Cyber insurance model is broken, consider banning ransomware payments, says think tank

Cyber insurance isn't exactly driving organisations to improve their infosec practices, a think-tank has warned – and some insurers are thinking of giving up thanks to the impact of ransomware. "To date, the shortcomings of cyber insurance mean that its impact is ultimately more limited than policymakers and businesses might …

  1. Pete 2 Silver badge

    Hack me if you can

    > cyber insurance has two selling points as far as politicians and political policymakers are concerned: insurance could help limit the financial damage to organisations hit by ransomware, while due diligence by insurers and their brokers could help force relative slackers to adopt better security hygiene.

    And as far as businesses go, the advantages of cyber insurance are that it is quick to implement and it looks like the board of directors is taking the problem seriously.

    In reality it provides a way of protecting the business without having to make any significant technical changes. I have a sneaking suspicion that there is a high correlation between businesses that do not employ techies (and their managers) who are capable of keeping an installation secure and those outfits that are most likely to be hit by ransomware.

    So insurance probably works out cheaper than hiring talent and financing all the improvements that those experts and best-practice exponents would require.

    Cheaper, that is, right up until the time when the company gets hit and discovers that their insurance won't pay out as the insured company only paid lip service to the terms and conditions. (And then, it's probably still cheaper to give the CIO a severance package, than to make the necessary changes).

    Maybe cyber insurance providers should employ their own teams of hackers. Ones who will demonstrate the security or lack of, by test-hacking their customers before providing insurance to them?

    1. Drew Scriver

      Re: Hack me if you can

      Just yesterday I was explaining to our children the difference between "legal/illegal" and "right/wrong". One of the key differences is found in the repercussions, or "getting in trouble".

      Most companies (and people, for that matter) are primarily concerned with "getting in trouble". Losing money is an example of getting in trouble, as are legal penalties.

      Insurance shields companies from financial trouble, and the lack of personal culpability for executives shields from legal penalties.

      Years ago the Commonwealth of Massachusetts attempted to pass a bill that would hold executives personally responsible (potentially jailing them) if negligence resulted in loss of customer PII. The bill failed, but I'm afraid that such a law is about the only instrument that would cause companies to take security as seriously as they need to.

  2. alain williams Silver badge

    A report saying the bleeding obvious

    I, and others here, have said many times that if insurance did not pay ransomware then companies would be forced to up their game.

    Yes: it would hurt a few that did not get the message, but after a couple of bankruptcies other companies would start to take it seriously - not just try to blame others.

    If this is not done then the pain will persist for many years, this will not stop it but should make it much harder for the crooks.

  3. amanfromMars 1 Silver badge

    Hypocrites'R'Us, Plonkers'R'They

    The British government's view is that cyber insurance that pays ransoms to criminals is, as the National Cyber Security Centre put it last year, a matter for individual board members. Although The Register asked whether it would condemn the use of cyber insurance to pay ransoms, the GCHQ offshoot wouldn't be drawn.

    Oh, and a matter for individual board members, is that so? Is it any great wonder the GCHQ offshoot remained and remains schtum.

    The wage slaves' views are that crippling taxation and constantly rising inflation pays a ransom to criminals adding zero value to their lives. Failure to pay such a ransom though is always going to be problematical for criminals, individuals and board members.

    Do you see the parallel/singularity in the two cases? And thus the likely enough reason for any number of intelligent unresolved silences which attend and surround such matters.

    1. Dave314159ggggdffsdds Silver badge

      Re: Hypocrites'R'Us, Plonkers'R'They

      "a matter for individual board members"

      I lol'd at that euphemism. They mean 'individual board members' can choose to do things that may well be criminal, and accept the consequences if caught.

  4. Throatwarbler Mangrove Silver badge
    Devil

    Whither the gray hats?

    It seems like there is a ripe market for mercenary hacker bands who will hunt down ransomware scum and their ilk for retainer + bounty. Where are those guys?

    Upon consideration, it seems like we're on the verge of a cyberpunk future where one could have a multi-functional mercenary team consisting of one or more offensive hackers (netrunners) combined with boots on the ground whose job is to locate and liquidate the black hats. At some point, it seems like it would become cheaper and more satisfying to put money into a fund to employ these guys rather than pay off the worthless parasites who write ransomware. Hell, I'd throw in a few bucks.

