Cyber insurance policies that pay out on ransomware attacks are funding cyber criminals and creating a vicious cycle of further attacks, according to disaster recovery specialists at Databarracks.

The company is urging insurers to change their approach to “one of remediation rather than paying out ransoms”.

Managing director Peter Groucutt said paying a ransom may be a quick fix, but it is empowering hackers, and that discouraging organisations from paying is the only way to break the cycle.

“The ransomware situation won’t change if the status quo remains: the only winners are the criminals and the insurance companies. Criminals are confident their methods will succeed, and will continue to carry out attacks. Ultimately, businesses will be better off if they are discouraged from going down the payment route," he suggests.

“When an individual business suffers from a ransomware attack, its sole concern is to recover as quickly as possible to minimise its downtime and losses. When an insurance company looks at an individual claim, it has the same objective: to minimise downtime and its exposure to further business interruption claims. As a result, insurance companies will even recommend and facilitate paying the ransom as the lowest cost option. This is individual self-interest and it is harming the collective.

“Instead, insurance companies should shift to a policy where they don’t pay out for ransomware attacks as a matter of course. This can happen in two ways: one is through regulation to prevent these pay-outs, as has been suggested. Alternatively, the insurance industry makes a collective decision to make this change without external intervention.

“Cyber is a relatively immature insurance market without historical loss data to guide it. The rapid increase in the number and value of attacks may show insurers that continuing this cycle will make it unprofitable."

Groucutt has some additional pointers for insurers looking to tackle the ransomware issue.

“Firstly, as with other types of cover, insurance companies must carry out cyber hygiene checks on customers before entering an agreement. For smaller organisations that could mean having the Cyber Essentials Certification, or for larger organisations, a more thorough assessment of its cyber defences and backup and recovery provisions," he added.

“Secondly, insurers should rework their approach when an incident does happen. Rather than paying out to cover the cost of a ransom, they should emphasise remediation, so fixing the problem by helping the customer with cyber incident response, IT forensic services and assistance to restore data and get operations back up and running.”

Share Story: