Cyber insurance is not fuelling the ransomware epidemic. Contrary to perceived wisdom, there is no compelling evidence that victims of ransomware with cyber insurance are much more likely to pay ransoms than those without.
The report, authored by Jamie MacColl, Research Fellow in Cyber Threats and Cyber Security, explores the extent to which cyber insurance might help to mitigate the threat of ransomware at a societal level.
Ransomware stands out as one of the most destructive cyberthreats that businesses encounter. This software has the potential to inflict irreparable harm to a company’s systems, data, and reputation, leading to severe financial consequences. According to the Cyber security breaches survey 2023, “Just over half of businesses (57%) and four in ten charities (43%) have a rule or policy to not pay ransomware payments – this is in line with last year, when this question was introduced.”
Major findings include:
- No compelling evidence found that the cyber insurance market is fuelling the ransomware epidemic, but nor are insurers doing enough to ensure ransom payments are paid as a genuine last resort.
- The authors do not advocate for an outright ban of ransom payments or stopping insurers from providing coverage for them. Instead, they advocate for interventions that could result in fewer victims pay ransoms or pay lower demands but without punishing victims. Ultimately, this involves creating more pathways for victims that do not result in ransom payments.
- Insurers’ role as convenors of ransomware response services (e.g. incident response, legal advice, crisis communications, ransomware negotiations etc.) gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort. But the lack of clearly defined negotiation protocols and the challenges around learning from incidents make it difficult to develop a sense of collective responsibility and best practices.
- Beyond ransom payments, the report finds that cyber insurance has a growing role in making organisations more resilient against ransomware and other cyber threats. The authors argue that cyber insurance is currently one of the few market-based levers for incentivising organisations to improve their cyber security and resilience.
- However, low market penetration of cyber insurance and ongoing challenges around the evidence base used for underwriting cyber risk means that it should not be treated as substitute for the kind of legislation and regulation required to improve minimum cyber security standards and resilience.
In the report’s conclusion, Jamie MacColl states: “”We should not overemphasise the role of the cyber insurance industry in the fight against ransomware. Just as critics of the industry have overplayed and misunderstood the relationship between insurance and ransom payments, we must not lose sight of the fact that the primary purpose of insurance is to transfer residual risk and cover losses and costs, not to solve cybercrime.”
This paper forms part of a 12-month research project conducted by RUSI, the University of Kent, De Montfort University and Oxford Brookes University entitled ‘Ransomware and Cyber Insurance’. It is funded by the NCSC, in collaboration with the Research Institute in Sociotechnical Cyber Security. The project aims to explore the relationship between ransomware and cyber insurance.