Insurance and Ransomware

As ransomware becomes more common, I’m seeing more discussions about the ethics of paying the ransom. Here’s one more contribution to that issue: a research paper that the insurance industry is hurting more than it’s helping.

However, the most pressing challenge currently facing the industry is ransomware. Although it is a societal problem, cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals. These add fuel to the fire by incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities. Growing losses from ransomware attacks have also emphasised that the current reality is not sustainable for insurers either.

To overcome these challenges and champion the positive effects of cyber insurance, this paper calls for a series of interventions from government and industry. Some in the industry favour allowing the market to mature on its own, but it will not be possible to rely on changing market forces alone. To date, the UK government has taken a light-touch approach to the cyber insurance industry. With the market undergoing changes amid growing losses, more coordinated action by government and regulators is necessary to help the industry reach its full potential.

The interventions recommended here are still relatively light, and reflect the fact that cyber insurance is only a potential incentive for managing societal cyber risk.They include: developing guidance for minimum security standards for underwriting; expanding data collection and data sharing; mandating cyber insurance for government suppliers; and creating a new collaborative approach between insurers and intelligence and law enforcement agencies around ransomware.

Finally, although a well-functioning cyber insurance industry could improve cyber security practices on a societal scale, it is not a silver bullet for the cyber security challenge. It is important to remember that the primary purpose of cyber insurance is not to improve cyber security, but to transfer residual risk. As such, it should be one of many tools that governments and businesses can draw on to manage cyber risk more effectively.

Basically, the insurance industry incents companies to do the cheapest mitigation possible. Often, that’s paying the ransom.

News article.

Posted on July 1, 2021 at 11:01 AM24 Comments


yabba dabba don't July 1, 2021 12:19 PM

Ethically, what is the difference between paying a ransom and paying a bug bounty? Both the so-called criminal and the so-called security researcher provides the exact same service, detecting weakness in defensive systems. As I see it, the only reason ransomware payout are so large is to compensate for the legal risk that hackers are forced to bear. So the best way to lower the social costs of ransomware is to make it legal. Instead of ransomware lets call it SIMBBA (Socially Instigated Mandatory Bug Bounty Activity).

Robert M Alberti July 1, 2021 12:25 PM

Ransomware doesn’t exist. Rather, there are two discreet things: there is malware that damages data, and there is a related fraud attempt to extort money.

Malware that damages your data can happen in many ways and we know how to prepare for it. Backups, anti-malware measures, etc. But the fraud attempt is the one we’re culturally not as ready for: right at the moment when the malware attack has made us feel vulnerable, along comes a white knight who promises to fix everything… for money.

“Aw, I’m sorry to hear your data has been damaged – but I can fix it for you!”

And never mind that these extortionists are the ones who admit to damaging your data in the first place.

One would be a fool to engage with them, and one would be an even bigger fool to trust or use or touch the data they so generously “unencrypt” for you. If I wanted to install malware or alter or examine data, what better way than to take possession of the data for a while and then “return” it, altering or adding whatever I wanted while my victims scramble to gather cash and pay me for this.

There is no ransomware – there is malware that damages data and a corresponding extortion attempt, that’s it.

So prepare for ransomware by preparing for malware that damages your data as you always would and deciding in advance that you’re not going to deal with extortionists.

I’m rather emphatic about this because the term “ransomware” is an example of “framing.” It positions this type of fraud as some kind of clever trick by the bad actors and obscures the reality of what’s actually happening. One is never in a strategically good position if one begins by accepting the enemy’s framing, it’s like battling on their territory.

When you break this phenomenon down into “an advanced persistent threat that over time compromises a large amount of data” and “a corresponding extortion attempt” it becomes easier to see how to deal with it. In my opinion the word “ransomware” should be avoided.

Steven July 1, 2021 1:01 PM

I don’t think cyber-insurance is viable long-term.
Insurers routinely exclude coverage for things that they can’t model statistically, like riots and military action. I think the insurers are going to learn (probably the hard way) that cyber-attacks are in that category, and then there will be no more cyber-insurance.

NombreNoImportane' July 1, 2021 3:08 PM

Then its time for a federal requirement to report all incidents. And a HUGE fine for paying the ransom.

Fail July 1, 2021 3:10 PM

A bug bounty does not hold your company or customers hostage, it’s proactive albeit slightly behind the proper investment curve I would classify bounties as a smoothing function.

