Should ransomware payments be insurable? Experts weigh in

Should ransomware payments be insurable?

That question was asked by an audience member during a session at RSA Conference last week that focused on ransomware. In the session, titled "Feds Fighting Ransomware: How the FBI Investigates and How You Can Help," FBI supervisory special agent Joel DeCapua discussed how federal law enforcement investigates and prosecutes ransomware threat actors.

The relationship between cyberinsurance and ransomware, which has become a hot-button topic recently, was raised during the Q&A portion of DeCapua's talk. Ransomware payments are insurable, but should they be?

With some hesitation, DeCapua said that because many companies have cyberinsurance now and payments to threat actors are often covered by such policies, he thinks it's led to more ransoms being paid.

Celeste Fralick, McAfee senior principal engineer and chief data scientist, said she saw DeCapua's session and agreed with his point about cyberinsurance.

SearchSecurity asked a number of individuals at RSAC 2020 the same question: should ransomware payments be insurable? Here's what those interviewed had to say.

Malwarebytes Labs director Adam Kujawa: "Having cyberinsurance companies, or ransom payment companies, basically, definitely does seem to kind of take the onus off of the victims and so they don't really have to make that determination anymore," he said. "And that could definitely encourage cybercriminals to utilize ransomware in that way because it almost becomes a guaranteed paycheck if it becomes the norm."

BitSight vice president Jake Olcott: "The question is, are more people becoming victims of ransomware because more people are paying for it? And I don't know the answer to that. And I don't think the FBI knows the answer to that either. I don't think the insurance companies really know the answer to that either. We really need to start measuring that. After we start to measure and evaluate that, then we as a society can decide it's not appropriate for insurance companies to pay out ransoms anymore because we think that there's some sort of societal good that comes from companies being on the hook… there's a lot that we don't know."

Akamai CTO Patrick Sullivan: "Obviously it's feeding the economics of the attack when other people pay that. But I think insurance is a mature market, so I think as these insurers start paying out, the next thing that's going to happen is they're going to go build actuarial tables and figure which characteristics of organizations lead to a higher proclivity for a payout and they're going to feed that back into premiums. So, if you're doing the right things, you're covered and your premiums are lower. If you're not doing the right things, maybe you can't get covered or maybe you need the equivalent of a Lloyd's of London policy. Maybe they're going to be the lever that applies an economic influence to force better behavior."

Trend Micro vice president Greg Young: "Should any attack be insured? So if you say yes, you have to put ransomware as part of that," he said. "So I think if you're going to insure a successful virus attack, why not a ransomware attack? You're hurt; you have to be repaired."

CrowdStrike CTO Mike Sentonas: "It would be easy for me to say to you that [insuring ransoms] does fuel the growth of ransomware, but I don't want to say that. What I want to say is that that needs to be carefully investigated," he said. "I think the problem, if we take a step back though, is that there are too many organizations, local governments, that are paying the ransoms. It's irrelevant to me if they have insurance or who's actually funding the payment. We shouldn't be paying it. I understand the need to recover as quickly as possible because people don't have a backup, et cetera. But… have a backup. Have a plan. Have technology that can prevent against the attack. Because by paying it, we are seeing a huge rise because people are fueling an industry."

Sophos principal research scientist Chet Wisniewski: "I think you take it back a step, should there be cyberinsurance at all? That's a better question, because I think if you're going to allow cyberinsurance then why wouldn't ransomware be a part of it? And it's a tough question because I'm very much against cyberinsurance as a concept, [both] as an individual and as a researcher. I don't believe the industry is mature enough for us to sensibly offer it at this point. Obviously, the idea of insurance is to defer risk that you can't manage another way, right? And the problem is companies are using it as a way to avoid managing their risk and they're buying cyberinsurance instead. And then of course the policy is usually strict enough that when they have an incident it won't pay out because they didn't do the things they were supposed to do to be safe. Like, you can't get fire insurance if you don't have smoke alarms, sprinklers and fire extinguishers in your building. They're not going to sell you fire insurance if you're literally waiting to light it on fire."