2024-11-21

As concerns about ransomware continue to grow, some cyber insurance carriers are pushing back against government claims that ransom reimbursement policies "fuel" the persistent and disruptive threat.

Discussions around fighting ransomware continue to return to cyber insurance policies, many of which offer reimbursement for victim organizations that decide to pay ransoms. Over the past few years, industry professionals have expressed concern about cyber insurers' increasing role in ransomware incident response, including how it may affect a victim organization's decision to pay.

According to some cybersecurity companies, ransomware reached record highs in 2023 and appears to be on track to do the same in 2024. The situation has become so dire that Anne Neuberger, U.S. Deputy National Security Advisor for cyber and emerging technology, called out the insurance community.

Neuberger wrote an op-ed in the Financial Times last month titled, "The ransomware battle is shifting -- so should our response." In the article, she called for increased global partnerships and public/private collaboration but also blamed cyber insurers for writing policies that reimburse ransom payments.


"Some insurance company policies -- for example covering reimbursement of ransomware payments -- incentivize payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end," Neuberger wrote in the op-ed.

The cyber insurance industry has remained largely silent on Neuberger's criticism. TechTarget Editorial contacted several major carriers for comment on her editorial. The majority either declined to comment or did not respond to the requests, though some companies pushed back on Neuberger's statements.

Cysurance CEO Kirsten Bay told TechTarget Editorial that insurers are not driving enterprises' payment decisions. For example, Bay said around 30% to 35% of victim organizations that pay ransoms do so without notifying insurers. She also said that while moral hazard -- the tendency of organizations to take on higher risk when they are protected by insurance -- does occur in the insurance industry, cyber insurance carriers frequently require customers to have best practices in place to mitigate ransomware risks.

"Any kind of insurance has some type of moral hazard around it. Does [insurance] incentivize something bad to happen?" Bay said. "The other side of it is let's look at the highly targeted healthcare industry. Do we want to make an end-of-life decision for someone because we can't run the hospital system? Do we want to make decisions for organizations where that would mean they're completely out of business, and is that something our economy can sustain?"

Alternatively, Bay said the focus should be on increasing ransomware transparency. She called for a more efficient and managed global infrastructure to track the number of ransomware attacks and identify threat actors.

"From a government perspective, we really need to start thinking about how we move up that chain to start looking at the actors themselves and trying to have more enforcement around that," she said.

As the threat grows more disruptive, law enforcement efforts have increased, and agencies have shifted their responses. In addition to arrests, sanctions and takedowns, a joint law enforcement action earlier this year exposed Dimitry Yuryevich Khoroshev, the LockBit ransomware gang's ringleader, also known as "LockBitSupp."

While some of these efforts are successful, ransomware continues as groups rebrand and new groups emerge on the landscape. At the beginning of 2023, cybersecurity companies Coveware and Emsisoft called for a payment ban, and cyber insurers' reimbursement policies were included in those discussions.

Although insurers are blamed for incentivizing ransom payments, Bay highlighted how they also provide important data in combating cybercrime. One cybercrime she believes should receive more attention is business email compromise, she said, explaining that policyholders experience 10 times more BEC attacks than ransomware.

"It's always easy to pick on us because we ultimately are the ones who make people whole, and that's our job," Bay said. "I've been involved in some government conversations and called on by the intelligence community because of tracking threat actors and other elements."

Rob Jones, global head of claims at Coalition, said companies without insurance still give in to ransom demands. Jones added that currently, around 40% of companies that experience attacks will pay a ransom.

Jones highlighted how insurance not only helps companies respond to ransom demands but also assists with the adverse effects on operations. He added that insurers also help organizations prepare for ransomware attacks by evaluating their cybersecurity hygiene and testing backups, for example.

"Should insurance companies not pay a ransom? I think it's a very broad brush to something that is a very specific situation," Jones said.