P/C Insurers Defend Ransomware Reimbursements in New Cyber Principles

INSURANCE NEWS

P/C Insurers Defend Ransomware Reimbursements in New Cyber Principles

The nation’s largest property/casualty insurance organization is defending ransom payment reimbursements by insurers in a new set of principles stressing that the insurance industry wants to partner with government and business to improve cybersecurity.

The insurers say they “must be permitted to provide reimbursement coverage for the policyholder’s payment of ransom for cyber extortion,” subject to applicable sanction and other laws.

“This principle is consistent with the long-standing approach to the parallel issue of crime or kidnap & ransom coverages, which are allowed by regulators so long as those payments do not violate sanctions laws,” the American Property Casualty Insurance Association (APCIA) said in releasing its Cyber Extortion/Ransomware Guiding Principles.

Recent ransomware attacks on Colonial Pipeline, beef producer JBS USA, and CNA Insurance among others have re-ignited a debate over whether victims of attacks should pay ransom, and whether doing so encourages more attacks.

Public-Private Partners

The APCIA’s principles stress the view that the ransomware problem cannot be resolved with “insurance-centric policy” changes: “Insurance can play a role in enhancing resiliency, but ultimately cannot cure the criminal behavior that perpetuates the ransomware problem. For this reason, there must be a holistic approach that focuses on the core drivers of the criminal behavior utilizing the expertise of all stakeholders.”

Government “should not rely on insurers as its due diligence mechanism for monitoring business compliance and implementation of security measures,” the group says in its principles.

APCIA members include many of the nation’s best-known P/C insurance companies; all told its members represent nearly 60% of the nation’s property/casualty market share.

Some of the APCIA guiding principles on dealing with ransomware attacks include:

  • The insurance industry wants to partner with government and policyholders to help drive policy objectives that will increase cyber resiliency and support competition.
  • Creating greater cyber resiliency is a societal obligation achievable with the involvement of both the public and private sectors coming together to identify the core drivers of ransomware incidents, and cyber threats generally.
  • Cyber threat information sharing by government and impacted businesses with strong liability protections can increase timely detection, response, and deterrence measures.
  • Subject to applicable sanction and other laws, insurers must be permitted to provide reimbursement coverage for the policyholder’s payment of ransom for cyber extortion. This principle is consistent with the long-standing approach to the parallel issue of crime or kidnap & ransom coverages, which are allowed by regulators so long as those payments do not violate sanctions laws.
  • Insurance is an important economic recovery resource for victims of ransomware attacks. Prohibitions on the reimbursement of legal ransom payments presents potential unintended consequence such as eliminating a meaningful risk management resource.
  • The ransomware problem cannot be resolved with insurance-centric policy changes. Insurance can play a role in enhancing resiliency, but ultimately cannot cure the criminal behavior that perpetuates the ransomware problem. For this reason, there must be a holistic approach that focuses on the core drivers of the criminal behavior utilizing the expertise of all stakeholders.
  • Government should not rely on insurers as its due diligence mechanism for monitoring business compliance and implementation of security measures.

APCIA is worried that prohibitions on the reimbursement of ransom payments present “potential unintended consequences” such as eliminating a meaningful risk management resource.

Some have argued that businesses sometimes have no option except to meet the ransom demands, while stressing that the insured, not insurer, makes the call. Many businesses purchase cyber insurance because it offers ransom payment coverage and if that is not allowed, smaller businesses that could not afford the payments without insurance would be harmed far more than larger business that can pay, they contend.

Pipeline Ransomware Attack Stirs Debate on Whether Insurance Attracts Hackers

R.J. Lehmann, senior fellow at the think tank International Center for Law & Economics, says he does not think a ban would work and could encourage more attacks on high-value targets.

“The urge to ban ransom payments is understandable and, in an ideal world where it could be enforced nearly all of the time, perhaps it would even be a good idea. But in the real world, so long as the damage inflicted by a cyber attack is greater than the cost of the ransom, we can predict that ransoms would be paid surreptitiously. Rather than taking away the incentive to engage in such attacks, a ban on ransom payments would be likely to shift hackers focus to the highest value targets where an interruption would do the most damage to society,” Lehmann told Insurance Journal.

Others question the idea that criminals choose their victims because of the presence of insurance. Adam Lantrip, with insurance broker CAC Specialty, told Bloomberg recently that criminals are more likely to target firms with system vulnerabilities.