    1. Dave314159ggggdffsdds Silver badge

      Re: Whither the gray hats?

      "the worthless parasites who write ransomware"

      Or are they self-incentivised bounty hunters helping by highlighting insecure corporate systems?

      OK, no, they aren't. But it strikes me that the best way to fix the problem is to accept that the ransomware gangs are doing valuable work, and pay them for the work - as long as they inform the right people instead of using their access to lock stuff.

      1. Throatwarbler Mangrove Silver badge
        Thumb Down

        Re: Whither the gray hats?

        "But it strikes me that the best way to fix the problem is to accept that the ransomware gangs are doing valuable work, and pay them for the work - as long as they inform the right people instead of using their access to lock stuff."

        There are already red team hackers who do just what you describe. The problem is getting the organization to implement the correct changes to patch the holes, which leads me to my next point ...

        The only reason that having such a robust security response is necessary is because of criminal activity in the first place. It's like saying that someone who breaks into my house and steals my stuff is doing me a favor by highlighting the weaknesses in my home security. In fact, the only reason I need security is because of thieving assholes. In practice, it would be much nicer if I could just leave my door unlocked and not have an unsightly iron gate in front of my house, but I can't because assholes.

        As an aside, I agree that there is a more complex discussion which could be had in regard to financial and other incentives which motivate the ransomware scum. On balance, however, I just wish they'd fucking crawl into a hole and die.

        1. Dave314159ggggdffsdds Silver badge

          Re: Whither the gray hats?

          "The only reason that having such a robust security response is necessary is because of criminal activity in the first place"

          Really? No need for security except to protect from criminals? Are you really saying that?

          1. Throatwarbler Mangrove Silver badge
            Holmes

            Re: Whither the gray hats?

            "Really? No need for security except to protect from criminals? Are you really saying that?"

            Yes, that is what I am saying. Why else would I have it?

      2. Cuddles

        Re: Whither the gray hats?

        "But it strikes me that the best way to fix the problem is to accept that the ransomware gangs are doing valuable work, and pay them for the work - as long as they inform the right people instead of using their access to lock stuff."

        If that actually worked, most crime wouldn't exist. It's no different from saying that the best way to eliminate bank robberies is to employ potential robbers as security guards. The unfortunate fact is that while some people may be happy with a steady paycheck for doing a regular job, others would much prefer the jackpot from emptying the entire vault. No business can afford to pay enough to keep happy those who won't settle for anything less than everything.

        Plus there's the obvious catch-22 situation - if you pay all criminals to work as security, then there are no longer any criminals and hence no reason to pay anyone to work as security.

    2. amanfromMars 1 Silver badge

      Re: Whither the gray hats?

      It seems like there is a ripe market for mercenary hacker bands who will hunt down ransomware scum and their ilk for retainer + bounty. Where are those guys? ....... Throatwarbler Mangrove

      Enter stage left ..... National Cyber Security Centre and sundry other wannabe GCHQ offshoots, TM.

      It is though no place or space for inept tools and brainwashed fools.

    3. Steve McIntyre

      Re: Whither the gray hats?

      "It seems like there is a ripe market for mercenary hacker bands who will hunt down ransomware scum and their ilk for retainer + bounty. Where are those guys?"

      I've been wondering similarly for years about how to kill spam(mers).

  5. Dave314159ggggdffsdds Silver badge

    The Reg is writing fiction these days

    "During a discussion set in the context of squirmy insurance companies turning into their own stereotypes, trying to evade payouts at all cost"

    That simply isn't true. The Reg has attempted, and failed, to create a story along those lines. A conspiratorial, nutcasey kind of story.

    1. Throatwarbler Mangrove Silver badge
      FAIL

      Re: The Reg is writing fiction these days

      So your assertion is that insurance companies are not rent-seekers who ideally seek to only take in money without ever paying any out and who will deny coverage and reimbursement on the flimsiest pretext? Because that definitely reflects my experience, and I'm sure I'm not the only one.

      1. Dave314159ggggdffsdds Silver badge

        Re: The Reg is writing fiction these days

        So you're outing yourself as a believer in conspiracy theories...

