Why cyber insurance is a horrible idea

Cyber insurance is designed to protect organizations against the financial fallout of cyberattacks, including covering the cost of paying ransoms. Now let me explain why that's a horrible idea. Cyber insurance encourages ransomware victims to simply pay the ransom demand and have the insurer cover it, rather than invest in security strong enough to deter attackers in the first place. It isn't illegal (yet) to pay cyber criminals a ransom, but law enforcement agencies warn that doing so funds the groups behind the attacks and finances more, and more damaging, operations. If we aren't going to ban ransomware payments outright, then we need to at least promote good security and backup programs instead of promoting a guaranteed money-back program.


According to a research paper examining cyber insurance and the cybersecurity challenge by the defense think tank Royal United Services Institute (RUSI), this practice isn't just encouraging cyber criminals, it's also unsustainable for the cyber insurance industry itself: the paper warns that ransomware has become an existential threat for some insurers.


"To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organizations' cybersecurity practices," RUSI said. And it warned: "Cyber insurers may be unintentionally facilitating the behavior of cyber criminals by contributing to the growth of targeted ransomware operations."


Now I do understand that refusing to pay the ransom can lead to months of downtime and huge costs for organizations that have to rebuild their networks from scratch, but ransomware attacks continue to grow in sophistication, and cyber criminals are demanding larger ransoms with every attack. Focusing on security and recovery will benefit any corporation in the long run, even if it has to be coerced into it by legislation.