Cyber Insurance and the Ransomware Challenge

The cyber insurance industry has been heavily criticised for providing coverage for ransom payments. A frequent accusation, which has become close to perceived wisdom in policymaking and cyber security discussions on ransomware, is that cyber insurance has incentivised victims to pay a ransom following a cyber incident, rather than seek alternative remediation options. Over a 12-month research project, researchers from RUSI, the University of Kent, De Montfort University and Oxford Brookes University conducted a series of expert interviews and workshops to explore the relationship between cyber insurance and ransomware in depth. This paper argues that there is, in fact, no compelling evidence that victims with cyber insurance are much more likely to pay ransoms than those without.

Ransomware remains one of the most persistent cyber threats facing the UK. Despite a range of government, law enforcement and even military cyber unit initiatives, ransomware remains lucrative for criminals. During this research, we identified three main drivers that ensure its continued success:

A profitable business model that continues to find innovative ways to extort victims.

Challenges around securing organisations of all sizes.

The low costs and risks for cybercriminals involved in the ransomware ecosystem, both in terms of the barriers to entry and the prospect of punishment.

Despite this perfect storm of factors, the cyber insurance industry has been singled out for criticism with the claim that it is funding organised cybercrime by covering ransom payments. In reality, cyber insurance’s influence on victim decision-making is considerably more nuanced than the public debate has captured so far. While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to set higher ransom demands, the conclusion that ransomware operators are deliberately targeting organisations with insurance has been overstated.

However, the insurance industry could do much more to instil discipline in both insureds and the ransomware response ecosystem in relation to ransom payments to reduce cybercriminals’ profits. Insurers’ role as convenors of incident response services gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort. But the lack of clearly defined negotiation protocols and the challenges around learning from incidents make it difficult to develop a sense of collective responsibility and shared best practices around ransomware response. This has not been helped by the UK government’s black-and-white position on ransom payments, which has created a vacuum of assurance and advice on best practices for ransom negotiations and payments.

This paper does not advocate for an outright ban on ransom payments or for stopping insurers from providing coverage for them. Instead, it makes the case for interventions that would improve market-wide ransom discipline so that fewer victims pay ransoms, or pay lower demands. Ultimately, this involves creating more pathways for victims that do not result in ransom payments. Beyond ransom payments, cyber insurance has a growing role in raising cyber security standards, which could make it more difficult to successfully compromise victims and increase costs for ransomware operators. Successive years of losses from ransomware have led to more stringent security requirements and risk selection by underwriters. Although the overall effect of this on the frequency and severity of ransomware attacks remains to be seen, by linking improvements in security practices to coverage, cyber insurance is currently one of the few market-based levers for incentivising organisations to implement security controls and resilience measures. However, continued challenges around collecting and assessing reliable cyber risk and forensic claims data continue to place limits on the market’s effectiveness as a mechanism for reducing ransomware risk. This, along with cyber insurance’s low market penetration, makes clear that cyber insurance should not be treated as a substitute for the legislation and regulation required to improve minimum cyber security standards and resilience. Insurers are also commercial entities that primarily exist to help organisations transfer risk, rather than to improve national security and societal cyber resilience.

The cyber insurance industry could be a valuable partner for the UK government through increased ransomware attack and payment reporting, sharing aggregated claims data, and distributing National Cyber Security Centre (NCSC) guidance and intelligence to organisations. However, the government has not made a compelling enough case to insurers and insureds about the benefits of doing so. Instead, it has relied on appealing to their general sense of altruism. While insurers will benefit if governments are able to generate more accurate and actionable data on ransomware, albeit indirectly, this needs to be sold to the industry in a more convincing way.

