Study Downplays Cyber Insurance as Incentive to Pay Ransom

RUSI Study Finds 'No Smoking Gun' Suggesting the Insured Pay Extortion More Readily
Fears that cyber insurance coverage drives companies into paying ransomware demands more easily than otherwise appear unfounded, concludes a British think tank study that suggests insurers should do more to enact corporate discipline.
The study, published Monday by the Royal United Services Institute, also concludes that the U.K. government's "black-and-white position on ransom payments" - it is against making them - has created a vacuum when it comes to best practices for ransom negotiations and payments.
Cyber insurance has been dogged by accusations of moral hazard, especially as insurers responded to increased demand during the last decade by often dropping requirements that customers maintain verifiable security minimums. The ransomware explosion of the past few years has exacerbated those concerns, not least because ransomware hackers search victim networks for cyber insurance policies in a bid to gain leverage.
"There is no smoking gun" showing that victims with insurance are more likely to pay than those without, concludes the study, funded by the U.K.'s National Cyber Security Center. Scholars interviewed 65 experts in the insurance and cybersecurity industries, as well as law firms and government officials.
"Most insurers do not advise victims to pay or not pay ransoms and do not authorize payments without at least some due diligence," the study states.
Insurers consistently told researchers that they authorize ransomware payments only as a "last resort." But what actually constitutes a "last resort" is unclear, said the authors. Some interview subjects suggested the decision really belongs to the insured and not the insurer.
If there's a lack of clear guidance on when to pay, or not to pay, that may be because of minimal advice from authorities about handling payments. Among the report's recommendations is that the U.K. government identify common best practices for specialist ransomware response firms.
Many of the report's recommendations are suggestions for the cyber insurance industry. By acting as "conveners of incident response," underwriters can stabilize the growth of ransom payments, assist the victims with ransom negotiation and dissuade the victims from paying outsized ransom demands, the study says. It recommends insurers include policy language requiring companies to document that they've exhausted all options before resorting to payment.
The study says approvingly that the market since 2021 has emphasized minimum security controls as a prerequisite for coverage and in some cases uses contractual obligations to prod companies into improving their security posture. Industry could go further by mandating that companies report ransomware incidents before making a payment, the study says.