Should insurers pay ransoms?

2020 was the year of the pandemic; COVID-19 is the ever-present example that comes to mind, affecting people and economies, worldwide. However, the proliferation of ransomware has also made pandemic-like headlines, with the number of attacks having increased by 97% over the past two years (phishme.com), costing businesses over $20bn in 2020 (purplesec.us).

The ongoing damage caused by ransomware has, in turn, provoked some commentators to lobby governments in an effort to illegalise the payments of ransoms. Amongst others, Ciaran Martin, the former head of the UK’s National Cyber Security Centre (‘NCSC’) was highly critical of the insurance industry in an article for the Guardian, suggesting that insurance was “inadvertently funding cyber crime” owing to the coverage for ransom and extortion payments under cyber insurance policies. Suggestions have also been made that the cyber insurance industry would not support these sorts of reforms, owing to cyber crime being “good for business.”

My riposte to these criticisms aligns with those of my peers in the cyber insurance space; that the insurance industry would happily support these legal reforms, should there be any evidence that the changes would halt the march of ransomware incidents. Sadly for everyone, it’s highly unlikely that banning the payments of ransoms would prevent or reduce the number of ransomware attacks. I have two main arguments for why:

There is no evidence that suggests that businesses who have cyber insurance are any more likely to pay ransoms than those who are uninsured.

The stark reality is that it’s quite possibly the opposite. Cyber insurance is a phenomenally good product; long before any discussions of ransoms being paid, those with coverage will benefit from rapid-response IT forensic teams to analyse the commercial and legal decision of whether to pay the ransom or not, and experienced operators to handle and guide the business through any and all negotiations. Businesses without insurance are, perhaps, more likely to panic and pay owing to the lack of objective experience in handling these situations. I’d go as far as suggesting that uninsured businesses actually represent better targets for these malicious attackers.

Worldwide, the uptake and penetration of cyber insurance remains incredibly low

CFC Underwriting suggests it’s as low as 15%. Businesses still seem more adverse to physical perils such as fires, floods and physical theft, than they are to the risks involving their intangible assets. Any suggestions that limiting the potential response of cyber policies would have a macro-impact on the frequency of ransomware attacks, serves only to ignore the other c.85% of vulnerable businesses that don’t have the insurance in place.

In my opinion, cyber insurance is a critical piece of risk management infrastructure for all businesses. As an industry, we are able to aggregate and learn from developments in the cyber crime and ransomware space, to ensure that our response to it remains up to date. Remaining effective in protecting customers is at the very core of insurance, and removing such an important element of cyber insurance from its offering is reckless, especially at a time when it is needed the most.