RUSI Study Finds ‘No Smoking Gun’ Suggesting Insureds Pay Extortion More Readily
Fears that cyber insurance coverage drives companies into paying ransomware demands more readily than they otherwise would appear unfounded, concludes a British think tank study that suggests insurers should do more to enforce corporate security discipline.
The study, published Monday by the Royal United Services Institute, also concludes that the U.K. government’s “black-and-white position on ransom payments” – it is against making payment – has created a vacuum when it comes to best practices for ransom negotiations and payments.
Cyber insurance has been dogged by accusations of moral hazard, especially as insurers responded to increased demand during the last decade by often dropping requirements that customers maintain verifiable security minimums. The ransomware explosion of the past few years has exacerbated those concerns, not least because ransomware hackers themselves search victim networks for cyber insurance policies in a bid to gain leverage.
“There is no smoking gun” showing that victims with insurance are more likely to pay than those without, concludes the study, funded by the U.K.’s National Cyber Security Centre. Scholars interviewed 65 experts from the insurance and cybersecurity industries, as well as law firms and government officials.
“Most insurers do not advise victims to pay or not pay ransoms and do not authorize payments without at least some due diligence,” the study states.
Insurers consistently told researchers that they authorize ransomware payments only as a “last resort.” But what actually constitutes a “last resort” is unclear, say the authors. Some interview subjects suggested the decision is really the insured’s and not the insurer’s.
If there’s a lack of clear guidance on when to pay, or not to pay, that may be because of the minimal advice from authorities about handling payments. Among the report’s recommendations is that the U.K. government identify common best practices for specialist ransomware response firms.
Many of the report’s recommendations are directed at the cyber insurance industry. Underwriters’ role as “conveners of incident response” can help stabilize the growth of ransom payments, assist victims with ransom negotiation, and dissuade victims from paying outsized ransom demands, the study says. It recommends insurers include policy language requiring companies to document that they’ve exhausted all options before resorting to payment.
It notes with approval that since 2021 the market has again emphasized minimum security controls as a prerequisite for coverage and in some cases uses contractual obligations to prod companies into improving their security posture. Industry could go further by also mandating that companies report ransomware incidents before making a payment, the authors suggest.