The U.K.'s former top cybersecurity official has warned companies not to meet the ransom demands of hijackers who hold their data and systems hostage, a new report said.
But the reason isn’t the oft-repeated one that giving in to cyber kidnappers’ demands only emboldens them. While that’s true, said Ciaran Martin, who headed the National Cyber Security Centre until last August, insurers who pay out claims from companies are inadvertently funding the organized cyber gangs that execute the majority of ransomware attacks, The Guardian, a U.K. news outlet, reported.
It’s a triangular process, Martin said. Because nothing in U.K. law stops companies from paying ransoms to cyber gangs and then turning to cyber insurers to make them whole, adversarial hacking gangs, typically from Russia, can essentially roam free, he said.
“People are paying bitcoin to criminals and claiming back cash,” Martin reportedly said. “I see this as so avoidable. At the moment, companies have incentives to pay ransoms to make sure this all goes away. You have to look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry.”
The relationship between ransomware payouts and cyber insurance policies is backed by an earlier ESG research study that found some insurers are urging victims to pay ransoms, which, by a circuitous route, boosts the economy around ransomware. The net effect is that ransomware hackers end up exploiting the very organizations that have bought cybersecurity insurance.
According to ESG’s data, in 2019 half of organizations invested in cybersecurity insurance policies and some two-thirds experienced a ransomware attack. Given the dramatic spikes in ransomware, those figures can only head skyward.
“Attackers often set great store in being reliable once you have paid them, providing testimony from involuntary customers,” Martin said. “The law is nobody’s fault, it was written for another purpose, but it has become OK to pay out to criminals,” he said.
With the number of companies in the cyber insurance market growing and coverage expanding, the conundrum is likely to gain further momentum. For example, in mid-January, new partnerships, coverages and services emerged, including:
- Data privacy specialist BlackFog’s partnership with cyber insurance specialist Evolve to help policyholders assess their current exposure and mitigate the risks of ransomware.
- Cowbell Cyber’s excess cyber coverage line called Prime Plus, enabling businesses with $1 billion in revenue to get an additional $10 million in excess limits.
- Pathpoint’s vehicle for access to multiple cyber quotes from multiple carriers through a single online application.
- Cybersecurity & risk management startup Zeguro’s expanded cyber insurance coverage beyond ransomware attacks to include computer fraud and more.