Banning insurers from reimbursing ransoms paid by clients to hackers is pointless. It will not undermine the revenue model of hackers and cybercriminals. Companies and organizations that are the target of a ransomware attack will simply look for other ways to pay, because they see no other way out.
This is apparent from research by lawyer Nynke Brouwer. She obtained her doctorate last Thursday on the functioning of cyber insurance.
Cabinet wants to prohibit reimbursement of ransom payments by insurers
Companies that have been hit by ransomware are often at a loss. They often lose access to their systems, as well as to confidential information and other data stored on their servers. The attacker offers to remove the lock for a fee. If the victims do not agree, the perpetrators threaten to make the stolen information public or sell it to the highest bidder. Fearing data loss, business shutdown, reputational damage, liability, recovery costs or in the worst case bankruptcy, companies often choose to pay the ransom.
Insurers have been offering cyber insurance for several years now. This allows entrepreneurs to cover themselves financially against cyber threats and risks. In most cases, insurers choose to reimburse the requested ransom: in practice, repairing and replacing the infected systems often costs more time and money. It’s a simple calculation.
The government considers this an undesirable situation. By paying hackers and cybercriminals, we maintain the revenue model. The government wants to make cybercrime less attractive. If no one pays ransom, then ransomware and other cyber attacks will no longer occur. The Ministry of Justice and Security is currently investigating the possibility of imposing a ban on the payment of ransom by insurers.
Ban is a bad idea
Master of Laws Nynke Brouwer does not see a ban as the solution. “A ban will only make the payments illegal. Companies will find another way to pay,” explains the lawyer. Banning the reimbursement of ransom by insurers is, she says, ‘a drop in the ocean’. “In my research, I found no clear links between having insurance coverage for ransom paid and the company’s decision to pay. Insured or not, companies pay because they have no other choice.”
Brouwer points out that cyber insurance has been on the rise in recent years. These policies offer all kinds of benefits for entrepreneurs because they provide wide coverage in the event of cyber incidents. Think of recovery costs after an attack, fines and liability in the event of privacy violations and network incidents, damage due to business interruption and costs of defence in legal proceedings. She is pleased with the incident response services that insurers offer. “For example, if a company is hit by ransomware, the insurer sends out a team of experts in IT, legal services and communications. This way, the impact of the ransomware can be limited as much as possible on all sides.”
Cyber insurance increases corporate cyber resilience
The lawyer points out that insurers often define key terms such as ‘cyber incident’ in the policy conditions in their own way. As a result, it can be difficult to get a good idea of what is and what is not reimbursed. That is not surprising, according to Brouwer. “With other forms of insurance, we have hundreds of years of claims history to arrive at a clear understanding. We know what fire is, and insurers only differ in the margins about what such fire insurance does and does not cover. But we do not yet have that certainty and damage history for cyber incidents, and everyone struggles with that.”
Brouwer points out that cyber insurance has a positive effect. Entrepreneurs who want to take out such insurance must meet certain minimum conditions or requirements. This helps to increase the cyber resilience of companies and organizations. There is another advantage: “By thinking about the risks in the context of (taking out) insurance, taking measures and regularly evaluating and reinforcing them, many incidents can be prevented,” says Brouwer.
Much criticism of minister Grapperhaus’s plan
Nynke Brouwer is not the only expert who is critical of the government’s intention to ban the reimbursement of ransom payments after a cyber attack. The Dutch Association of Insurers asked outgoing Minister Ferd Grapperhaus of Justice and Security not to rush the decision. Cyber security expert Frank Groenewegen fears that a ban will do more harm than good. “I have assisted many companies where all data was lost. They then have the choice: pay, or spend weeks or months repairing and sometimes even go bankrupt.”
The VVD faction in the House of Representatives is also not in favor of Minister Grapperhaus’s plan. Queeny Rajkowski is afraid that the ban will leave entrepreneurs out in the cold. Entrepreneurs should not go bankrupt if they are not allowed to pay a ransom. Instead of banning ransom payments, the party thinks it’s a better idea to focus on preventive security measures and ‘basic digital hygiene’.