The Association of British Insurers (ABI) defended cyber insurance policies that include paying ransomware demands.
Cyber insurance covers damage and loss to an organisation in the event of damage to its computer or computer networks. This includes payments to cover the cost of a ransom in the event of a ransomware attack.
Payments to cybercriminals have been a contentious issue, with cybersecurity experts warning that paying the ransom simply encourages attackers. It also comes with the risk that the criminals will simply not provide access to stolen data.
Cyber insurance pay-outs in the event of a ransomware attack have led former National Cyber Security Centre head Ciaran Martin to accuse insurers of inadvertently funding organised crime.
In comments to the Guardian, he warned that companies are currently incentivised to pay ransoms.
“You have to look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry,” he said.
However, in response to Martin’s remarks, the ABI warned that while having insurance was not an alternative to robust security, a lack of insurance could be a financial disaster for victims.
An ABI spokesperson told the BBC that insurers require ‘reasonable precautions’ be put in place to prevent cyberattacks.
“Some might argue that any insurance that covers against a criminal act could lull the policyholder into a false sense of security,” they added.
Modern ransomware attacks frequently use a double extortion model, in which attackers both encrypt data and steal it. Older attacks would simply encrypt data and demand payment for the decryption key; if the victim kept regular, well-protected backups, the attack could be dealt with easily.
However, recent attacks not only steal data, but also threaten the victim with a data leak. This brings a major reputational hit to the company as well as potentially landing it with a data protection fine. Depending on the data stolen, it can also seriously harm the victim’s customers and staff, especially if financial details were stolen.
Yet for organisations that lack backups or the funds to rebuild their systems, paying a ransom is often one of the few options available. For organisations such as hospitals, having systems shut down can potentially put lives in jeopardy, and paying a ransom is often the fastest way to restore locked systems.
The threat posed by cyberattacks has grown over 2020 as threat actors have leveraged uncertainties about the coronavirus and remote working to launch attacks. Using emails claiming to be about PPE supplies, vaccine appointments or from colleagues’ home numbers, cybercriminals have ample opportunities to infect computers with malware.
Ransomware is one of the major growth areas for cybercriminals. Last year brought a range of high-profile ransomware attacks. German software giant Software AG, cruise operator Carnival Corporation, Garmin, and cloud computing provider Blackbaud were all hit with ransomware attacks.
And a Christmas Eve ransomware attack saw the Scottish Environmental Protection Agency’s (SEPA’s) systems knocked offline.
Of these attacks, Blackbaud confirmed that it paid the ransom demand; Garmin has not confirmed that it paid the ransom, but it is believed to have paid out around $10 million; Software AG is believed to have refused to pay the $20 million ransom, which saw the criminals leak the stolen data.