Addressing the Ransomware Problem Without Banning Ransom Payments
What are the advantages and disadvantages of banning ransom payments?
Before the general election of 2024, the UK government was considering implementing stricter rules related to ransomware ransom payments, including the possibility of banning these payments altogether. The rationale behind this measure would be a decisive action to dismantle the business model of cyber extortionists. However, the message regarding ransom payments is, at the very least, contradictory. In the UK, the NCSC has made it clear that companies should not pay ransoms, although the insurance policies recommended by the government's Cyber Essentials scheme say otherwise, as they cover extortion payments. This, in turn, directly finances cybercriminal activity and allows it to thrive.
The debate about whether to pay the ransom is complex. In France, for example, the CHCSV hospital chose not to pay despite suffering severe operational disruption. In contrast, other organizations, such as Change Healthcare in the U.S., decided to pay $22 million to their attackers. The calculus also differs between the public and private sectors: when public entities choose to pay, the funds come from taxpayer money. For this reason, several U.S. states have prohibited ransom payments by public organizations.
In the UK, however, there is little transparency regarding ransom payments. Unlike the U.S., which has official government data on the matter, information in the UK about payments often comes from industry reports. Reports indicate that 85% of small and medium-sized enterprises (SMEs) have paid a ransom, while 69% have done the same in the past year. Not paying a ransom can prove to be more costly in the long run, as demonstrated by MGM Resorts, which did not pay its attackers but later faced costs amounting to $110 million. Similarly, the WannaCry incident in 2017 impacted thousands of NHS hospitals, with recovery costs reaching £92 million.
While ransomware victims continue to debate whether to pay or not, it is estimated that the cybersecurity insurance market in the UK will reach $1.35 billion in 2024, and $20.88 billion globally, as companies seek to insure themselves against this threat. Insurers generally tend to choose the cheaper option: paying the ransom. However, this contributes to perpetuating the global cybercrime pandemic, and according to Chainalysis, ransom payments surpassed $1 billion in 2023.
While some attribute the rise of ransomware to cybercriminals becoming better organized and better guided, the question remains whether it is merely a coincidence that the growth of the insurance sector has coincided with increased digital criminal activity.
Regarding the appropriate response to ransomware attacks, the general opinion is that paying should be the last resort, except in situations where there is a risk to life. Decisions motivated by the ease of payment or to avoid business disruption do not justify the act of paying, whether the payment comes from the company's funds or insurance.
A complete ban on ransom payments could be a step in the right direction, but it only addresses part of the problem and may seem like a 'whack-a-mole' strategy, where attackers could change their tactics. Alternatives such as regulating the cryptocurrency industry and shutting down vulnerability brokers could be more effective. For example, since most cybercrimes are monetized through cryptocurrencies, regulating this sector could be a better option than simply banning payments.
Moreover, it has been suggested that decisions about ransom payments be transferred to an independent body, ensuring that choices are based on risk rather than cost. Nevertheless, it remains uncertain whether an entity like a court could make quick decisions in these situations.
Digital transformation accelerated during the pandemic, and extortion-based cyberattacks have surged, driven by cryptocurrency. The main challenge for insurers is the lack of data, causing them to continuously adapt their requirements and rapidly increase premiums. It is worth noting that having insurance can make a business perceived as a more attractive target, as cybercriminals know they could receive their payment.
Therefore, it is vital for companies to maintain a strong cybersecurity posture, which will provide them with the best possible protection, whether they have insurance or not. Furthermore, insurers that understand risk through data often require companies to adopt technologies and processes that mitigate this risk, such as cloud backup systems and multifactor authentication.
The relationship between cybersecurity insurance and cybersecurity is presented as inseparable; both sectors are evolving towards a synergy. That synergy, however, faces a significant obstacle: the funding of cybercrime through ransom payments made by insurers, which should cease except in exceptional circumstances.