Study downplays link between cyber insurance and ransomware demands
The idea that cyber insurance increases the likelihood of ransomware demands has been dismissed by a study from a British thinktank.
The research from the Royal United Services Institute (RUSI) states that there is no ‘smoking gun’ showing that victims of ransomware with insurance are more likely to pay than those without.
Consequently, the study concludes that insurers should do more to enforce corporate discipline when it comes to cyber security.
The research, which was funded by the UK’s National Cyber Security Centre, pushes back against the accusation that cyber insurance has incentivised victims to pay ransom demands rather than seeking alternative remedies.
Instead, it cites other factors that have driven the continued success of ransomware exponents, including the low costs and risks for cybercriminals.
However, the report also criticises the idea that insurers have reacted to increasing demand for cyber coverage by sometimes dropping the requirement that firms maintain a verifiable minimum level of security.
“Insurers’ role as convenors of incident response services gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort,” it states.
“But the lack of clearly defined negotiation protocols and the challenges around learning from incidents make it difficult to develop a sense of collective responsibility and shared best practices around ransomware response.”
The Institute also criticises the UK government’s “black-and-white” stance on ransom payments, which it states has “created a vacuum of assurance on best practices for ransom negotiations and payments”.
The report calls on the cyber insurance industry to do more to set cyber security standards while also noting the challenges around data collection.
It states that the cyber insurance industry could be a “valuable partner” for the UK government in reporting ransomware attacks and payments and in sharing aggregated claims data.
However, RUSI also adds that the government has not yet made a compelling enough case to insurers and insureds about the benefits of doing so.