The Royal United Services Institute (RUSI) is an independent UK think tank that has been in existence since 1831. It has examined the relationship between cyberinsurance and ransomware, and proposes greater reporting from victims to government, enforced through insurance policies.
Specifically, RUSI finds that ransomware is prevalent among malicious attackers because it is profitable, easy, and low risk. Cyberinsurance does not cause ransomware. “While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to set higher ransom demands, the conclusion that ransomware operators are deliberately targeting organizations with insurance has been overstated.”
The report, Cyber Insurance and the Ransomware Challenge (PDF), starts from the basis that cyberinsurers are innocent parties in the ransomware wars. Manu Singh, VP of risk engineering at Cowbell, agrees with this conclusion. “The narrative that cyber insurance providers are the catalyst of ransomware is a dangerous simplification of the facts,” he told SecurityWeek.
However, RUSI believes that the lack of a consistent advocated response to ransomware is a separate and distinct problem. It does not recommend a blanket ban on the payment of ransoms, but suggests that the UK government’s black-and-white position on ransom payments has created “a vacuum of assurance and advice on best practices for ransom negotiations and payments.”
It sees the role of cyberinsurance as “raising cybersecurity standards, which could make it more difficult to successfully compromise victims and increase costs for ransomware operators.” Ultimately, this would involve linking insurance coverage to the insured’s cybersecurity posture through refusals and premiums. “Cyber insurance is currently one of the few market-based levers for incentivizing organizations to implement security controls and resilience measures.”
This is possibly an oversimplification: business survival, profit, and shareholders are also good cybersecurity incentives – and they are not necessarily connected to cyberinsurance. Furthermore, they do not result in cybersecurity requirements imposed by an external third party with its own separate profit motives.
RUSI recognizes two possible problems for its assertion. Firstly, the insurance industry doesn’t really know what tools it should incentivize (after all, the entire security industry has so far failed to solve the ransomware problem); and secondly, cyberinsurance still has low market penetration — certainly insufficient to affect the overall ransomware ecosystem.
The first problem is well understood by cybersecurity professionals. Cybercriminals continuously adapt their tactics whenever defenders get close to a solution. For example, attackers have evolved ransomware from concentrating on data encryption to concentrating on data theft. This requires a shift of emphasis from incident response to incident prevention – and new insurance policies must continually change to reflect any different reality.
There is always a cat-and-mouse game between attackers and defenders, and in many ways cybersecurity is largely playing catch-up with the attackers. The problem for cyberinsurance is that it must strive to get and remain ahead of the attackers, when in reality it must play catch-up with the defenders.
RUSI sees a way forward through increased cooperation between the insurance industry and government. “The cyberinsurance industry could be a valuable partner for the UK government through increased ransomware attack and payment reporting, sharing aggregated claims data, and distributing National Cyber Security Centre (NCSC) guidance and intelligence to organizations,” it says, adding “The UK government’s light-touch approach is unsustainable and requires more intervention in private markets that are involved in ransomware prevention and response.”
It could be argued, however, that data sharing from the NCSC’s Early Warning service should be a given, and not reliant on a quid pro quo from industry.
RUSI makes nine specific recommendations in its report:
- Cyberinsurance policies should require that insureds and IR firms provide written evidence on ransom negotiations and their outcomes.
- To drive market-wide response best practices, insurers should define and use a set of response firms that meet pre-defined requirements.
- The government should assist in defining “common best practices and key market players, and create a framework for benchmarking the quality of their services and products.”
- To improve reporting on ransom payments, the government should explore a licensing regime for firms that facilitate cryptocurrency payments on behalf of victims. This should follow the US example, and the facilitators should be “subject to national financial crime reporting requirements”.
- Insurers should set ‘minimum conditions and obligations in ransomware coverage’ that enforce consideration of alternatives to ransom payment. “These should include sanctions due diligence, a requirement to notify law enforcement and written evidence that all options have been exhausted.”
- Insurers should require policyholders, as a condition of coverage, to inform both Action Fraud and the NCSC before any payment is made. If necessary, “regulators should intervene to compel insurers to include this obligation in coverage.” But it is not a one-way obligation. Law enforcement and the NCSC must give assurances “that reporting leads to actual outcomes against ransomware actors, such as cryptocurrency seizures, arrests or offensive cyber operations.”
- Integration of the NCSC’s Early Warning service into insurers’ policyholder assessments would allow the distribution of potential ransomware attack intelligence.
- The NCSC should strengthen operational collaboration by recruiting secondees from the insurance industry into the Industry 100 cyber security secondment scheme.
- The government and the National Crime Agency should ensure that suspicious activity reports (SARs) are fit for reporting ransom payments and associated money laundering, and “identify ways to encourage cyber insurers to report ransom payments as SARs or through more informal channels.”
The overall impression of the RUSI report is that increased cooperation from the cyberinsurance industry could help government response to the ransomware threat. There is little in these recommendations on how the cyberinsurance industry can help its insureds, beyond saying, ‘if you want insurance, this is the level of security you must implement’ (even if it doesn’t focus on the latest attacker methods).
RUSI’s basic proposals are effectively intrusive on both public and private industry, adding that, if necessary, the recommendations should be imposed by regulation. There is nothing in the basic recommendations to incentivize business into adopting ransomware cyberinsurance. This is no way to treat business. It may indeed have the opposite effect, persuading industry to forego ransomware insurance rather than give up its freedom of movement in doing its own job just to help the NCSC do its job.