Making ransomware payments illegal is often suggested as a solution to preventing ransomware attacks. In a newly released report, the Geneva Association warns that banning ransom payments could force companies and government agencies that are the victims of a ransomware attack to go underground.

Cyber insurance does more than just cover ransoms, according to the same report from an international insurance think tank. If a victim of a ransomware attack attempts to retrieve its data, an insurance is - or should be - part of the recovery process.

The think tank recently published a new report entitled "Ransomware: An Insurance Market Perspective". The frequency of ransomware attacks, as well as the size and nature of ransom demands, are on the rise, according to the authors. In recent years, cybercriminals have adopted more sophisticated approaches to target governments, businesses, and individuals, resulting in serious and costly consequences.

Due to the growth of the ransomware-as-a-service (RaaS) business model, threat actors with limited technical skills can also launch highly disruptive attacks. In the event of an attack, cyber insurance provides crucial financial protection and operational support, but ransomware has led to a decline in insurers' underwriting performance in recent years. According to the report, the costliest loss event category in 2021 was likely ransomware, which accounted for 75% of all cyber insurance claims in 2020.

Cyber insurance may also cover the losses incurred by victims of ransomware (for example, business interruption, data and system recovery, forensics and legal assistance), as well as arrange expert support in managing incidents. In a rapidly evolving landscape, insurance can also help organizations identify and address cybersecurity vulnerabilities.

A ban on ransom payments would be ineffective in such a complex environment, the report says. The outright prohibition of ransoms or their reimbursement by re/insurers could backfire by driving transactions underground and encouraging ransomware attackers to engage in new, more malicious forms of extortion.

A key message of the think tank is that governments and regulators must do more to combat ransomware attacks. Cybercriminals' business models and illicit use of cryptocurrencies should be disrupted by public policies, and organisations should be better prepared for intrusions.

The Geneva Association’s Director of Cyber and Evolving Liability and author of the report, Darren Pain, concludes: “The ransomware landscape is now highly evolved and sophisticated, especially with the development of ransomware-as-a-service (RaaS). Such ransomware attacks are driving significant increases in insurance claims and, as a consequence, premiums. Would banning ransom payments be a viable solution? According to our study, insurance companies do not think so. Prohibiting ransom payments or their reimbursement by insurers would likely drive transactions underground, forfeiting the ability of the authorities to record and analyse incidents and prosecute criminals. Furthermore, the last thing we should do is take steps that might discourage smaller firms from taking out cyber insurance, the benefits of which go well beyond reimbursing ransoms."

Photo credit: Scott Graham