{"id":31351,"date":"2021-08-10T12:55:24","date_gmt":"2021-08-10T18:55:24","guid":{"rendered":"https://www.webroot.com/blog/?p=31351"},"modified":"2021-09-23T10:57:59","modified_gmt":"2021-09-23T16:57:59","slug":"its-time-to-ask-is-ransomware-insurance-bad-for-cybersecurity","status":"publish","type":"post","link":"https://www.webroot.com/blog/2021\/08\/10\/its-time-to-ask-is-ransomware-insurance-bad-for-cybersecurity\/","title":{"rendered":"It\u2019s time to ask: Is ransomware insurance bad for cybersecurity?"},"content":{"rendered":"\n<p>The issue at the heart of ransomware insurance will be familiar to most parents of young children: rewarding bad behavior only invites more of the same, so it&#8217;s generally not a good idea. But critics of the ransomware insurance industry argue that&#8217;s exactly what the practice does.<\/p>\n\n\n\n<p>Ransomware insurance has long been suspected of excusing lax security practices and inspiring confidence among cybercriminals that they&#8217;ll receive a timely payment following a successful breach.<\/p>\n\n\n\n<p>Exactly how widespread ransomware claims by businesses are is difficult to determine since companies don\u2019t exactly jump at the chance to discuss their run-ins with ransomware publicly. But it\u2019s safe to assume that claims have risen alongside an <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ransomware-attacks-soared-150-in\/\">undeniable surge<\/a> in ransomware attacks.<\/p>\n\n\n\n<p>Another issue with the cyber insurance industry stems from the fact that paying a ransom is no guarantee that data will be returned. 
In our recent report on <a href=\"https:\/\/www.webroot.com\/blog\/2021\/04\/13\/we-finally-got-businesses-to-talk-about-their-run-ins-with-ransomware-heres-what-they-said\/\">the hidden costs of ransomware<\/a>, nearly 20 percent of respondents were not able to recover their data even after making an extortion payment.<\/p>\n\n\n\n<p>The Paris-based insurance giant AXA broke new ground this year by <a href=\"https:\/\/apnews.com\/article\/europe-france-technology-business-caabb132033ef2aaee9f58902f3e8fba\">announcing<\/a> it would stop insuring against cyberattacks, citing a lack of guidance from French regulators about the practice. It\u2019s worth remembering that <a href=\"https:\/\/www.fbi.gov\/scams-and-safety\/common-scams-and-crimes\/ransomware\">the FBI<\/a> \u201cdoes not support paying a ransom in response to a ransomware attack.\u201d<\/p>\n\n\n\n<p>So, if U.S.-based insurers were to follow AXA\u2019s logic, they too would stop covering ransomware payments. So far, few have. For now.<\/p>\n\n\n\n<p><strong>Doomed to be a short-lived sector?<\/strong><\/p>\n\n\n\n<p>The industry publication <a href=\"https:\/\/www.insurancejournal.com\/news\/national\/2021\/07\/07\/621416.htm\">InsuranceJournal.com<\/a> recently wrote in a post on its site that &#8220;pressure is building on the industry to stop reimbursing for ransoms.\u201d Before ransomware went rampant, the article notes, cybersecurity insurance was a profitable sub-category of the insurance business as a whole. But those days may be numbered. The sector is now \u201cteetering on the edge of profitability\u201d according to the post\u2019s author.<\/p>\n\n\n\n<p>It\u2019s well-known within cybersecurity circles that ransomware actors will conduct advanced research to determine if a potential target is insured. If so, it\u2019s hardly a deterrent since it increases the likelihood a payment will be made.<\/p>\n\n\n\n<p>It winds up being a self-reinforcing cycle. 
As <a href=\"https:\/\/www.propublica.org\/article\/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks\">ProPublica wrote<\/a> in its study of the industry, \u201cby rewarding hackers, it encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.\u201d<\/p>\n\n\n\n<p>A commonly cited defense of ransomware insurance is that it not only protects against the cost of the ransom but also against knock-on expenses from ransomware like downtime, reallocation of tech resources and reputational damage. <a href=\"https:\/\/www.webroot.com\/blog\/2021\/07\/08\/4-ways-ransomware-can-cost-your-business-in-addition-to-extortion\/\">We know from our own research<\/a> that these costs can be significant, so there\u2019s some validity to this argument.<\/p>\n\n\n\n<p>But the real question the cyber insurance industry needs to answer is whether it can ever again be profitable. 
