Two of the most consistent trends in cybersecurity for the past few years have been increases in ransomware attacks and the growing demand for cyber insurance. These two areas of growth are not unrelated; as the frequency of ransomware attacks has soared, so too has demand for insurance policies that can help organizations cover the costs of those attacks. But more cyberattacks also mean more claims, driving up costs for insurers and forcing insurance companies to significantly raise the premiums on policies as they adjust their risk models to the constantly evolving threat landscape. None of that is particularly surprising for a relatively new insurance product—as the risks change, and underwriters’ understanding of them changes accordingly, it makes sense that the pricing would shift and coverage might be altered. What’s different—and important—when it comes to coverage for ransomware, however, is that at least a portion of these insurance payments goes directly to fueling the very criminal activity that insurers and their policyholders are trying to tamp down on.
When insurers first began offering coverage for cybersecurity incidents more than twenty years ago, coverage was largely focused on data breaches and third-party costs like litigation brought by the individuals affected by a large breach of customer personal information. Over the years, the range of cybersecurity threats that businesses must protect themselves against has expanded significantly, and organizations have become increasingly worried about first-party coverage for the costs they bear directly in the event of a security incident. These direct costs include lost business due to computer systems being down, hiring digital forensics firms to help investigate a breach, or paying a ransom to attackers who have held data and computer systems hostage. When policyholders have coverage for all of these first-party costs, they may rely on their insurer to give them guidance about what to do in the event of a ransomware attack. Should they take several weeks to restore their systems manually and file a claim for lost business due to that downtime? Or should they pay the ransom and file a claim for it instead?
After the ransomware attack on Colonial Pipeline, for instance, Joseph Blount, the company’s president and CEO, testified before the House Homeland Security Committee that his CFO had been in touch with their insurer prior to deciding to pay a ransom worth $4.4 million. Blount added that he had filed a claim for the ransom payment, part of which was later recovered by law enforcement. It’s difficult to know what exactly goes on in the consultations between policyholders and their insurers, but it’s not hard to imagine that insurers sometimes calculate that it will be cheaper to cover a ransom payment than pay for all the potential resulting losses from refusing to pay it. It’s the same calculus that motivates many ransomware victims who don’t have insurance coverage to make these payments: if the attacker really does provide a decryption key immediately, paying it is often cheaper and easier than restoring compromised computer systems.
The problem with this logic is that ransom payments fuel these ransomware organizations’ future crimes and profits, keeping them in business. And while it’s understandable that individual victims might not want to consider the longer-term implications of making these payments, it’s less clear why insurers and regulators have been so unwilling to consider the bigger picture when it comes to trying to stop ransomware. Insurers, who are increasingly bearing the costs of ransomware incidents, are in a strong position to tamp down on ransom payments and refuse to cover them in order to make ransomware attacks a less lucrative business model for criminals. But so far, only one insurer in the world has decided to do so. Last year, AXA said it would stop reimbursing customers in France for extortion payments under its cyber insurance policies. AXA didn’t do this in an attempt to drive down rates of ransomware, but rather because the company was concerned that French regulators were going to crack down on ransomware coverage.
And yet regulators—both in France and countries like the United States that continue to suffer significant losses due to ransomware—have remained silent on the question of whether or not insurers should be allowed to cover ransom payments. Moreover, no other insurers have followed AXA’s lead in dropping coverage for these payments. Even as premium prices rise, it seems probable that more and more of that money is going directly to cybercriminals, leaving us further than ever from being able to put a dent in the rising rates of ransomware.
Josephine Wolff is an associate professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy.