Cyber insurance isn’t perpetuating the ongoing growth of ransomware, but there is plenty that providers and the government could do to reduce the likelihood of policyholders paying, according to a leading think tank.
The Royal United Services Institute (RUSI) report, Cyber Insurance and the Ransomware Challenge, claimed that victims with insurance are not much more likely to pay their extortionists than those without.
The report authors therefore don’t want an outright ban on ransom payments or coverage, as some have mooted, but instead suggest that insurers could use their market power to offer more “pathways” for victims that don’t involve paying a ransom.
Because insurers convene the ransomware response services a victim relies on, such as incident response, legal advice, negotiation and crisis communications, they are well placed to reward response firms that promote best practice over simply enabling their clients to pay a ransom.
However, a lack of defined protocols and insight into incident learnings has made it difficult to create industry best practices and a sense of shared responsibility in this area, RUSI argued.
Insurance offers “one of the few market-based levers for incentivizing organizations to implement security controls and resilience measures,” the report added.
However, challenges around collecting accurate risk and claims data and low penetration rates mean cyber insurance can’t be viewed as a substitute for legislation and regulation designed to drive improvements in baseline security, it continued.
RUSI made several recommendations for insurers and the government:
- Improved oversight of ransomware response firms, with insurers obtaining written evidence from policyholders and response firms of negotiation strategies and outcomes
- Enhanced ransomware response best practice, by demanding a minimum set of requirements from any response firms wanting to work with insurers
- Improved government understanding of ransomware response, through a newly commissioned study of the industry, which could be shared
- A dedicated licensing regime to increase reporting of ransom payments
- Insurers to agree a set of minimum conditions and obligations in ransomware coverage to ensure alternatives to paying a ransom are explored first. These could include sanctions due diligence and notification to law enforcement
- Insurers to specify in coverage that policyholders must notify Action Fraud and the NCSC before paying, in order to improve reporting of incidents
- Insurers to integrate NCSC’s Early Warning system in policyholder assessments
- Government to ensure current financial crime reporting mechanisms like suspicious activity reports (SARs) can be used to report ransomware and related money laundering