Cyber insurance is not fuelling the ransomware epidemic
7 August 2023
Contrary to perceived wisdom, there is no compelling evidence that victims of ransomware with cyber insurance are much more likely to pay ransoms than those without.
That's the conclusion of a new piece of analysis titled Cyber Insurance and the Ransomware Challenge, conducted by the Royal United Services Institute (RUSI), the University of Kent, Oxford Brookes University and De Montfort University.
The report explores the extent to which cyber insurance might help to mitigate the threat of ransomware at a societal level.
Ransomware stands out as one of the most destructive cyberthreats that businesses encounter. This software has the potential to inflict irreparable harm to a company's systems, data, and reputation, leading to severe financial consequences. According to the Cyber security breaches survey 2023, 'just over half of businesses (57%) and four in ten charities (43%) have a rule or policy to not pay ransomware payments – this is in line with last year, when this question was introduced.'
The new report's findings include:
- No compelling evidence found that the cyber insurance market is fuelling the ransomware epidemic, but nor are insurers doing enough to ensure ransom payments are paid as a genuine last resort.
- The authors do not advocate for an outright ban of ransom payments or stopping insurers from providing coverage for them. Instead, they advocate for interventions that could result in fewer victims pay ransoms or pay lower demands but without punishing victims. Ultimately, this involves creating more pathways for victims that do not result in ransom payments.
- Insurers' role as convenors of ransomware response services (e.g. incident response, legal advice, crisis communications, ransomware negotiations etc.) gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort. But the lack of clearly defined negotiation protocols and the challenges around learning from incidents make it difficult to develop a sense of collective responsibility and best practices.
- Beyond ransom payments, the report finds that cyber insurance has a growing role in making organisations more resilient against ransomware and other cyber threats. The authors argue that cyber insurance is currently one of the few market-based levers for incentivising organisations to improve their cyber security and resilience.
- However, low market penetration of cyber insurance and ongoing challenges around the evidence base used for underwriting cyber risk means that it should not be treated as substitute for the kind of legislation and regulation required to improve minimum cyber security standards and resilience.
Kent's Dr Jason R.C. Nurse, Senior Lecturer (Associate Professor) in Cyber Security and a member of the University's Institute of Cyber Security for Society (iCSS), said: 'Cyber insurance has a significant role to play in organisational cyber resilience and particularly in the response to ransomware attacks. Our research has clarified this positioning and found that cyber insurance is not – as many believe – directly fuelling the ransomware epidemic. However, there is much more that needs to be done by insurers, organisations and governments if we are to truly address the threat of ransomware to society.'
The paper forms part of a 12-month research project conducted by RUSI, the University of Kent, De Montfort University and Oxford Brookes University entitled 'Ransomware and Cyber Insurance'. It is funded by the National Cyber Security Centre (NCSC) , in collaboration with the Research Institute in Sociotechnical Cyber Security. The project aims to explore the relationship between ransomware and cyber insurance.
The Kent team also included Dr Gareth Mott, Lecturer in Security and Intelligence at the School of Politics and International Relations, and School of Computing cyber security research student Sarah Turner.
The team also recently led on the paper Between a rock and a hard(ening) place: Cyber insurance in the ransomware era, a study of the extent to which cyber insurance can mitigate the ransomware threat.