Ransom payments for getting caught with you or your employees pants down, and insurance or tax subsidizing any loss incurred?

That’s just downright irresponsible, like driving a car without insurance and getting t-boned by someone who runs a stop sign.

The government is not here to bail irresponsible companies out of a self created situation, getting hacked via overflows format strings heap spraying or sub nation-state phishing emails is 1990s.

They should be fined in addition to having to foot the bill and if they pass the buck to consumers. They need to be shook down by our big brother, I personally don’t care who they’re beholden to as far as stock and stake holders.

Listed companies wouldn’t be able to gouge and lobby in the face of negligence. Regulation and fines are the equivalent of cutting off a thieves fingers and in the face of callous disregard for the public facing market these companies operate in I really can’t see a reason not to crucify one or two of them at least.

This isn’t y2k there is a real and present danger and it’s the government’s responsibility to make it real for the companies that make it real for the public.

Let’s make it real to the executives stakeholders and banks that profit off this racketeering.

Emmett July 1, 2021 5:14 PM

Not all risks are insurable, or insurable at reasonable rates — Actuarial science makes the determination.

Insurance is based on shared risk — so how big is the potential $$$ risk to a defined pool of Ransomware insured participants ??

If government is involved, you are no longer talking about standard actuarial insurance principles.

Zian July 1, 2021 5:33 PM


government is involved
Are you thinking about them as the attacker, victim, or both?

As a victim, government agencies buy insurance for other things. For example, transit agencies can buy insurance for train crashes. What would make computer security insurance actuarially impossible to calculate for government agencies that often use commercial off the shelf software?

shared risk
That would depend on the type of people at risk of the peril. For fire, that’s often “all people who own real property within a defined geographic area”. For malware, I would expect that to be “all people who use software that may have bugs”. As to the amount of potential loss, wouldn’t that be something the customer decides? If I wanted to be protected for up to $1 in damages, I would expect to pay smaller premiums than if I bought a policy that pays for up to $100 in damages.

If I’m not willing to pay the premiums for $100 or take the liability myself, then I wouldn’t expect anyone to bail me out if my box of stuff catches fire and burns to the ground.

As you said, a peril may not be “insurable at reasonable rates.” Then, the organization at risk should consider not exposing themselves to the risk. For example, if you don’t want build your own user authentication system for a website and pay $LargeNumberHere in premiums, then you could use someone else’s software and (I hope) pay $SmallNumberHere.

ech July 1, 2021 5:55 PM

UK government dogma for some years now has been “light touch regulation” to the point of absurdity. When anyone in charge actually does do their job as it exists on paper government attitude has tended to be hostile. “Market forces” have been allowed to reign supreme. It is getting worse not better.

Notable by its absense from the reearch paper is the UK computer industry as we no longer have one. Nor a nuclear industry. Nor a flexible medium and small manufacturing base. Nor much of anything, really.

A “collaborative approach between insurers and intelligence and law enforcement agencies around ransomware” is going to create a talking shop of the selfish, sneery, and stupid. For this one merely needs to review any nuber of reports and internal reports into their own misbehavior. The most it will achieve is a meeting to discuss the agenda of the first meeting while meeting in a further six months to have a meeting to discuss the framework then suspend for another six months while they appoint the members of the panel. I’ll skip the bit in the middle but suggest in 10 years time they will A.) Disband B.) Achieve nothing C.) Generate a public inquiry into dropping the ball and why they failed to work together.

Now let’s have a glance through this report.

Recommendation 1: Insurers should collectively agree on a set of minimum security requirements as part of risk assessments for small and medium-sized enterprises (11–250 employees). In the UK, this paper recommends using the controls used for Cyber Essentials3 as a minimum requirement, beyond which insurers can require additional controls based on claims data or other risk frameworks. This will help increase the baseline cyber security of many UK businesses.

I was half expecting this before I read the report. The fact is government has all but abandoned medium to small business. Big business tend to be the favoured partners of intelligence agencies and as per GCHQ’s own annual report GCHQ hate them because they have their own opinions. The ordinary man or woman in the street doesn’t get a look in.

Recommendation 2: Cyber insurance carriers should explore partnerships with managed security service providers, cloud service providers and threat intelligence providers to gain access to additional sources of data (for example, beyond only external perimeter scans). In exchange, insurers can offer reduced premiums and other financial incentives to their customers.

