White House official says insurance companies must stop funding ransomware payments

Insurance companies must stop issuing policies that incentivize making extortion payments in ransomware attacks, a senior White House official said on Friday.

The call for the practice to end, which was made without any indication the White House was formally proposing to ban the practice, follows the fourth annual International Counter Ransomware Initiative (CRI) summit in the United States this week, where the 68 members of the CRI discussed tackling the problem.

Writing an opinion piece in the Financial Times newspaper, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, warned that ransomware was “wreaking havoc around the world.”

She wrote: “Some insurance company policies — for example covering reimbursement of ransomware payments — incentivise payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end.” 

Attempts to engage with the insurance industry on this front have not yet delivered any promises, let alone formal agreements, although Neuberger said it could play a “constructive role” by “requiring and verifying implementation of effective cyber security measures as a condition of underwriting its policies, akin to the way fire alarm systems are required for home insurance.”

Earlier this year, after a long period of engagement with the British insurance industry, the United Kingdom’s National Cyber Security Centre (NCSC) announced only agreeing on guidance expressing a joint view of how businesses should handle ransomware attacks, including reviewing the decision to not make an extortion payment.

In a further development on this guidance, during the CRI summit this week, some members of the CRI (just 39) alongside 8 insurance industry bodies from around the world, endorsed almost identical guidance encouraging “organisations to carefully consider their options instead of rushing to make payments.”

The guidance falls very short of stopping the practice of insurance companies funding ransomware payments, as Neuberger called for.

Despite the availability of other guidance on best practice in ransomware responses, attacks targeting victims in the United Kingdom have roughly doubled over the past two years.

The figures are mirrored by what has happened in the United States, according to Laura Galante, the director of the cyberthreat intelligence integration center at the Office of the Director of National Intelligence, who told journalists on Sunday that the U.S. intelligence community has seen ransomware attacks nearly double in this period.