Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers
Ransomware is one of the biggest cybersecurity issues facing organisations today, but as claims mount and cyber insurers review the coverage they offer, changes may be coming.
Cyber insurance is designed to protect organisations against the fallout of cyber attacks, including covering the financial costs of dealing with incidents. But some critics argue that insurance encourages ransomware victims to simply pay the ransom demand, which the insurer then covers, rather than having adequate security in place to deter attackers in the first place. Insurers argue that it is the customer, not the insurer, who makes any decision to pay a ransom.
It isn’t illegal to pay cyber criminals a ransom demand, but law enforcement agencies warn that doing so gives the gangs funds to launch further attacks.
According to a research paper on cyber insurance and the cybersecurity challenge by the defence think tank Royal United Services Institute (RUSI), this practice isn’t just encouraging cyber criminals; it is also unsustainable for the cyber insurance industry, which warns that ransomware has become an existential threat for some insurers.
“To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organisations’ cyber security practices,” RUSI said. And it warned: “Cyber insurers may be unintentionally facilitating the behaviour of cybercriminals by contributing to the growth of targeted ransomware operations.”
Ransomware is one of the most significant cyber threats that organisations face today – as National Cyber Security Centre (NCSC) CEO Lindy Cameron recently said in a speech at RUSI – as attacks grow in complexity and cyber criminals demand larger ransoms.
Refusing to pay the ransom can lead to months of downtime and huge costs for organisations that attempt to rebuild their network from scratch – and according to RUSI, some ransomware victims and their insurers pay the ransom because they see it as the lowest-cost option for restoring networks.
“There are widespread concerns that insurers are fuelling ransomware attacks by paying ransom demands. Paying ransoms is not currently illegal, and it is often cheaper to pay off extortionists than it is to rebuild IT infrastructure or cover losses from business interruption,” says the paper.
Some ransomware gangs are even actively seeking out victims that hold cyber insurance policies, because they believe a covered victim is the most likely to pay, making it the best way to guarantee a return from their encryption campaigns.
However, according to the RUSI report, cyber insurance could actively disrupt the ransomware business model by requiring policyholders to improve their defences, so that they do as much as possible to avoid falling victim to a ransomware attack in the first place.
The paper suggests that insurance should require ‘minimum ransomware controls’ as part of any ransomware coverage.
These controls include timely patching of critical vulnerabilities in external-facing IT infrastructure, enabling multi-factor authentication on remote access services, limiting lateral movement by adopting network segmentation, and implementing procedures to ensure regular backups are created.
And there is some evidence that change is coming. According to a recent story in the Financial Times, insurers are already increasing premiums and putting stricter demands in place regarding the cybersecurity strategies of companies that want to buy cyber insurance. The Washington Post has also reported that insurers are demanding greater security and cutting back the amounts of cover they are willing to offer.
All of these controls could prevent a ransomware attack from happening in the first place, or limit the damage an attack could do – meaning that if an organisation does fall victim, paying the ransom would be an absolute last resort rather than something signed off as the simplest option.
It would also reduce risk for the cyber insurance industry going forward, reducing the need for insurers to fund pay-outs of millions for decryption keys following a ransomware attack.
“The impact of ransomware on the cyber insurance industry emphasises the need to address some of these issues and questions sooner rather than later. As some insurers risk being overwhelmed by losses, the industry and governments need to react quickly to ensure adequate protection and coverage for businesses,” the researchers said.
However, at least right now, the availability of cyber insurance doesn’t seem to be helping improve cybersecurity. “Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise,” the report said, adding: “Most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cyber security practices of policyholders.”