Typical lazy GCHQ. They cannot do anything without having a mandatory data gathering backdoor to a lot of state data and financial sector data. Now they want private sector data on the same basis? What happened to their fabled “time machine”?

Recommendation 3: The insurance industry should take a more collegial approach to data sharing. The Treasury and the Department for Digital, Culture, Media and Sport (DCMS) should bring together relevant stakeholders, including relevant regulators, Lloyd’s of London and the Association of British Insurers, to create a working group and identify a timeline for the creation of a cyber insurance data-sharing exchange.

We want your data pretty please.

Recommendation 4: The government and insurance regulators should review any current insurance regulation or legislation that impedes insurers collectively sharing data on cyber insurance incidents and claims, including confidentiality requirements in contracts. This effort can be led by the Treasury in the UK.

Mandatory data sharing policy in 5…4…3…2…1…

Recommendation 5: The government should ensure mandatory breach notification data is made available to the insurance industry. DCMS should work with the Information Commissioner’s Office to find a compromise on providing anonymised breach data to the insurance industry. If one cannot be found, the government should amend the relevant legislation.

But not the computer industry we don’t have nor the small and medium business owners we don’t really care about, and the man or woman in the street who don’t really exist because they are not represented by anybody and don’t appear in a 30 page report with a nice glossy cover.

Recommendation 6:The government, underwriters and brokers should focus awareness and marketing campaigns around articulating and quantifying the financial costs of cyber risk to businesses and consumers.

Scare the pants off them so they buy insurance!

Recommendation 7: The Cabinet Office and Crown Commercial Service should develop a policy and legal framework to mandate cyber insurance coverage for all government suppliers and vendors. This should specify minimum requirements and inclusions for coverage, whether coverage needs to vary by government department and a reasonable cover limit to ensure all affected organisations can access a policy

Yet another lucrative revolving door for ex ministers and ex chiefs of the intelligence services.

Recommendation 8:The government should help organisations identify cyber insurance products that drive cyber security best practices. To do so, the National Cyber Security Centre (NCSC) should add more detailed guidance to its buyer’s guide on services that may improve a policyholder’s cyber security practices.

Buy more stuff but not ours because we don’t have a computer industry and don’t make anything.

Recommendation 9: The Treasury, in coordination with the Bank of England and insurance industry stakeholders, should conduct a public study into the potential design and parameters of a government-backed financial backstop for cyber risk.

So less insurance based on risk and more of an investment opportunity. Post career sinecure are already sorted now donations to political parties are sorted.

Recommendation 10:The National Security Secretariat should conduct an urgent policy review into the feasibility and suitability of banning ransom payments. The review should aim to produce actionable recommendations within three to six months and consult widely with relevant government departments, intelligence agencies, law enforcement and industry stakeholders. This should form part of a wider UK government review into policy options for combating ransomware.

We’re beginning to eye an opportunity for empire building and need a bigger budget.

Recommendation 11: The intelligence community, law enforcement and the insurance industry should establish a dedicated information-sharing partnership to exchange anonymised threat intelligence and incident response and cryptocurrency payment data relating to ransomware attacks. The NCSC, the National Crime Agency (NCA) and insurance industry stakeholders should leverage existing public–private partnership models for combating cyber threats and financial crime, such as the Joint Money Laundering Intelligence Taskforce.

We’d like to have pretend jobs which pay a lot of many and staff which run around and salute us while propping up “market forces dogma” and getting other people to do the actual real work.

Recommendation 12: Insurers should specify that any ransomware coverage must contain a requirement for policyholders to notify the NCA and the NCSC in the event of an attack and before a ransom is paid.

Careful. This is beginning to sound a bit too close to doing something.

Recommendation 13: The insurance industry should work with the NCSC and cyber security partners to create a set of minimum ransomware controls based on threat intelligence and insurers’ claims data. Insurance carriers should require these controls to be implemented as part of any ransomware coverage. These controls should include:

•Timely patching of critical vulnerabilities in external-facing IT infrastructure.
•Enabling multifactor authentication on remote-access services (such as remote desktop protocol instances).
•Limiting lateral movement by adopting network segmentation measures.
•Implementing procedures to ensure regular backups are created.

Phew. We got out of this one by the skin of out teeth. Now we tell the people we don’t care about to do all the work to save spending money on insurance which justifies our post career sinecures and spend it on software and hardware we don’t make because we don’t do anything anymore.

