Ransomware is once again front and center in the news with reports of a rash of attacks on public and private entities throughout the United States. Some suggest that the proliferation of cyber insurance is fanning the flames of cyberattacks, but there is scant evidence to support that conclusion. In fact, cyber insurance merely offers insureds options in how to respond to a ransomware event.
A recent ProPublica article speculates that cyber insurance’s ability to help insureds’ operations recover quickly from a ransomware event by funding ransom payments may be to blame for the uptick in ransomware events. The article relies on the opinions of the FBI and security researchers who take the position that “paying ransoms contributes to the profitability and spread of cybercrime and in some cases may ultimately be funding terrorist regimes.” The article suggests that, “by rewarding hackers, [paying ransoms] encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.” In support of its conclusions, the article cites a chief technology officer for an anti-virus provider who postulates that cyber insurers pressure their insureds to allow the payment of ransoms so the insurers will avoid reimbursing additional business income loss. According to the CTO, “Cyber insurance is what’s keeping ransomware alive today. It’s a perverted relationship. [Insurers] will pay anything, as long as it is cheaper than the loss of revenue they have to cover otherwise.”
This rhetoric, however, is unwarranted and misinformed. The article’s claims fail to explain how insurers could possibly exert leverage over insureds in this scenario or cite to any empirical evidence that insurers are putting their interests above those of their insureds.
It is not until the end of the article that the author quotes the chief information officer at a London market insurer who refutes the notion that insurers pressure insureds into paying ransoms, which he characterizes as a “very final course of action.”
The article does, however, provide some examples that demonstrate the pragmatism of paying ransoms. The article mentions two cities that were the victims of ransomware attacks. Each chose not to pay a five-figure ransom. Ultimately, these cities paid millions of dollars to recover their data and otherwise respond to the event instead of paying ransoms that would have cost far less. While principle-based decision-making has its place, unnecessarily costing taxpayers millions may prove to be a decision that is difficult to defend.
Another recently published article in Insurance Journal does not specifically refute or discuss the ProPublica article, but it highlights insurers’ decision making and offers context for why making ransom payments is justified. The author aptly identifies the true “aim of cyber insurance” as “get[ting] the organization up-and-running with its data.” Quoting Travelers’ enterprise cyber lead, Tim Francis, the article describes a collaborative process between the insurer and insured in deciding whether to make a ransom payment. Francis stresses that before making any payment, the insurer, the insured, and a team of incident response vendors try to find ways to remediate the cyberattack without having to pay the ransom. At the end of the day, “the insured is the one ultimately making the decision.”
While the ProPublica article suggests the cyber insurance industry may bear responsibility for the increasing frequency and severity of ransomware attacks, that hypothesis cannot survive scrutiny, especially when viewed against the backdrop and in the context of the role of insurance in ransomware negotiations.