Blog, Cyber - March 29, 2021
Ransomware: Should Insurers Be Paying Ransoms?
869, 869, bermix-studio-F7DAQIDSk98-unsplash, bermix-studio-F7DAQIDSk98-unsplash.jpg, 515676,,, , 4, , , bermix-studio-f7daqidsk98-unsplash-2, inherit, 868, 2021-03-29 11:47:14, 2021-03-29 11:47:14, 0, image/jpeg, image, jpeg,, 2373, 2191, Array

If you’re unfamiliar with ransomware, then you’re one of the lucky ones! Ultimately, it’s software that infiltrates your system, blocks your network and restricts access. To regain control, you must make a payment to the hackers responsible, usually in the form of cryptocurrency such as Bitcoin.

Payment of this kind makes it difficult to trace transactions, so cyber criminals can remain anonymous while holding your data hostage. What’s more, hackers may even threaten to leak your files as they did with Disney – an attack that could have cost millions in lost box office revenue.

As with all breaches, something as simple as clicking a disguised malicious link could cause malware to enter your system, as can vulnerabilities with your remote desktop. Once they’ve gained access, hackers will convince you that your only option is to pay. Some even exaggerate the reputational damage you’ll experience if you don’t.

It’s been a recurring problem in the cyber threat landscape over the past couple of years. Here, we explore the reality of ransomware and its impact.


Do insurers pay ransoms?

Yes. In fact, kidnap and ransom policies have existed discreetly for years. Why discreetly? Because any company that publicly states it has insurance to cover a ransom would be a prime target. Likewise, the payments themselves are often kept quiet. After all, there’s a moral dilemma to insurers covering ransoms.

That’s because payments against public interest aren’t typically insurable. By settling ransomware demands, it could be argued that insurers are operating against public interests, helping to fund criminal activity and even terror organisations. So it’s understandable that the industry would want to avoid these discussions.

Despite such arguments, we’ve found that insurers continue to indemnify some businesses against ransomware payments – though mostly within Cyber & Data policies rather than a specific extension. So if that’s the case, insurers must be paying out all the time, right? Wrong.


How often do insurers pay?

Only 15-20% of UK businesses actually purchase Cyber & Data insurance. So even if insurers were covering ransoms at the same rate as regular claims, they’d still only pay out a small percentage.

While this means the majority of businesses that suffer a ransomware attack aren’t insured at all, even those that do have cover are prone to panic. Hackers notoriously word their threats so that you feel isolated and alone, causing many victims to actually keep quiet and pay off the ransom themselves.

Insurers, however, can ascertain the viability of a threat. They may have a cyber team that could regain control of your systems, trick the extorter into exposing themselves or negotiate the payment down on your behalf. Either way, it helps to discuss matters with an expert.


What happens after a payment?

We’ve all seen the films – a briefcase full of cash is dropped off, and a family waits nervously for the kidnappers to return their loved one. Cyber extortion is no different. But can you really trust someone to leave you alone after one attack?

Insurance companies use threat analysis that can assess the likelihood of the hacker keeping their word after the ransom is paid. They also summarise the scale of the data exposed as well as any damage you’ll incur if it’s leaked or deleted.

This happened recently with games developer CD Projekt Red, when vital files were hacked, and threats were made suggesting reputational damage if they didn’t pay. The company refuted the ransom demand and, although its content was leaked, it was able to weigh up its options so it could backup and protect its other assets.


How much are these ransoms?

Cyber crime ransoms were once around £1,000. Today, however, the average payment is closer to £100,000, rising 33% from the final quarter of 2019. This figure should help a number of businesses decide if they need Cyber & Data protection, or if they’re willing to take the risk.

But what this amount doesn’t include is the money you’ll need to spend on post-hack security, as well as on repairs and potential cyber-threat training for your team. Falling victim to a hack due to a remote desktop vulnerability, for example, could cost thousands to resolve.


What might change?

Many of the leading cyber insurers are American entities, so when it comes to Cyber & Data insurance, the UK typically follows the US. It’s also realistic to assume that what happens with US legislation today could have a direct impact on the UK insurance market tomorrow.

Because of this, the UK government wouldn’t really need to evaluate its position, as US insurers would take it out of their hands by removing cover altogether. For the time being though, these payments are still allowed and the Association of British Insurers actually released a statement defending the inclusion of ransomware coverage within UK Cyber & Data policies.


How can I protect my business?

Some insurers will still indemnify you against ransomware payments if you feel particularly vulnerable – though it’s unlikely to last for the long term. Ransomware attacks, on the other hand, could be here to stay.

That’s why it’s important to speak to your insurer and discuss your business’ current level of exposure. If you need help selecting a provider that’s best placed to handle cyber attacks, get in touch with the team at RiskBox. With our help, you’ll stand a better chance of protecting your assets and lowering the cost of cyber crime.


Author: Sam Johnson


Photo by Bermix Studio on Unsplash

Latest blog posts

Read more
Contact Us

Have your own insurance challenge?

Get in touch with the RiskBox team for a solution.
You can reach us on 0161 533 0411 or
Alternatively, click the button below and fill in our contact form.
Chat with us