CYBERCRIME IS THRIVING. One estimate puts global losses from cybercrime in 2020 at $945 billion, 1 while a recent report from the World Economic Forum highlights cybercrime as one of the most challenging risks facing societies in the next five years, alongside climate change and pandemics. 2 Although this trend predates the coronavirus pandemic, the spread of Covid-19 has emboldened cybercriminals. The threat posed by targeted ransomware operations, in particular, has increased in complexity and severity over the last 18 months. 3 Not only are the number of ransomware attacks increasing, 4 but the payments demanded by attackers are also increasing in value. One report suggests that from Q4 2019 to Q1 2021, the average ransom payment rose from $84,116 to $220,298. 5 It is clear that both critical national infrastructure (CNI)6 and economic security are threatened by ransomware, and cybercrime more generally.7 Meanwhile, governments and businesses continue to struggle to manage cyber risk.

Perhaps if we made our own stuff and didn’t privatise every department which isn’t nailed down, or sell everything off to our mates or not always in our best interest foreigners, or sold off our data or allowed it to be processed outside of a safe harbour, or have government ministers and other staff publish their private phones numbers or think Google email was safe because it was a big brand name their nephew had heard of, or sell arms through the backdoor to dodgy regimes or hang out with oligarchs at drink fuelled parties?

Now there are things in this report which are useful but they are bullet pointed and can be condensed down to one page. I personally think they are far too detached and far too slow and speaking the obvious in too many ways underneath the glossy waffle. Password management, not clicking like an idiot on every link in an email, compartmentalisation, staying alert, keeping good backups are basically it. They miss how much stuff is badly designed from the beginning and how 99% of users rely on this sofware and hardware because in all honesty they are too busy working or living to acquire a PhD in computer science just to press a keyboard without it blowing up in their faces.

SpaceLifeForm July 1, 2021 5:58 PM


Jesse Thompson July 1, 2021 8:30 PM

@Robert M Alberti
Your logic for “Ransomware doesn’t exist” would also require that “Ransom” doesn’t exist, in any other arena either.
It’s always some believably repairable damage or loss followed by an extortion attempt. Loved one gets kidnapped, but white knight will return them to you for $X.

As usual I’m not hearing many solutions in the comments short of either “Don’t love anyone, then there’s nobody to kidnap” or “have your daughter backed up in a gene bank somewhere, so if she’s taken you just mint a fresh one to replace her and move along like nothing ever happened”.

As a person, a volunteer organization, or as a company:

  • Backups can only be performed periodically and restoring from them abandons all data gathered since the last backup.
  • Your operation is dead in the water while all data gets restored from backup, and the very measures that put a backup out of reach of the same attack that took down your live data are the ones that slow and complicate re-introducing the backup data: It’s stored off-site, it’s geographically distributed, it’s in a time-lock safe, it requires X people to turn the key, etc.
  • The process of restoring from backup costs time and money, above and beyond the time and money invested to make the backup to begin with.

When contrasted against paying the ransom, even when you do already have a backup:

  • By and large, all files were encrypted at a snapshot state just before the outage began. Decrypting them has a reasonable chance of meaning that no transacted data is lost since the last periodic backup.
  • While you are still dead in the water reacting to the intrusion, possibly communicating with the ransomer or a proxy, bouncing funds around some crypto somewhere, (I don’t count “enhancing security to defend against future intrusion” only because that would be true for either resolution path) and then waiting for the data decrypt to complete: depending on the shape of the data this path may easily be faster than restoring from backup would.
    • For example, you’re copying from onsite disk to onsite disk (fastest via mirror RAID) instead of copying from off of an external media, and over a potentially bottlenecked data connection.
  • Obviously the process of paying a ransom costs money, but does it cost less? Bear in mind that the more secure your backups are, the more likely the ransom is cheaper than falling back to them.
    • There is also the risk that ransomer simply will not release the key on payment, or that their malware was sufficiently incompetent as to make the files unrecoverable. Those risks do dampen the potential benefit of paying ransom.

Ransomers do not (primarily) prey upon the fear and irrationality of their victims, they prey upon their obligations as rational economic actors. In this respect they closely resemble the racketeering of the mob, the nearly identical racketeering of national governments, and the actions of every other demonstrably sovereign power in the world: namely herding and fleecing those too weak to be sovereign themselves.

Namely, they have the power to attack you and you will not always have the power to defend yourself, while neither you nor the government you pay taxes to has the means and/or will to attack them back.

