Cyber insurance is not fueling the ransomware epidemic, says new analysis


Contrary to perceived wisdom, there is no compelling evidence that victims of ransomware with cyber insurance are much more likely to pay ransoms than those without.

That's the conclusion of a new piece of analysis titled "Cyber Insurance and the Ransomware Challenge," conducted by the Royal United Services Institute (RUSI), the University of Kent, Oxford Brookes University and De Montfort University.

The report explores the extent to which cyber insurance might help to mitigate the threat of ransomware at a societal level.

Ransomware stands out as one of the most destructive cyberthreats that businesses encounter. This software has the potential to inflict irreparable harm to a company's systems, data, and reputation, leading to severe financial consequences. According to the Cyber security breaches survey 2023, "just over half of businesses (57%) and four in ten charities (43%) have a rule or policy to not pay ransomware payments—this is in line with last year, when this question was introduced."

The new report's findings include:

  • No compelling evidence was found that the cyber insurance market is fueling the ransomware epidemic, but nor are insurers doing enough to ensure ransom payments are made as a genuine last resort.
  • The authors do not advocate for an outright ban on ransom payments or for stopping insurers from providing coverage for them. Instead, they advocate for interventions that could result in fewer victims paying ransoms, or paying lower demands, but without punishing victims. Ultimately, this involves creating more pathways for victims that do not result in ransom payments.
  • Insurers' role as convenors of ransomware response services (e.g., incident response, crisis communications, ransomware negotiations, etc.) gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort. But the lack of clearly defined negotiation protocols and the challenges around learning from incidents make it difficult to develop a sense of collective responsibility and best practices.
  • Beyond ransom payments, the report finds that cyber insurance has a growing role in making organizations more resilient against ransomware and other cyber threats. The authors argue that cyber insurance is currently one of the few market-based levers for incentivizing organizations to improve their cyber security and resilience.
  • However, low market penetration of cyber insurance and ongoing challenges around the used for underwriting cyber risk mean that it should not be treated as a substitute for the kind of legislation and regulation required to improve minimum standards and resilience.

Kent's Dr. Jason R.C. Nurse said, "Cyber insurance has a significant role to play in organizational cyber resilience and particularly in the response to ransomware attacks. Our research has clarified this positioning and found that cyber insurance is not—as many believe—directly fueling the ransomware epidemic. However, there is much more that needs to be done by insurers, organizations and governments if we are to truly address the threat of ransomware to society."

The paper forms part of a 12-month research project conducted by RUSI, the University of Kent, De Montfort University and Oxford Brookes University entitled "Ransomware and Cyber Insurance." The project aims to explore the relationship between ransomware and cyber insurance.

The team also recently published a paper, "Between a rock and a hard(ening) place: Cyber insurance in the ransomware era," in Computers & Security, which evaluated the extent to which cyber insurance can mitigate the threat.

More information: Cyber Insurance and the Ransomware Challenge: rusi.org/explore-our-research/ … ransomware-challenge

Gareth Mott et al, Between a rock and a hard(ening) place: Cyber insurance in the ransomware era, Computers & Security (2023). DOI: 10.1016/j.cose.2023.103162

Provided by University of Kent
Citation: Cyber insurance is not fueling the ransomware epidemic, says new analysis (2023, August 1) retrieved 27 April 2024 from https://techxplore.com/news/2023-08-cyber-fueling-ransomware-epidemic-analysis.html