Ransomware and insurance: Is cyber insurance really problematic?
"Cyber insurance is problematic" and "don’t pay the ransom".
This was essentially the message of the Cyber Security Cooperative Research Centre (CSCRC) and the Australian Government in two key publications issued recently. A snapshot of the publications is set out below.
CSCRC policy paper dated 12 October 2021: "Underwritten or oversold? How cyber insurance can hinder (or help) cyber security in Australia"
Government's Ransomware Action Plan issued on 13 October 2021
A direction not to pay the ransom is easier said than done. It assumes an organisation's ability to recover and survive without paying a ransom to recover its data. But the story is rarely that simple.
1. A ban will not discourage ransomware attacks
A ban on extortion cover will not discourage ransomware attacks. Whilst it may close off one source of funding for ransomware attackers, it does not disrupt the factors that make ransomware successful, sustainable and profitable.
Ransomware gangs are fundamentally driven by commercial motivations of efficiency and profitability.1 Ransomware continues to be profitable because ransomware as a service (RaaS) has lowered the barriers to entry to perpetrating ransomware attacks. The absence of insurance cover for extortion payments is not going to stop or slow the ransomware business.
Ransomware continues to be successful and sustainable because:
- weak cyber security continues to exist across many organisations and businesses, which allows infiltration and results in many victims being held "hostage" with no choice but to pay the ransom for survival
- there is a low risk of prosecution, as the law enforcement environment is challenging and evolving
- the preferred use of cryptocurrency affords anonymity.
2. Availability of extortion cover does not mean ransom is always paid
The availability of extortion payment cover does not necessarily mean that payment will always be made by the insurer. There are conditions to be met before an insurer will make an extortion payment, including:
- express prior written consent
- a requirement (usually) that there is imminent and probable danger of serious loss or damage occurring to the insured if the payment is not made
- illegality issues. The payment will not be made if there is a contravention of any laws in the circumstances.
The payment of extortion money is often a last resort. It is a decision made in consultation with the insured, insurer, professional negotiation teams and crisis responders. It is not made lightly.
3. Banning extortion payment cover does not stop payment
A ban on ransom and extortion cover has no effect at all for any company that can (and needs to) meet any ransom from its own funds.
4. A ban penalises the insured
A ban would not penalise the ransomware gangs; it would penalise the insured.
Ransomware is a risk management problem and cyber insurance is part of a risk transfer strategy. In return for payment of a premium, insurance is taken out to take care of that rainy day when mitigation tactics fail. Whilst one cannot eliminate a cyber risk, one can eliminate the cost of it through insurance.
Banning extortion payment cover limits the insured's risk transfer options, especially during unforeseen circumstances. What if a diligent insured suffers a "zero-day" attack and perhaps for an unanticipated reason, is unable to retrieve the backup of valuable data needed for business survival?
In this instance, the availability of extortion payment cover may be critical for the survival of the business, especially an SME.
The CSCRC recommendation presupposes that all organisations are able to recover without paying a ransom, which is simply not a realistic assumption at this stage of Australia's cyber security maturity.
A ban would hardly impact the ransomware criminal; it would just be another attack that has not yielded a payment from the insured whose data has been encrypted. With double, triple and quadruple extortion tactics, the ransomware criminal may use the valuable data obtained to extract payment from others (customers, business partners, directors, employees) and move on to other victims.
5. A ban is useful only if universalised
Prohibiting extortion payments is only useful if all countries prohibit cyber insurers from making such payments. To date, only one major insurer has announced it would stop writing cyber insurance coverage in France in May 2021.
A ban on Australian cyber insurers only would have minimal effect, as cyber insurers in other countries can still make available policies with extortion payments.
Cyber insurance's role in risk mitigation and uplifting cyber security
Fundamentally, the identified "problems" of cyber insurance, if they are indeed problems, are not insurmountable. The cyber insurance industry can play a key role in the risk mitigation strategies of insureds so as to shape and improve Australia's cybersecurity maturity.
The CSCRC's recommendations for insurers to work together to develop a best practice checklist for SMEs to improve their cyber security maturity, and for insurers to work with telecommunications providers, cloud services and software providers to provide "bundled packages" of cyber security tools to uplift the cyber security of insureds, are all important steps insurers can take in uplifting Australia's cyber security maturity.
Cyber insurance brokers can, and already do, play an important part in educating and uplifting their clients' cyber security as well.
Strengthening Australia's cyber security would disrupt the ransomware business model by making conditions less favourable for easy infiltration, and minimise the chances of victims being held "hostage" by an attack and the necessity for victims to pay the ransom.
Government's role in sharpening law enforcement
The Australian Government can also play a role in uplifting the cybersecurity of Australian businesses, defending Australian businesses from attacks, regulating as well as sharpening law enforcement.
Sharpening law enforcement would make it riskier to be a ransomware criminal, thereby increasing the risk and costs compared to the profits, with the intended effect that it may thereby shrink the ransomware and cyber extortion economy.
Regulating the cryptocurrency market by making it more transparent may also result in ransomware criminals being less likely to use it as a form of payment.
Ransomware incident reporting, encouraging an increase and making more timely reporting of data breaches, as well as mandating notification of ransomware payments would also provide the government with greater oversight of the ransomware issue.
A more balanced solution
Ultimately, no cyber risk can be eliminated, and ransomware is here to stay.
Perhaps a more balanced solution and middle ground is for the extortion payments cover to continue but be subject to sub-limits and more stringent conditions on cover to reduce the likelihood of a payment being made and only under the most exceptional circumstances.
As Australia's cyber security maturity lifts, the chances of victims being held "hostage" by an attack and having to pay for a ransom should reduce dramatically.
Authors: Melissa Tan, Special Counsel and Louisa Henderson, Lawyer.
1 AGCS Cyber Insights, Ransomware trends: Risks and Resilience per Michael Daum, Senior Cyber Underwriters at AGCS, page 4.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.