@NombreNoImportane, @Fail, et al

Punishing anyone who pays a ransom and holding them responsible for the incursion is victim blaming.

You can complain about lobbyists all day long, but out of millions of companies in the world and billions of users all vulnerable to malware only 0.001% of them are capable of levying any political will of their own.

Plus the ones buying lobbyists highly correlate to being the ones hardest to attack with ransomware.

But if you’re all geared up for “HUGE fines” and “the equivalent of cutting off the fingers” of any hospital, school district, or worker’s union who yields a ransom to their attackers then I guess I shouldn’t be the one to stand in your way.

In fact, I’ll pose this question back to you instead. If being negatively impacted by hackers is such obvious proof of irresponsibility that you feel an organization deserves to go bankrupt or to be fined for attempting to continue to operate at all, then why would you even care if the ransom was paid or not? What would be so bad about money changing hands to people who are basically already fining whoever you already throw under the bus for having weak enough security to be hacked?

Hell, the ransomers wouldn’t even be spending your tax dollars to levy or enforce their fines. They’re doing it “out of the goodness of their hearts”. ;P

Everywhere in the world right now, the attackers have an advantage in cybersecurity. At least partly thanks to the attack-first international policy of our governments; since any defense-first policy would have knock-on effects to defend everyone else as well.

It’s quite a lot like living in the wild west where guns are more effective in a fight than any available tech to shield against bullets are.

This situation is like if the only hospital in town hired goons to shoot people (and their children) so that they’d pay to be treated, and commenters in this thread want to punish any townsfolk who were either “irresponsible” enough to either not know how to dodge bullets, or lacked the integrity to bleed out and die in preference to seeking medical care to be made whole again.

Now if you’ll excuse me, I must get going to pay my taxes to a government that will turn around and spend that money attacking whoever doesn’t pay them — at least that are weak enough not to resist.

I guess that’s just the kind of enabler that I am. 🤷‍♂️

Fail July 1, 2021 9:58 PM

I forgot about the schools 😅

I’m still not feeling a whole lot of sympathy vs HMOs, HIPAA should cover that.

Also, speaking from the position of a US citizen the recent revisiting of the CFAA may help the question of responsibility.

Backups are a definite must, but the recent gas pipeline hack should reinforce the idea that a monopoly is anti redundancy.

And a lack of redundancy means you can’t necessarily make it to work on your own accord if your car breaks down.

Thanks for setting me down a better path than the ever trodden angry mob one JT.

Steve Friedl July 1, 2021 10:20 PM

Though criminalizing ransomware payments has a certain appeal, one way to change the calculus at the C-level might be for the IRS to rule that ransomware payments (including to “consultants” who act as middlemen) are not deductible as business expenses.

This would effectively put a tax on ransomware payments, and there’s some chance it could change behaviors.

AL July 1, 2021 11:45 PM

I’ve dealt with insurance in the amusement park businesses, and they look at every ride, because things can break. One rule that always stuck with me was, if an employee assigned to a ride found a defect, they were to be given indefinite break, and not reassigned to a different ride. That provided incentive to report defects with rides.

Well, in cyber insurance, the insurance company will look under the hood, and if a required security mitigation isn’t being followed, the insured will find themselves without insurance. The insurance company can’t sell an economically priced policy if they don’t enforce standards.

Way I see it, we don’t have a business oriented operating system. Microsoft Windows comes to mind. Do we need the display at kernel level? Do we need USB devices connecting at kernel level?

Right now, I see OS’s optimized for gaming. There needs to be a business oriented operating system, employing “least privilege”, where, whether it is network, display, USB. or printing, the attack surface at kernel level is minimized.

This idea that someone could receive an infected Excel spreadsheet, open it and infect multiple computers is ridiculous.

Every month from Microsoft, I see never ending patches for kernel or display escalation of privilege. I hear the print spooler is going to join in shortly.

The insurance alleviates the symptoms, but the OS looks like a car with a steering column where the driver can be impaled on, brakes where a brake line breaks at one wheel, and all 4 wheels fail, etc. If we were talking cars, I see OS’s at about 1966 safety levels.

And I had car insurance in 1996.😉

Winter July 2, 2021 1:07 AM

This quote is only part of the story:
“To date, the UK government has taken a light-touch approach to the cyber insurance industry. ”

Security is a public good.

