No evidence ransomware victims with cyber insurance pay up more often, UK report says

There is no “compelling evidence” that victims of ransomware attacks who have cyber insurance are more likely to make an extortion payment than those without, according to new research examining the role of the insurance industry in driving the criminal ecosystem.

The independent study, published Monday and sponsored by the U.K.’s National Cyber Security Centre (NCSC) and the Research Institute for Sociotechnical Cyber Security, addresses concerns that the cyber insurance industry is aiding cybercriminals by covering ransom payments.

It was conducted by researchers from the Royal United Services Institute, alongside the University of Kent, De Montfort University and Oxford Brookes University.

It found: “While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to set higher ransom demands, the conclusion that ransomware operators are deliberately targeting organizations with insurance has been overstated.”

Ransomware as a term has come to describe more than just a particular type of encrypting malware. It now covers a range of incidents involving cyber extortion, including when hackers steal and threaten to sell or release the victim organization’s data.

It has been described by British officials as “the most acute threat” facing businesses and organizations in the country, and the high number of incidents with a significant national impact meant the topic dominated cross-departmental meetings in Whitehall last year.

A coalition of nearly 40 countries has been assembled by the Biden administration in the United States to form a Counter Ransomware Initiative to tackle the increasing number of attacks on public and private sector organizations.

Despite a brief disruption to the criminal ecosystem around the Russian invasion of Ukraine, there are three key reasons why the number of ransomware attacks remains very high, according to the 12-month research project.

Firstly, the study says, the profitable business model “continues to find innovative ways to extort victims.” Secondly, the challenge of securing organizations of all sizes from cyberattacks is beneficial to criminals. And thirdly, the “low costs and risks for cybercriminals involved in the ransomware ecosystem, both in terms of the barriers to entry and the prospect of punishment” means there is little disincentive for the hackers.

These issues, rather than the insurance industry making payments, are driving the ecosystem, say the researchers, who add that the role of insurers in convening incident response services “gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort.”

But it finds that the British government’s “black-and-white position” on making extortion payments — that they should not be made as they reward criminals, and that they neither guarantee decryption nor that stolen data will be deleted — has not helped the response to these attacks.

Instead, there are now no “clearly defined negotiation protocols” and too little learning from incidents that would help “develop a sense of collective responsibility and shared best practices around ransomware response.”

A spokesperson for NCSC said it was working with government partners and reviewing the report's recommendations so it could effectively bear down on cyber crime.

“The NCSC welcomes this report and commissioned it precisely because we recognise that ransomware remains one of the most acute cyber threats facing UK businesses and organisations,” they said.

“We encourage continued collaboration between the insurance sector and government to develop a more sophisticated, better-priced market which helps manage the risk of cyber attacks while reducing the harm those attacks cause.”

The researchers make their case for a number of government interventions “that would improve market-wide ransom discipline so that fewer victims pay ransoms, or pay lower ransom demands” and list nine recommendations.

The study also warned against overemphasizing the role of the cyber insurance industry in the fight against ransomware. “We must not lose sight of the fact that the primary purpose of insurance is to transfer residual risk and cover losses and costs, not to solve cybercrime,” said the paper.

“Disrupting the ransomware criminal enterprise and changing the risk-reward calculus of Russian cybercriminals in a lasting way will require a mobilisation of government resources, political will and collective action that is yet to materialise.”

This article was updated at 12:25 p.m. EST on July 31 with comment from a NCSC spokesperson.