Insurers paying ransomware demands

The BBC reported this week on the ABI’s defence of the practice of insurers paying ransomware payments under cyber policies (https://www.bbc.co.uk/news/technology-55811165). This followed comments by the former head of the National Cyber Security Centre that insurers were ‘funding organised crime” by paying ransomware demands and his call for a change in the law to ban such payments. Subject certain checks, paying ransomware payments in the UK is generally legal, albeit the official position of the Government and law enforcement authorities remains that the practice is a bad idea and ransomware payments should not be made as it simply encourages more future attacks.

Andrew Jones, Senior Associate in the Cyber Risks team at Beale & Co, commented:

“The potential financial cost to companies and their insurers of being unable to access IT systems for a prolonged period of time can be much larger than the ransom payment demanded and potentially put companies out of business. Insurers’ willingness to cover ransom payments can therefore be a life-saver for the insured companies involved.

As the ABI pointed out, however, insurance for ransom payments is not an alternative to good risk management and taking the steps to minimise the risks of a ransomware attack in the first place. In particular, companies should put in place effective cybersecurity and keep regular system back-ups in multiple locations, including off-site “cold” locations which cannot be accessed by hackers. The insurance market’s exposure to ransomware attacks has increased significantly in the last 18 months, tied in with an increase in the amounts being demanded by the cybercriminals involved. Such ever-increasing insurance losses cannot continue to be paid by the insurance market and insurers may soon well need to introduce stricter policy conditions requiring minimum compliance by policyholders as to risk management, in particular off-site secure system backups. With such backups in place, the efficacy of ransomware attacks drops significantly and an affected company can (usually) relatively quickly and cheaply, compared to the ransoms demanded, get its IT system back up and running.

It is also worth remembering that ransom payments do not legally become the criminal’s ‘property’ following payment, and can be potentially traced and recovered, including payments made in Bitcoin and other cryptocurrency. Insurers should always consider the possibility of “tagging” and subsequently seeking to trace and recover such ransomware payments – expert cryptocurrency forensic firms are becoming increasingly adept on such issues and the English Courts are also assisting in the tracing efforts through their willingness to grant various types of injunctions to track down and freeze these criminally obtained ransom payments.”