One reason is that the UK government, like many other governments, have fiercely opposed all attempts to secure computer networks.

The UK is a prime example of a country where the government has historically considered their population as their main enemy. And an enemy you cannot spy on is too dangerous.

As most computers and software are designed and commissioned in countries that have the same approach to user security, be it for political reasons or for wealth extraction reasons (user==product), we will not see any improvement soon.

And with a public/stockholders that does not want to pay for hardening security, the circle is round again.

Again, security is a public good. This is a classical “tragedy of the commons”, where everybody wants someone else to pay for a public good. Without government regulation, there will be no security. And with a government that relies on the insecurity, there will not be any effective regulation.

Cyber-insurance is just a band-aid to prevent companies and public institutions (hospitals) from collapsing. The alternative, hardening security, is unthinkable for those involved.

I am constantly reminded of Hurricane Katrina. Everyone knew the levies should be repaired and improved. But no one wanted to pay for it. And gone was New Orleans. The same holds for collapsing bridges, ransomed pipelines, and failing power grids in the USA, and many other countries.

John July 2, 2021 2:11 AM

Cyber insurance is doing the wrong thing for cyber security in much the same way that the banks are currently tolerating a fairly high level of credit card fraud, as a commercial cost.

In both cases, we need a system with greater integrity, i.e. not subject to criminal attack and treating the ongoing cost via the balance sheet is doing harm.

ADFGVX July 2, 2021 2:37 AM

@ John • July 2, 2021 2:11 AM

Cyber insurance is doing the wrong thing for cyber security in much the same way that the banks are currently tolerating a fairly high level of credit card fraud, as a commercial cost.

There’s a temptation to pay the premiums and ransoms demanded by “the industry” as a “cost of doing business” — but that sort of theft is too bold. If you want to start cutting those losses, there are other additional burdens to keep your children and family safe.

In both cases, we need a system with greater integrity, i.e. not subject to criminal attack and treating the ongoing cost via the balance sheet is doing harm.

Here again, you are fighting the same “industry” tooth and nail, and taking a nasty haircut on any business profits, and meanwhile they’re drawing as much of your blood as they can possibly get away with.

The problem is that “the industry” has such a strong vested interest with ongoing “sunk costs” in banking systems and other monetary systems already known to be irredeemably compromised.

That is a general problem with “capital deepening” or, in general, getting “in too deep” to serious organized crime, even to the point of hiring hit men to take out thieves, unless you want to talk about improving the security of the entire court system and criminal justice system, which has also been hacked and compromised to benefit the thieves.

wiredog July 2, 2021 5:41 AM

I think AL and I are the only ones posting here who have dealt with insurance companies as other than purchasers of home/auto/small business insurance.

In the 90’s I worked in industrial automation and the customer’s insurance companies insisted that our (mostly custom, one-off) machines get UL Certified. UL is “Underwriters Laboratories”, that is, the insurance companies equipment testers. UL Listed means that the insurance companies have determined, to their satisfaction, that the device isn’t likely to catch fire, explode, electrocute the user, or otherwise generate an insurance payout.

Not a lot of hoops to jump though, comma, but. All the subassemblies and parts we bought “off the shelf” were UL listed, we thoroughly documented how they were connected to each other. We documented the proper way to use everything, all the failure modes, and the mitigation for those modes. Mostly lots of circuit breakers, but some safety circuits that shut everything down if an operator did something stupid, like stick their head into a machine that had half ton hoists moving at 4 feet/second.

UL needs to develop the expertise to do for cybersecurity what it does for other things.

EpicFail July 2, 2021 9:28 AM


You seem to be equating covering loss from ransomware via insurance as irresponsible to getting hit my a car WITHOUT insurance. Oh the irony.

wumpus July 2, 2021 2:01 PM

What should the insurance cover? Scrapping the malware off your backups? Shouldn’t the backups be cheaper than the danegeld anyway?


At one point I was testing streetlights for excess glare/light pollution. It seems that UL bought up the company responsible for the specs. The company itself had a curious business practice, they’d lobby governments to follow their spec, then charge the companies making streetlights for the rights to test the equipment to their spec.

I have no idea how you would test software for security, especially with a mostly automated/procedural tests like a UL spec. But I’d expect that any company that created one would have an ultimate business plan of being bought by UL (although I have no idea if they pay a high premium or not).

