
Cyber insurers address ransom reimbursement policy concerns

In a recent op-ed for The Financial Times, U.S. Deputy National Security Advisor Anne Neuberger wrote that reimbursing ransom payments is a 'troubling practice that must end.'

As concerns about ransomware continue to grow, some cyber insurance carriers are pushing back against government claims that ransom reimbursement policies "fuel" the persistent and disruptive threat.

Discussions around fighting ransomware continue to return to cyber insurance policies, many of which offer reimbursement for victim organizations that decide to pay ransoms. Over the past few years, industry professionals have expressed concern about cyber insurers' increasing role in ransomware incident response, including how it may affect a victim organization's decision to pay.

According to some cybersecurity companies, ransomware reached record highs in 2023 and appears to be on track to do the same in 2024. The situation has become so dire that Anne Neuberger, U.S. Deputy National Security Advisor for cyber and emerging technology, called out the insurance community.

Neuberger wrote an op-ed in the Financial Times last month titled, "The ransomware battle is shifting -- so should our response." In the article, she called for increased global partnerships and public/private collaboration but also blamed cyber insurers for writing policies that reimburse ransom payments.


"Some insurance company policies -- for example covering reimbursement of ransomware payments -- incentivize payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end," Neuberger wrote in the op-ed.

The cyber insurance industry has remained largely silent on Neuberger's criticism. TechTarget Editorial contacted several major carriers for comment on her editorial. The majority either declined to comment or did not respond to the requests, though some companies pushed back on Neuberger's statements.

Cysurance CEO Kirsten Bay told TechTarget Editorial that insurers are not driving enterprises' payment decisions. For example, Bay said around 30% to 35% of victim organizations that pay ransoms do so without notifying insurers. She also said that while moral hazard -- the tendency of organizations to take on higher risk when they are protected by insurance -- does occur in the insurance industry, cyber insurance carriers frequently require customers to have best practices in place to mitigate ransomware risks.

"Any kind of insurance has some type of moral hazard around it. Does [insurance] incentivize something bad to happen?" Bay said. "The other side of it is let's look at the highly targeted healthcare industry. Do we want to make an end-of-life decision for someone because we can't run the hospital system? Do we want to make decisions for organizations where that would mean they're completely out of business, and is that something our economy can sustain?"

Alternatively, Bay said the focus should be on increasing ransomware transparency. She called for a more efficient and managed global infrastructure to track the number of ransomware attacks and identify threat actors.

"From a government perspective, we really need to start thinking about how we move up that chain to start looking at the actors themselves and trying to have more enforcement around that," she said.

As the threat grows more disruptive, law enforcement efforts have increased, and agencies have shifted their responses. In addition to arrests, sanctions and takedowns, a joint law enforcement action earlier this year exposed Dimitry Yuryevich Khoroshev, the LockBit ransomware gang's ringleader, also known as "LockBitSupp."

While some of these efforts are successful, ransomware continues as groups rebrand and new groups emerge on the landscape. At the beginning of 2023, cybersecurity companies Coveware and Emsisoft called for a payment ban, and cyber insurers' reimbursement policies were included in those discussions.

Although insurers are blamed for incentivizing ransom payments, Bay highlighted how they also provide important data for combating cybercrime. One cybercrime that she believes should receive more attention is business email compromise (BEC); she said policyholders experience 10 times more BEC attacks than ransomware attacks.

"It's always easy to pick on us because we ultimately are the ones who make people whole, and that's our job," Bay said. "I've been involved in some government conversations and called on by the intelligence community because of tracking threat actors and other elements."

Rob Jones, global head of claims at Coalition, said companies without insurance still give in to ransom demands. Jones added that currently, around 40% of companies that experience attacks will pay a ransom.


Jones highlighted how insurance not only helps companies respond to ransom demands but also assists with the adverse effects on operations. He added that insurers also help organizations prepare for ransomware attacks by evaluating their cybersecurity hygiene and testing backups, for example.

"Should insurance companies not pay a ransom? I think it's a very broad brush to something that is a very specific situation," Jones said.

Ransomware fight continues

While infosec experts highlighted how complicated the ransom reimbursement issue is, they offered ways for the government, the private sector and insurers to address the increasing threat. Two areas clearly require attention: transparency around ransomware reporting and organizations' security postures.

Alla Valente, a senior analyst at Forrester, told TechTarget Editorial that if the government wants to address the endless cycle of ransomware payments, it should help organizations avoid attacks in the first place. For example, she called for federal-level cybersecurity regulations. While there are currently best practice recommendations, Valente said they need to be mandated, not voluntary.

"Put some measures in place that would significantly reduce the impact, the potential impact. Instead, they're talking about reimbursing ransomware payments," Valente said.

On the other hand, she said not every insurance policy will reimburse ransom payments. She added that a barrage of attacks that occurred in 2020 and 2021 resulted in significant policy changes, including requirements for what the companies will underwrite.

"I agree that insurance companies need to do a much better job at assessing the risk during the underwriting process to say if they're going to include coverage for ransomware attacks like payment and reimbursement," Valente said. "Does this company have all of the necessary tools, resources and best practices in place to show that they are addressing cybersecurity risk -- not the event, but preventative? Are they taking the steps to prevent this from happening?"

Art Gilliland, CEO of identity security vendor Delinea, agreed with Neuberger that giving in to ransom demands reinforces ransomware gangs' ability to operate. However, he said, enterprises face enormous challenges going up against cybercriminal gangs that are sometimes connected to and supported by adversarial governments. "I think the downside is that it puts all of the pressure on the companies to basically defend themselves against nation-states because most of the cybercriminal gangs are sponsored by nation-states," Gilliland said.

He added that instead of focusing on insurers' reimbursement policies, companies should look for ways to better defend themselves. He also said adversaries understand that cyber insurance is part of the ransomware ecosystem and understand how that ecosystem works.

"Ultimately, whether cyber insurance pays or the companies pay, somebody is going to pay, and cyber insurance is just a way that companies are doing risk management," Gilliland said. "I do think companies probably pay faster because they have insurance backing, but they would still pay. What companies have done with insurance is they've given themselves an ability that is 'easier,' but at the end of the day, would probably still pay."

Grayson Milbourne, security intelligence director at OpenText Cybersecurity, said the ransomware economy is booming and that OpenText data shows concerning trends, particularly around the success of initial access brokers. Milbourne referred to a recent OpenText survey that showed 48% of respondents received a ransom demand, and 46% opted to pay. One-third of the demands were between $1 and $5 million, he added.

"Cyber insurance plays an element, but there are a lot of pieces, so I believe we'll continue to see this as a significant problem for the foreseeable future until we can get people not to pay and arrest the leaders of these operations. Even LockBit is still around and widely prevalent," Milbourne said.

Regarding Neuberger's statement, Milbourne said there are certain cases where insurers need to pay, but those situations typically represent a failure of many different security layers. For example, Milbourne urged enterprises to implement the NIST cybersecurity framework to make it harder for attackers, to require MFA for remote access and to educate employees. He added that employee education is an important element in preventing initial compromise.

Milbourne also called for increased transparency around attacks to help the government track those responsible.

"I get that paying, whether it's through insurance or the business is just continuing the problem, but it doesn't make sense to always say no," he said.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