“I don’t think it’s as binary of a process of saying, ‘This company buys cyber insurance and so I’m going to go after them,’” said Lantrip, the cyber practice leader at CAC. He said it is more likely that the attackers are looking at “who is showing the world a particular piece of technology that they know they can exploit. That’s how they narrow their target list.”

However, the Federal Bureau of Investigation and others in government have warned against businesses paying ransom out of concern it encourages more attacks.

“It is our policy, it is our guidance from the FBI, that companies should not pay the ransom,” FBI Director Christopher Wray told Congress recently.

The National Security Council has said private companies should not pay ransom, not only because doing so enriches malicious actors, but also because “there is no guarantee companies get their data back.”

Energy Secretary Jennifer Granholm has signaled that a ban on ransomware payments might be a good idea. “We need to send this strong message that paying of ransomware only exacerbates and accelerates this problem. You are encouraging the bad actors when that happens,” she told NBC news.

The New York State Department of Financial Services (DFS) this week issued new guidance on preventing ransomware attacks. DFS said that it is joining the FBI in recommending that companies avoid making ransomware payments if their networks are compromised, maintaining that larger extortion payments have “financed the development of more effective hacking and ransomware tools and added more hackers” to their ranks.

“As reported, cybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents,” stated DFS Superintendent Linda Lacewell.

One global insurance company, AXA, announced in May it will stop writing cyber insurance coverage in France that reimburses customers for extortion payments made to ransomware criminals.

Analysts at AM Best have reported the escalation in ransomware attacks is forcing insurers to re-think their approach to cyber.

As the ransomware demands and cyber claims costs continue to rise, more insurers may stop offering coverage, according to panelists at a Reuters conference. Meredith Schnur, a cyber brokerage leader at insurer brokers Marsh, said some insurers are not writing coverage, calling this is a “hard market.”

Others see the ransom payments as inviting their own unintended consequences.

Cyber recovery experts at Coveware contend that paying criminals offers few benefits to businesses. “[V]ictims of data exfiltration extortion have very little to gain by paying a cyber criminal, and despite the increase in demands, and higher prevalence of data theft, we are encouraged that a growing number of victims are not paying. Over hundreds of cases, we have yet to encounter an example where paying a cyber criminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage. On the contrary, paying creates a false sense of security, unintended consequences and future liabilities,” the company wrote in its blog.

Cyber insurance policies typically cover more than ransoms, including costs of restoring systems, business interruption losses, and reputational damage.

“Insurers want to be partners with business leaders and policymakers in finding meaningful solutions for addressing the proliferation of ransomware attacks,” said David A. Sampson, APCIA president and CEO.

“Singling out insurance as a reason for increased attacks negates the holistic benefit of cyber insurance and takes a simplistic approach to a complex problem. We all have a role in this fight and insurers are ready to participate.”

Deputy National Security Advisor for Cyber Anne Neuberger agrees with the need for a private and public partnership. In an open letter to private companies, she called for “cohesive and consistent policies towards ransom payments” but stopped short of support for a ban.

“The U.S. Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility,” she wrote.

Joshua Motta, co-founder and CEO of Coalition, a cyber insurance managing general agency and security company, spoke up in support of the APCIA’s guiding principles.

“There is literally no industry better positioned to fight cybercrime than the insurance industry. Insurers have one thing in common that others (including cybersecurity companies) do not: a direct financial incentive to protect insured clients and prevent financial loss,” Motta stated.

“It is impossible to imagine how much worse the world would be without insurance. While some insurers are pulling back on coverage, and even eliminating it, and while there is chatter of public policy efforts to render extortion uninsurable, or otherwise prevent extortion payments from being made, it would be a tremendous disservice to the organizations impacted by these attacks to prevent the insurance industry from continuing to innovate to fight cybercrime. Not only do insurance companies provide a tremendously valuable service, they have a unique ability to encourage – even enforce – the basic cybersecurity hygiene that is so desperately needed. They can also do so at a considerably lower cost than organizations can do themselves.”

Topics
Carriers
Cyber
Property Casualty

Read Original – Click Here

Please rate this article: 1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

©2021 U-S-INSURANCE.COM - FIND THE RIGHT INSURANCE

CONTACT US

We're not around right now. But you can send us an email and we'll get back to you, asap.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account