By: Vishaal “V8” Hariprasad
In 1975, the Argentine grain exporter Bunge & Born paid $60 million to free a kidnapped executive. That ransom remains the largest ever paid for a single person, but the case marked the beginning of the end for high-profile hostage events. The reason? Insurers began offering kidnap and ransom insurance. The policies not only promised to reimburse ransoms but gave corporations the resources they needed, such as crisis managers and negotiators, to get hostages to safety and to keep ransom costs in check.
Today, major multinational corporations stare down a similar, if less physically tangible, threat. Ransomware is not just a form of cybercrime but a malevolent industry unto itself. With malware deployed to infiltrate networks and encrypt files, bad actors can immobilize operations, inflict reputational damage and even physically harm people. More concerning, ransomware-as-a-service (RaaS) has lowered the bar to entry. It no longer takes a skilled operator to carry out an attack, just bad intentions and access to a licensed service.
Just as in the 1970s, criminals have seized an opportunity to exploit corporate wealth, and it will be up to the insurance industry to help modulate a situation that is spiraling out of control. In this new, digital version of the hostage crisis, the insurance industry is uniquely positioned to play a leadership role, de-escalate the panic, and again help global corporations rise above terrorism and fear.
An Evolving Threat Requires an Evolving Defense
Experts predict that a ransomware attack will occur every 11 seconds in 2021, and that global damages from cybercrime will hit $6 trillion. No sector is immune, which is why leading organizations joined to create the Ransomware Task Force, with Resilience serving as co-chair, to develop policy solutions for this growing scourge.
While public policy certainly has a role to play, cyber insurance can be more instrumental in effecting change on the ground. Cyber insurers have already become one of the most important drivers of cybersecurity, requiring policyholders to meet standards of care and providing resources that help both guard against ransomware attacks and respond to them quickly, which saves money, protects data and avoids costly regulatory violations and other liabilities.
An Unfair Rap
Yet some want to blame the escalating ransomware crisis on cyber insurance. Last year, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) stated in an official advisory that “companies that facilitate ransomware payments to cyber actors on behalf of victims…encourage future ransomware payment demands.” It included cyber insurance companies in its list of these facilitators and warned that ransom payments may “embolden cyber actors to engage in future attacks.” Rather than endorsing cyber insurance as a way to manage and transfer ransomware risk, OFAC urged institutions to contact the relevant government agencies in the event of an attack.
The focus on ransom payment facilitators distracts from the sources of cybercrime, from how targets are chosen (rarely for who they are, usually for how vulnerable they are) and from the reasons these schemes are increasingly profitable. The rise of cryptocurrency, the mounting consequences of data leaks and last year’s sudden shift to work-from-home are all contributing to ransomware’s growth.
There is no evidence that insured firms are more likely to pay ransoms, and it is not the insurer’s decision to make. In fact, victims with good cyber insurance may be less likely to pay, because insurers provide technical and legal experts to help identify the best method of recovery. And because firms must often prove their security bona fides as a precondition of coverage, a hardening cyber insurance market is slowly raising the bar for cybersecurity across industries.
Making ransomware payments fully illegal sounds great in theory, but like most simple solutions it falls apart in practice. It places an outsized share of blame on the victim and does nothing to protect the victims of future attacks. Insurance can put economic incentives in place that encourage, if not compel, better security practices while providing a safety net in times of need.
While there are cases where options such as restoring from backups are viable, some ransoms do ultimately need to be paid. Ransomware actors are experts at applying pressure to their victims, including by threatening to release stolen confidential data to the public. Often the victim lacks the resources to make this judgment call; it needs practiced experts to guide it through the process and the economic and technological resources to handle the fallout. In other words, the victim needs insurance.
Mitigating Risk—for Everyone
On the micro level, responsible cyber insurance can both insure and secure, transferring and mitigating risk through incentives that keep insureds up to date on an ever-changing threat landscape.
Enterprise clients may have effective in-house cybersecurity but struggle to justify its budget. For SMEs, the resources an insurer can provide are invaluable. For victims of a ransomware attack, those resources can include forensic services, incident response, legal expertise, and repair and recovery costs. Insurance also covers business interruption and other losses that could otherwise be financially devastating. It may cover the ransom payment as well, but not always.
On a bigger scale, cyber insurers can collect and share data on all cyber events while continuing to insure against ransomware, collectively pooling and spreading the risk. As we have all seen with catastrophic ransomware events in the past year, such as the Colonial Pipeline fuel shutdown, such events can have massive ripple effects.