Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware crisis worse

Allowing organizations to claim back ransom payments could be making the problem of ransomware worse, but cyber insurance could also be used to help improve security, says a RUSI research paper.

By: Danny Palmer

Ransomware is one of the biggest cybersecurity issues facing organizations today but, as claims mount and cyber insurers look at the coverage they are offering, changes may be coming.

Cyber insurance is designed to protect organizations against the fallout of cyberattacks, including covering the financial costs of dealing with incidents. However, some critics argue that insurance encourages ransomware victims to simply pay the ransom demand that will then be covered by the insurers, rather than have adequate security to deter hackers in the first place. Insurers argue that it's the customer that makes any decision to pay the ransom, not the insurer.

It isn't illegal to pay cyber criminals a ransom demand but law enforcement agencies warn that doing so will give the gangs funds to launch more attacks.

According to a research paper examining cyber insurance and the cybersecurity challenge by the defense think tank Royal United Services Institute (RUSI), this practice isn't just encouraging cyber criminals; it is also unsustainable for the cyber insurance industry, which warns that ransomware has become an existential threat for some insurers.

"To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organizations' cybersecurity practices," RUSI said. And it warned: "Cyber insurers may be unintentionally facilitating the behavior of cyber criminals by contributing to the growth of targeted ransomware operations."

Ransomware is one of the most significant cyber threats that organizations face today – as National Cyber Security Centre (NCSC) CEO Lindy Cameron recently said in a speech at RUSI – because attacks continue to increase in complexity and cyber criminals are demanding larger ransoms.

Refusing to pay the ransom can lead to months of downtime and huge costs for organizations that attempt to restore their networks from scratch – and according to RUSI, some ransomware victims and their insurers will pay the ransom because they see it as the lowest cost option for restoring networks.

"There are widespread concerns that insurers are fueling ransomware attacks by paying ransom demands. Paying ransoms is not currently illegal, and it is often cheaper to pay off extortionists than it is to rebuild IT infrastructure or cover losses from business interruption," said the paper.