Outlawing ransomware payments will hurt small companies, say experts
Cyber experts have criticised the calls to make ransomware payments illegal, stating that such a move could leave small companies “dead in the water” if they are subject to an attack.
Earlier this month, French insurer AXA announced that it would no longer reimburse ransomware payments made by French companies.
The decision was prompted by concerns aired by French cyber officials who had spoken out about a ‘global epidemic’ of ransomware attacks. Cybercrime prosecutor Johanna Brousse said during a Senate roundtable in April: “The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay.”
Cybersecurity professionals have criticised the move to outlaw ransomware payments, while warning that companies should expect more insurers to follow AXA’s actions, creating further complexity in what is already a growing problem for risk managers.
“There is a lot of sabre rattling at the moment in political circles and talk of making ransomware payments illegal,” said Ben Hobby, a partner at accountancy firm Baker Tilly and member of the cyber claims committee at the International Underwriting Association.
“I think that’s the wrong move. If a company hasn’t got backup systems and they are not allowed to pay the ransom, it leaves them nowhere to go. They are dead in the water,” he added.
Mr Hobby was speaking at a technology forum held by UK risk and insurance management association Airmic. Also present at the event was Jayan Perera, head of cyber response at Control Risks, who stressed how ransomware has developed into a more effective tactic for cybercriminals. “Ransomware was originally designed to attack systems availability. Now we have a double extortion threat – not just data encryption but also data theft.”
Even in an environment where ransomware payments are not illegal, there are still several restrictions, said Greig Anderson, partner at law firm Herbert Smith Freehills. For example, if the party demanding the ransom is on a sanctions list or is a suspected terrorist, a payment would be illegal.
Companies also have to consider if the hackers can be trusted and whether they will give the data back once the payment is made.
The ransomware market has become increasingly sophisticated and organised. Hacking groups often work in partnership with groups that specialise in ransom demands. They are also entrepreneurial and looking to make money.
This raises the prospect of companies entering into negotiations with cybercriminals, said Mr Perera. For example, companies could ask for proof that the hackers actually have their data and that it is intact, akin to a proof-of-life demand in a kidnapping scenario.
Ransomware hackers’ success in shutting down the Colonial Pipeline in the US has led the White House to open a debate on the merits of ransomware payments. “We recognise that victims of cyberattacks often face a very difficult situation,” said Liz Neuberger, US deputy national security adviser for cyber and emerging technologies.
“Given the rise in ransomware, [ransom payments] is one area we’re definitely looking at now to say: ‘What should be the government’s approach to ransomware actors and to ransoms overall?’” added Ms Neuberger.
In the UK, the Association of British Insurers defended the inclusion of ransomware payments in cyber policies, stating that companies could face financial ruin without this provision. But some cyber experts have made contrary statements. Former head of the National Cyber Security Centre, professor Ciaran Martin, told The Guardian newspaper that insurers were “funding organised crime” by accepting ransomware claims.
However, it is unclear how much public support there is for making ransomware payments illegal. A petition started on the UK government and parliament website in July calling for ransomware payments to be made illegal was closed in January, after attracting just 154 signatures.