not condone ransom payments being made to cybercriminals,” Home Affairs Minister Karen Andrews says in the plan’s introduction.
“Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk.”
The plan doesn’t mention insurers – but it does pledge to introduce mandatory ransomware incident reporting, and a stand-alone offence for all forms of cyber extortion.
The Insurance Council of Australia says it supports measures which help businesses improve cyber security, such as cyber-risk health checks, and also backs the reporting of ransomware payments.
It says coverage provided by insurers for ransomware “varies across industry in line with each insurer’s risk appetite”, but leaves the door open for change.
“Such products will continue to evolve in line with community expectations and commercial considerations,” a spokeswoman told insuranceNEWS.com.au.
Brokers and underwriting agencies which specialise in cyber cover have been more forthright.
Marsh points out that only 15-20% of businesses globally purchase cyber cover, so to say insurance fuels ransomware is “not accurate”.
There’s also a subtle but important point: it isn’t insurers that pay ransoms, or decide to pay ransoms – it’s clients.
“Ransomware attacks occur because hackers are very successful at what they do and enough businesses pay them to make it profitable for the criminals to continue,” Marsh Head of Cyber, Pacific, Kelly Butler told insuranceNEWS.com.au.
Rather than instilling complacency or a willingness to pay, having insurance “gives the client the best possible chance of not [paying] the ransom demand”.
Troy Filipcevic, CEO and Founder of cyber specialist underwriting agency Emergence, agrees that ransomware attacks are spiralling but says “the notion that cyber insurance and the coverage of ransom payments has exacerbated this type of attack is untrue”.
“The narrow focus purely on ransomware payments, in my opinion, is a simple view to a complex problem,” he tells insuranceNEWS.com.au.
“The payment of ransoms only looks at part of the problem and doesn’t consider the broader context of what the impact of a cyberattack has on a business.
“Cyber insurance policies typically cover more than ransoms, including cyber event response costs that include digital forensics, legal help, notification costs and PR costs to name but a few. Business interruption, reputational damage and potential third party claims are all aspects of a cyberattack that could stem from a ransomware event.”
Mr Filipcevic says in reality only a small percentage of ransom demands are paid.
“If the business has good backups, strong incident response plans and responds swiftly, the business can often deal with the cyber threat without paying the ransom.
“My view is that cyber insurance and, where required, the payment of ransoms, is a critical piece of the response and resilience of the business to pick themselves up and get back to business in a timely manner.”
Lawyers are also sceptical of efforts to solve a complex problem with overly simple solutions.
Wotton + Kearney Partner Kieran Doyle argues that banning insurers from covering ransom payments is not the answer to “an ever-growing threat”.
“It does not follow that the existence of an insurance policy itself will cause an insured to pay a ransom,” Mr Doyle says.
“In our experience many businesses, particularly SMEs, are simply focused on making decisions that will keep them afloat – regardless of who is picking up the bill.”
Insurers need to be sensitive to an insured’s needs in a crisis, he says.
“The path is open to insurers to exclude ransom payments cover from cyber insurance policies. However, such terms are unlikely to be very attractive to brokers and insureds in the current climate and [are] unlikely to have the desired effect of curbing the rise in ransomware attacks.
“Instead, future reform can be focused on two priorities – identifying and prosecuting cybercriminals, and incentivising businesses to be better prepared for ransomware and other cyber incidents.”
Solving the problem won’t just come down to what cover insurers are, or are not, offering.
That would be too easy.
Tackling ransomware will also require hard work from businesses, governments and law enforcement agencies to mitigate the risk and drive down the number of attacks.