Some principles and recommendations for both the insurance industry and the UK government are listed below. These are not designed to solve all the challenges of the cyber insurance market, nor do they present wide-ranging solutions to the ransomware challenge. Instead, they focus on where the cyber insurance industry can have the most impact on key ransomware drivers. This reflects the fact that disrupting the ransomware economy involves applying pressure from different angles in a whole-of-society approach. The recommendations also start from the position that the UK government’s light-touch approach is unsustainable and requires more intervention in private markets that are involved in ransomware prevention and response. While they are specifically aimed at UK policymakers, regulators and insurers, they may be applicable to other national contexts.

Recommendations

Recommendation 1: To increase oversight of ransomware response, insurers should use policy language to require that insureds and incident response firms provide written evidence of negotiation strategies and outcomes.

Recommendation 2: To develop and drive ransomware response best practices across the market, insurers should select specialist ransomware response firms for panels that meet a set of pre-defined minimum requirements. These should include: A proven track record of both regularly achieving outcomes that do not result in ransom payments, and of operational relationships with law enforcement and cyber security agencies. Conducting sanctions risk assessments. Compliance with anti-money laundering laws and FATF (Financial Action Task Force) standards. Ensuring payment firms that make payments on behalf of UK victims are registered with relevant financial authorities in the UK.

Recommendation 3: The UK government should commission a study to improve its understanding of specialist ransomware response firms. This should aim to identify common best practices and key market players, and create a framework for benchmarking the quality of their services and products. These findings can be distributed to trusted partners in the insurance industry. To drive best practices in ransomware response and create more oversight of the incident response ecosystem, the NCSC, National Crime Agency (NCA) and international partners should also explore the feasibility and potential implications of creating a dedicated assurance scheme for firms that provide specialist ransomware services such as decryption, recovery, negotiations and payments.

Recommendation 4: To increase reporting of ransom payments, the UK government and international partners should explore creating a dedicated licensing regime for firms that facilitate cryptocurrency payments on behalf of ransomware victims. In the short-term, the UK government should follow the example set by the US government and also ensure that ransomware response firms that facilitate payments are registered as money service businesses in the UK and therefore subject to national financial crime reporting requirements.

Recommendation 5: To reach a market-wide consensus on what constitutes a reasonable last resort before a ransom payment is made, insurers should agree on a set of minimum conditions and obligations in ransomware coverage to ensure alternatives are explored first. These should include sanctions due diligence, a requirement to notify law enforcement and written evidence that all options have been exhausted.

Recommendation 6: To increase ransomware reporting and ensure victims are able to access any relevant law enforcement and NCSC support, insurers should specify that any ransomware coverage must contain a requirement for policyholders to notify Action Fraud (the UK’s national centre for reporting fraud and cybercrime) and the NCSC before a ransom is paid. If there is no progress on this recommendation without intervention, then regulators should intervene to compel insurers to include this obligation in coverage. However, this recommendation also depends on the implementation of long-promised but delayed reforms to Action Fraud. These should include creating a dedicated category for reporting ransomware. Law enforcement and the NCSC must also provide assurances to insurers that they have the capabilities to support victims during incidents and that reporting leads to actual outcomes against ransomware actors, such as cryptocurrency seizures, arrests or offensive cyber operations.

Recommendation 7: The NCSC and a UK insurer should trial integrating the NCSC’s Early Warning service into their ongoing assessments of policyholders. This would enable the insurer to distribute intelligence from Early Warning at scale and notify policyholders of potential ransomware attacks. The NCSC should also explore whether Early Warning will need to be expanded and adapted to meet the requirements of insurers and policyholders.

Recommendation 8: To deepen operational collaboration with the insurance industry, the NCSC should seek to recruit secondees from the cyber insurance industry into the Industry 100 cyber security secondment scheme. This should include identifying specific tasks and roles for underwriters, claims managers and incident response professionals working for UK insurers.

Recommendation 9: To increase reporting of ransom payments, the Home Office and NCA should ensure that existing financial crime reporting mechanisms – specifically, suspicious activity reports (SARs) – are fit for reporting ransom payments or money laundering linked to ransomware. Concurrently, the UK government should also identify ways to encourage cyber insurers to report ransom payments as SARs or through more informal channels.