Insurers urged to alter ransomware approach

The debate over payments for ransomware attacks has continued this week as insurers were told that remediation would better serve the client while deterring the criminals.

The MD of disaster recovery and business continuity firm Databarracks has accused insurers of taking the easier and often cheaper option of paying a ransom rather than working with the clients to prevent the attack and look to remediation if the policyholder falls victim.

The firm said the strategy of invoking cyber insurance policies to pay out on ransomware attacks was “funding cyber criminals and creating a vicious circle of further attacks”.

It added when hit by a ransomware attack, many organisations will choose to pay the ransom to quickly get their data back, knowing their insurance provider will cover the cost. This leads to increased attacks, which triggers greater awareness within the media, resulting in more companies taking out cyber policies more money being paid out for attacks.

Databarracks MD Peter Groucutt said things needs to change.

“The ransomware situation won’t change if the status quo remains, the only winners are the criminals and the insurance companies,” he added. “Criminals are confident their methods will succeed and will continue to carry out attacks. Ultimately, businesses will be better off if they are discouraged from going down the payment route.

“When an individual business suffers from a ransomware attack, its sole concern is to recover as quickly as possible to minimise its downtime and losses. When an insurance company looks at an individual claim, it has the same objective: to minimise downtime and its exposure to further Business Interruption claims. As a result, insurance companies will even recommend and facilitate paying the ransom as the lowest cost option. This is individual self-interest and it is harming the collective.”

Mr Groucutt said insurers needed to shift their approach to ransomware attacks.

“Instead, insurance companies should shift to a policy where they don’t pay out for ransomware attacks as a matter of course. This can happen in two ways: one is through regulation to prevent these pay-outs, as has been suggested. Alternatively, the insurance industry makes a collective decision to make this change without external intervention.

“Cyber is a relatively immature insurance market without historical loss data to guide it. The rapid increase in the number and value of attacks may show insurers that continuing this cycle will make it unprofitable. “

Groucutt said in his view insurers should focus on two areas in a different approach to the ransomware issue.

“Firstly, as with other types of cover, insurance companies must carry out cyber hygiene checks on customers before entering an agreement. For smaller organisations that could mean having the Cyber Essentials Certification, or for larger organisations, a more thorough assessment of its cyber defences and backup and recovery provisions,” he explained. “Secondly, insurers should rework their approach when an incident does happen. Rather than paying out to cover the cost of a ransom, they should emphasise remediation, so fixing the problem by helping the customer with Cyber Incident Response, IT Forensic Services and assistance to restore data and get operations back up and running.”

Mr Groucutt concluded: “This change won’t happen overnight: it will be a case of short-term pain but long-term gain. Whether done proactively or through regulation it will take time and effort, but this zero-tolerance approach is our best chance at breaking the cycle. This is in insurers’ and their customers’ best interests in the long run.”