The nation’s largest property/casualty insurance organization is defending ransom payment reimbursements by insurers in a new set of principles stressing that the insurance industry wants to partner with government and business to improve cybersecurity.
The insurers say they “must be permitted to provide reimbursement coverage for the policyholder’s payment of ransom for cyber extortion,” subject to applicable sanction and other laws.
“This principle is consistent with the long-standing approach to the parallel issue of crime or kidnap & ransom coverages, which are allowed by regulators so long as those payments do not violate sanctions laws,” the American Property Casualty Insurance Association (APCIA) said in releasing its Cyber Extortion/Ransomware Guiding Principles.
Recent ransomware attacks on Colonial Pipeline, beef producer JBS USA, and CNA Insurance among others have re-ignited a debate over whether victims of attacks should pay ransom, and whether doing so encourages more attacks.
APCIA is worried that prohibitions on the reimbursement of ransom payments present “potential unintended consequences” such as eliminating a meaningful risk management resource.
Some have argued that businesses sometimes have no option except to meet the ransom demands, while stressing that the insured, not insurer, makes the call. Many businesses purchase cyber insurance because it offers ransom payment coverage and if that is not allowed, smaller businesses that could not afford the payments without insurance would be harmed far more than larger business that can pay, they contend.
A Ban Could Backfire
R.J. Lehmann, senior fellow at the think tank International Center for Law & Economics, says he does not think a ban would work and could encourage more attacks on high-value targets.
“The urge to ban ransom payments is understandable and, in an ideal world where it could be enforced nearly all of the time, perhaps it would even be a good idea. But in the real world, so long as the damage inflicted by a cyber attack is greater than the cost of the ransom, we can predict that ransoms would be paid surreptitiously. Rather than taking away the incentive to engage in such attacks, a ban on ransom payments would be likely to shift hackers focus to the highest value targets where an interruption would do the most damage to society,” Lehmann told Insurance Journal.
Others question the idea that criminals choose their victims because of the presence of insurance. Adam Lantrip, with insurance broker CAC Specialty, told Bloomberg recently that criminals are more likely to target firms with system vulnerabilities.”I don’t think it’s as binary of a process of saying, ‘This company buys cyber insurance and so I’m going to go after them,'” said Lantrip, the cyber practice leader at CAC. He said it is more likely that the attackers are looking at “who is showing the world a particular piece of technology that they know they can exploit. That’s how they narrow their target list.”
However, the Federal Bureau of Investigation and others in government have warned against businesses paying ransom out of concern it encourages more attacks.
“It is our policy, it is our guidance from the FBI, that companies should not pay the ransom,” FBI Director Christopher Wray told Congress recently.
The National Security Council has said private companies should not pay ransom, not only because doing so enriches malicious actors, but also because “there is no guarantee companies get their data back.”
Energy Secretary Jennifer Granholm has signaled that a ban on ransomware payments might be a good idea. “We need to send this strong message that paying of ransomware only exacerbates and accelerates this problem. You are encouraging the bad actors when that happens,” she told NBC news.
The New York State Department of Financial Services (DFS) this week issued new guidance on preventing ransomware attacks. DFS said that it is joining the FBI in recommending that companies avoid making ransomware payments if their networks are compromised, maintaining that larger extortion payments have “financed the development of more effective hacking and ransomware tools and added more hackers” to their ranks.”As reported, cybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents,” stated DFS Superintendent Linda Lacewell.
One global insurance company, AXA, announced in May it will stop writing cyber insurance coverage in France that reimburses customers for extortion payments made to ransomware criminals.
Analysts at AM Best have reported the escalation in ransomware attacks is forcing insurers to re-think their approach to cyber.
As the ransomware demands and cyber claims costs continue to rise, more insurers may stop offering coverage, according to panelists at a Reuters conference. Meredith Schnur, a cyber brokerage leader at insurer brokers Marsh, said some insurers are not writing coverage, calling this is a “hard market.”
Unintended Consequences
Others see the ransom payments as inviting their own unintended consequences.
Cyber recovery experts at Coveware contend that paying criminals offers few benefits to businesses. “[V]ictims of data exfiltration extortion have very little to gain by paying a cyber criminal, and despite the increase in demands, and higher prevalence of data theft, we are encouraged that a growing number of victims are not paying. Over hundreds of cases, we have yet to encounter an example where paying a cyber criminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage. On the contrary, paying creates a false sense of security, unintended consequences and future liabilities,” the company wrote in its blog.
Cyber insurance policies typically cover more than ransoms, including costs of restoring systems, business interruption losses, and reputational damage.
“Insurers want to be partners with business leaders and policymakers in finding meaningful solutions for addressing the proliferation of ransomware attacks,” said David A. Sampson, APCIA president and CEO.
“Singling out insurance as a reason for increased attacks negates the holistic benefit of cyber insurance and takes a simplistic approach to a complex problem. We all have a role in this fight and insurers are ready to participate.”
APCIA’s Sampson stressed that insureds, not insurers, make the decisions on ransom payments.
“A victimized company always makes the choice whether or not to pay the ransom and it is not a decision entered into lightly. The victimized company may involve law enforcement, legal counsel, and security experts. Importantly, a cyber insurer does not pay the ransom, it only provides reimbursement once the policyholder makes the decision to pay the ransom,” he stated in a comment after release of the principles.
Sampson said APCIA is not taking a position on whether ransomware payments by businesses should be prohibited or regulated, but rather that “if ransomware payments are allowed, business consumers should have a full array of available services to protect themselves, including insurance.”
He said that reimbursement by an insurer may be the “only way that a small business can get the encryption key and avoid a potential business closure. ”
He said a prohibition on the reimbursement of ransom could have “negative unintended consequences that on a large scale could have impacts for the overall economy.”
Public/Private Partnership
Deputy National Security Advisor for Cyber Anne Neuberger agrees with the need for a private and public partnership. In an open letter to private companies, she called for “cohesive and consistent policies towards ransom payments” but stopped short of support for a ban.
“The U.S. Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility,” she wrote.
Joshua Motta, co-founder and CEO of Coalition, a cyber insurance managing general agency and security company, spoke up in support of the APCIA’s guiding principles.
“There is literally no industry better positioned to fight cybercrime than the insurance industry. Insurers have one thing in common that others (including cybersecurity companies) do not: a direct financial incentive to protect insured clients and prevent financial loss,” Motta stated.
“It is impossible to imagine how much worse the world would be without insurance. While some insurers are pulling back on coverage, and even eliminating it, and while there is chatter of public policy efforts to render extortion uninsurable, or otherwise prevent extortion payments from being made, it would be a tremendous disservice to the organizations impacted by these attacks to prevent the insurance industry from continuing to innovate to fight cybercrime. Not only do insurance companies provide a tremendously valuable service, they have a unique ability to encourage – even enforce – the basic cybersecurity hygiene that is so desperately needed. They can also do so at a considerably lower cost than organizations can do themselves.”
*This story ran previously in our sister publication Insurance Journal.