A recently released paper from the British defense think tank Royal United Services Institute (RUSI), titled <a href=\"https:\/\/rusi.org\/explore-our-research\/publications\/occasional-papers\/cyber-insurance-and-cyber-security-challenge\">Cyber Insurance and the Cyber Security Challenge<\/a>, identified this as one of the key challenges to the industry\u2019s viability.<\/p>\n\n\n\n<p>That paper found that \u201cthere is arguably too little global premium to absorb losses from a systemic event.\u201d In other words, the next NotPetya could sink the industry.<\/p>\n\n\n\n<p>Ransomware on the whole has caused losses in the cyber insurance industry, not least because, \u201cunlike the majority of risks insurers cover, ransomware attacks are both a high-impact and a high-probability risk.\u201d<\/p>\n\n\n\n<p><strong>Addressing cybersecurity insurance shortfalls<\/strong><\/p>\n\n\n\n<p>Importantly, the RUSI paper in the end reported that it was unable to find empirical evidence that \u201ccyber insurers may be unintentionally facilitating the behavior of cybercriminals by contributing to the growth of targeted ransomware operations.\u201d While that fact undermines arguments that cyber insurers are a boon for ransomware actors, it doesn\u2019t speak to the question of viability.<\/p>\n\n\n\n<p>As with any nascent industry, ransomware insurance vendors have some tough issues to grapple with concerning how they do business. The \u201crace to the bottom,\u201d which RUSI describes as a combination of cheap premiums and loose restrictions on underwriting (not requiring basic cybersecurity measures as part of the deal, for example), represents the real risk to the industry.<\/p>\n\n\n\n<p>It\u2019s possible cyber insurance companies could drastically reduce claims by mandating a cyber resilience posture as a condition of being insured. 
Like a higher life insurance premium for a career stunt man, organizations without robust cybersecurity in place (including defense plus backup and restoration capabilities) could be forced to foot a higher bill. While this is already standard practice among many insurers, industry regulation may be required to prevent the opening of a market for insurers with more lax baseline cybersecurity requirements.<\/p>\n\n\n\n<p>At the very least, insurers should insist on three core elements of cybersecurity strategy before underwriting:<\/p>\n\n\n\n<ul><li><strong>Endpoint and network level security to guard against attacks<\/strong>. Devices secured with antiviruses and networks secured by DNS filters or firewalls should be the bare minimum requirement for protecting against ransomware attacks. Without them, ransomware actors are being invited in the front door.<\/li><li><strong>Mandated ongoing security awareness training for employees<\/strong>. User-enabled breaches remain one of the most common causes of a successful ransomware attack. Without addressing end users\u2019 tendency to fall for phishing and other social engineering attacks, while ransomware actors may find the front door locked, they know there\u2019s a good chance it will be opened for them by someone on the inside.<\/li><li><strong>Proven data backup and security protocols. <\/strong>Maintaining complete copies of mission-critical data is one of the simplest ways to undermine ransomware actors. By collectively removing this key piece of leverage, organizations can go a long way toward normalizing the non-payment of ransomware demands, easing the burden on cyber insurers.<\/li><\/ul>\n\n\n\n<p>Making the above the minimum standard for organizations would both minimize the damage caused by ransomware actors and increase the viability of ransomware insurance as an industry. 
By prioritizing cyber resilience over any one category of security, businesses can prevent breaches <em>and<\/em> get back to work more easily when they do occur.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The issue at the heart of ransomware insurance will be familiar to most parents of young children: rewarding bad behavior only invites more of the same, so it&#8217;s generally not a good idea. But critics of the ransomware insurance industry argue that&#8217;s exactly what the practice does. Ransomware insurance has by now long been suspected [&hellip;]<\/p>\n","protected":false},"author":149,"featured_media":31353,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[25809,25813,21944],"yst_prominent_words":[20003,3565,4971,6355,25287,3631,8723,6813,3937,5103,5015,3479],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/31351"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/149"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=31351"}],"version-history":[{"count":3,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/31351\/revisions"}],"predecessor-version":[{"id":31391,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/31351\/revisions\/31391"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/31353"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=31351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=31351"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post
=31351"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=31351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}