Rising Ransomware Losses Are Not Inevitable, But Decisive Action Is Needed

Ransomware attacks are on the rise worldwide, as the recent attack on the Colonial Pipeline highlights. Insurers are raising premiums and limiting coverage in response to the growing number of ransomware-related claims. The rise in attacks has been so steep that the French government encouraged the insurer AXA to halt any ransomware-attack reimbursements in France for fear of stoking additional attacks. Will attacks subside if insurers are no longer willing or able (e.g., due to new regulations) to pay?

The idea that continued payouts encourage ransomware attacks by keeping them lucrative is intuitive, and it is supported by a substantial body of economic and psychological research on supply and demand and on positive reinforcement. We can look to other fields—international relations, security studies, criminology—for ways to deter ransomware attacks by changing our own behavior.

The word “deterrence” conjures images of ICBMs and other seeming relics of the Cold War. Still, deterrence thinking is present and relevant in any field that deals with defending against violent or criminal behavior, and insurance and the cyber realm are no exception.

Intelligence agencies in the US and elsewhere have for years talked about “active measures,” meaning retaliation in cyberspace or the “real world” for cyber-attacks. It is unclear how successful this approach, known as “deterrence by punishment,” will be. The more interesting concept for insurers and their clients is “deterrence by denial.”

To make ransomware attacks less attractive, victims must deny attackers success, above all by refusing to pay ransoms. Simply halting insurance payments will not accomplish this on its own: victims will still find ways to pay if that is the only route to restoring vital data. In that scenario, ransomware attacks would become even more harmful to economies while remaining just as lucrative for their perpetrators.

Insurers offering ransomware coverage should instead establish and enforce standards that make ransomware attacks harder to carry out, protecting both themselves and their clients. Moreover, these standards need to go beyond preventive security: clients will always pay up if they cannot otherwise get vital data back, so insurers have scope to assist with disaster and data recovery alongside other forms of cyber risk mitigation (e.g., liability). A client that can restore from tested, offline backups has no reason to pay.

It is not inevitable that sharply rising ransomware costs will continue on their current trajectory. The rise is driven by a lack of stringent security and disaster recovery/business continuity (DR/BC) standards. The panic surrounding these attacks is almost certain to catalyze action within businesses, the insurance industry, the legal and regulatory space, and even at the diplomatic and international security level. However, as the case of AXA in France shows, the outcome may not be optimal for insurers or for the economy as a whole. Insurers have the chance to be at the forefront of offering cyber insurance and risk mitigation services that protect clients and the wider economy at a reasonable cost.
