Editorial: Cybercrime needs balanced response

Gavin Souter

The surge in ransomware attacks over the past year is fueling wide-ranging debates over how to stop the alarming trend, but few concrete answers are emerging.

The international nature of the crimes, the difficulty in tracking and recovering ransoms paid in cryptocurrency and the vulnerabilities to cyberattacks that are evidently present at many organizations are all complicating the discussions.

In addition, some security experts and policymakers have suggested that the payment of ransoms is a big part of the problem, because the ill-gotten gains finance the operations of criminal networks and encourage hackers to launch more attacks.

Some public policy experts in the U.S. and overseas have also suggested that cyber insurance that covers ransomware payments is part of the problem.

Clearly, if organizations refused to pay ransoms, criminals would have little financial incentive to carry out future attacks, but equally clearly, it’s not as simple as that.

As we have seen with recent attacks on infrastructure, financial companies and health care systems, hackers have the potential to cripple operations through the attacks. Those companies that pay the ransoms appear to regain control of their systems quickly and those that don’t, such as Ireland’s health system, face weeks or months of disruption. 

Failure to return systems swiftly can put lives at risk, disrupt operations at other organizations and lead to the release of sensitive information.

For many organizations attacked, the ransoms they pay are significantly less than the money they would potentially lose through lost revenue or from the liabilities they would face from a swath of lawsuits.

Faced with the unappealing choice of paying millions of dollars to a hacker or potentially significantly more if they don’t, many companies opt to pay the criminals. According to a recent survey by insurer Hiscox Ltd., 58% of companies targeted with ransomware met the cyber kidnappers’ demands.

Banning or restricting insurance coverage for the payments would likely make little difference, other than to put the already distressed organizations under even more pressure. Looking at the size of most of the ransom payments that have been made public, few of the companies involved would be unable to make the payments if they did not have insurance.

Instead, cyber insurance can be part of the solution. During the underwriting process, insurers can highlight potential weaknesses in policyholders’ cybersecurity frameworks and help provide access to resources that can make networks more secure. If the carrot of improved risk management does not work, the stick of higher insurance premiums or coverage declines might.

Government has a big role to play in fighting the ransomware crime wave, but those efforts should center on ransom recovery, centralization of breach information and improving public and private cyber defenses. Undercutting organizations’ ability to recover crucial data won’t help.