Governments and regulators have to do more to counter groups and individuals behind ransomware attacks, says a group representing global insurance companies.
The recommendation is one of several made in a report on ransomware and cyber insurance issued Tuesday by the Geneva Association. It also says forbidding organizations from paying ransoms for the return of access to stolen data “is a blunt, potentially ineffective instrument.”
And in a message to organizations, the report says cyber insurance does more than cover ransom payments. It also improves a firm’s overall cyber hygiene.
In calling for more government action, the report argues that policies aimed at deterring ransomware attacks, disrupting cybercriminals’ business models (including their use of cryptocurrencies to launder funds), better preparing organizations for intrusions, and more effectively responding to attacks “will improve the security of cyberspace and help legitimate businesses gain the upper hand against cyber adversaries.”
Actions could include:
- tougher penalties against cybercriminals who carry out ransomware attacks;
- international co-ordination of sanction regimes that prohibit transactions with banned entities, including sharing intelligence on re-branded ransomware strains;
- holding cryptocurrency exchanges and peer-to-peer (P2P) platforms to standards for due diligence in creating accounts and monitoring transactions, including additional know-your-customer (KYC) and traceability requirements;
- pursuing, prosecuting, and publicizing the illicit activities of unlicensed exchanges and crypto-swapping services;
- promoting minimum cybersecurity standards and fostering mechanisms to encourage best practice; and
- strengthening disclosure regimes for ransomware incidents.
Banning ransom payments by companies or prohibiting reimbursement by insurers would probably discourage some attacks, the report acknowledges. But, it adds, “such a blunt policy response may not always have the desired effect, especially if bans are not consistently applied on an international level.”
An outright ban on ransom payments could drive the transactions underground and/or encourage ransomware attackers to engage in new forms of extortion, the report argues, including threats to destroy property or cause bodily injury if their demands are not met.
In the U.S., North Carolina, Pennsylvania, and New York have passed or are advancing legislation that would outlaw ransomware payments by state and local governments.
As for the benefits of cyber insurance, the report notes insurance plays an important role in encouraging good cyber hygiene and risk prevention. For example, through premium discounts, co-insurance and retention arrangements, and coverage limits, organizations are pushed to adopt essential cybersecurity best practices. These include investing in state-of-the-art backup systems, endpoint and anti-virus protection, implementing the latest software patches, enforcing the use of multifactor authentication and training all employees to be aware of security risks.
The report says by one calculation, ransomware accounted for 75 per cent of all cyber insurance claims in 2020. According to another report, ransomware was likely to have been the costliest loss event category for insurers in 2021.
Globally, few organizations sign up for cyber insurance. The report notes that cyber premiums — the fees firms pay for coverage — represent less than one per cent of the global property and casualty market. The numbers would be higher in Canada, the U.S. and Europe.
The association wants to encourage more firms to buy coverage, urging governments to “avoid measures that could inadvertently discourage households and firms from buying cyber insurance. Instead, policies that aim to safeguard cyberspace, promote cybersecurity, and undermine cybercriminals’ business models will help to counter malware attacks and increase re/insurers’ appetite to absorb cyber risks from those less able to deal with them.”
However, as the report points out, increased cyber insurance-related claims have caused some insurers and re-insurers to reduce the amount of damages they will cover, limit what they will cover, hike premiums or even get out of cyber insurance. The report quotes one international broker saying the cost of cyber protection rose by more than 100 per cent in the U.S. and the U.K., and by 80 per cent in Continental Europe for the year ending in Q1 2022.
What the industry calls affirmative cyber insurance policies typically cover the external expenses associated with a breach (for example, the costs of forensic investigations, data/system restoration, and crisis management fees), business interruption costs, and liabilities to third parties affected by the attack as well as any ransom paid.
“With ransomware we see an example of the important ‘prevention and mitigation’ role insurers play as risk managers,” said Jad Ariss, the Geneva Association’s managing director.
“They control a critical lever with their ability to incentivize customers to maintain strong cybersecurity controls and standards, helping to reduce firms’ vulnerability to attack and boost their cyber resilience. Governments and regulators have their levers, too, and as our report highlights, they need to rein in the illegal use of cryptocurrencies and do more to ensure information exchange about incidents as well as improve international cooperation among law enforcement.”