        1. Throatwarbler Mangrove Silver badge
          FAIL

          Re: The Reg is writing fiction these days

          No, I'm saying that the insurance companies have a strong motivation (financial profit) not to a) insure risky clients and b) pay out claims. Without getting into the weeds regarding insurance, insurers obviously also have an incentive to insure people and pay claims, but I believe the theory promulgated by El Reg is that the insurers did a piss-poor job of evaluating the risk behind ransomware and now find themselves potentially on the hook for rather more claim money than they anticipated so are balking at paying it. No conspiracy is required: given the incentives involved, it's perfectly possible for multiple insurance companies to come to the same conclusion independently.

          Which insurer do you work for, btw?

          1. A Nother Handle

            Re: The Reg is writing fiction these days

            I followed the link in this article to another Reg story claiming lack of trust in insurers because they sue their own customers. The 'evidence' there was two more links to one article about Mondelez (the insured) suing Zurich (their insurer). I agree that the Reg here is over-egging the insurers never pay angle on very flimsy evidence.

            A well run insurer will pay out on valid claims because they have made a good assessment of the risks and priced accordingly. The point made in this article is that both data and agreed standard practice for responses to ransomware are in short supply and those risk assessments are basically guesswork. I would expect a higher proportion of court disputes in that environment.

            I do work for an insurer, but not anywhere near claims, and no I won't say which one.

  6. DS999 Silver badge
    Flame

    Cyber insurance

    Is what fire insurance would be if they just sold it to you without regard to risk, and there was no fire code, no regulations, nothing more than the most cursory inspection so businesses were free to do whatever they want and could decide for themselves whether to invest in installing a proper sprinkler system and alarms, or just staple PVC pipe to the ceiling that's not connected to anything, paint it black and rely on that to pass "inspection".

  7. elsergiovolador Silver badge

    Destroy competition

    Let's say a ransomware attack happens, company becomes paralysed. Payment of ransom is illegal.

    What does company do? Pack their bags?

    Is government going to scramble a team of mathematicians? The encryption techniques are more advanced today than during WWII.

    Or maybe, since the think tank seems to - as the label suggests - think, are they going to get their calculators out and try to crack the code?

    I have a hunch though, that such a ban has been thought out by unscrupulous companies who would use the ransomware to destroy competition.

    Why else would such an idiotic thing be proposed?

    1. Danny 2

      Re: Destroy competition

      The theory is that if you criminalise paying a ransom then you start to discourage the crime by removing the profit motive. Sure, companies that haven't invested in security will be thrown against the wall, but that will encourage others to properly pay and respect their IT staff.

      It makes more sense than the current British government policy which is, "We don't negotiate with criminals! We're just leaving this bag of money over there and walking away."

    2. Richard 12 Silver badge
      Mushroom

      Re: Destroy competition

      If they "need" to pay a ransom then that company is dead anyway.

      Even if the decryption actually happens, their systems are compromised and so will immediately suffer further attacks.

      They're now marked as an extremely high risk so can't get insurance, and the criminals know they're a company who will pay out so will spear-phish them as they're worth direct attacks.

      Better that company simply fails without funding the next attack.

  8. BOFH in Training
    Facepalm

    Don't the insurance companies have their own cyber security policies and teams?

    Assuming the insurance companies are protecting themselves against malware, ransomware, cyber attacks, etc, they should have internal policies they have for their own use.

    They should, in theory have an IT team, cyber security team, etc.

    After all, insurance companies, generally being billion dollar organisations, should have their own internal mechanisms for cyber defence.

    So if all the insurance companies get together, and figure out what they are all doing for themselves, make a standard that captures the policies, procedures, etc.

    And use that as a baseline for the customers who are purchasing cyber security insurance.

    Am I missing something? Or am I wrong in thinking this should be a relatively easy way to get a standard that they can all agree to.

    Hell, maybe even create an organisation which liaises with all the insurance companies to check what they are doing, and create yearly standards, which all insurance companies and client organisations have to follow.

    1. Anonymous Coward

      Re: Don't the insurance companies have their own cyber security policies and teams?

      You've just described the PCI DSS on steroids, heroin, and pcp.

      PS, I only use one of these and it's not pcp.