SpaceLifeForm July 2, 2021 6:24 PM


The problem is that “the industry” has such a strong vested interest with ongoing “sunk costs” in banking systems and other monetary systems already known to be irredeemably compromised.

You get it. It’s all a scam.

There are no guarantees in life, no matter how much you waste on insurance.

DB and GS do not care about anything but profit. It’s turtles all the way down.

c1ue July 6, 2021 9:22 AM

I would note that the depiction of insurance implicit in the paper is very poorly nuanced.
Among the more egregious errors: there is an enormous difference between how insurance operates in a primary sector like auto collision vs. cyber security.
Auto collision insurance is both highly actuarially analytical and regulated.
Cyber insurance, on the other hand, is more akin to the original Lloyd’s operations in the 1800s than anything else. Which is to say, seat of the pants.

The analogy extends beyond the modeling/underwriter requirements/claims and loss handling.

For auto insurance – particularly liability – the car insurance companies were behind many of the auto safety laws: seat belts, air bags etc much as they also fund many of the active accident avoidance research today.

Where is the equivalent in cyber insurance?

Yet there are ways by which the cyber insurers could address the cyber security problem.

Coalition and others are trying the fire/boiler insurance approach: institute a set minimum maintenance and safety standards and inspect. Longer term, this is likely what needs to happen but I am certain that the shambolic nature of IT today makes this futile in the short term.

Another way to address this is again found from the past: when piracy became a problem for Lloyd’s – they incented private parties to address the problem.

How much would a $10M bounty on information leading to the cessation of Darkforce activities, impact focus on this and other major ransomware groups?

By contrast: the cyber security industry sees a bump up every time a new ransomware outrage hits the news sheets. Talk about mixed feelings.

M. July 7, 2021 1:37 AM

Am I the only one thinking the comparisons to kidnappings in the Middle East and Latin America may be a good place to start with this analysis? Countries AND companies have responded completely differently, and because they’ve set up such different incentives, kidnappers, insurers, and governments have learned to respond differently. I kinda wonder if you’ll see the same spread of reactions when it comes to ransomware.

To give you two points of comparison. if you’re an IDF soldier and captured by Hamas? You might be beaten, but you’ll be alive in five years. The one Israeli soldier to 1,000 Palestinian prisoner ratio that’s been prevailing recently means you’ll probably be fine. They may want to murder you, but everyone knows it’s in their best interests not to. You almost always win an engagement when you’re shooting to kill and they’re just trying to capture you. Israel knows its vastly outnumbered, so its strategy for the past 25+ years has been to weaken its opposition further by making its soldiers exponentially more valuable alive than dead.

If you’re American and you’re kidnapped in the Syria by ISIS, it’s the exact opposite.

Forty or so years ago, if you were an American and kidnapped, your company could hire Kroll and/or the U.S. State Department might help negotiate your release. This policy existed because American grand strategy was predicated on American businesses being able to operate wherever they wanted to operate. But 9-11 and the Patriot Act really did change that. American grand strategy shifted from the post-WWII multilateral world order to the Cerebrowski/Rumsfeld doctrine, which explicitly relies on some countries being uninhabitable ****holes.

Al Qaeda/ISIS initially took its cues from Hamas, so when they first captured Americans, they thought the USA was a larger, richer version of Israel. Consequently, they began negotiations for people like James Foley at ridiculous prices like $300 million. The U.S. government claimed the Patriot Act made it illegal for them to negotiate, let alone pay. Moreover, they argued that the Patriot Act made it illegal for ANYONE to negotiate — including the victim’s relatives. Lawrence Wright’s The Terror Years has an absolutely jaw dropping section about how the FBI treated James Foley’s family when they hired a K&R firm to negotiate his release. (Spoiler: the FBI came thisclose to prosecuting Mr. and Mrs. Foley as terrorist money launderers — and they only stopped when they realized they’d never be able to undo the damage the catastrophic Streisand Effect would do to their careers.)

That said, I really wonder if The Bureau is right and these attacks aren’t about money at all. And if that’s the case, there’s no point trying to reason our way through this because we’re trying to play baseball while they’re playing some card game with the lights off.

Robert M Alberti July 9, 2021 9:55 AM

The only way in which holding data hostage can be compared to holding people hostage would be if cloning machines worked, and worked fast. While that would make for a really interesting science fiction story, data and people are not the same. If the Taliban holds a person hostage they either do or don’t return that person when paid. If they return that person you can be pretty sure that person is who you think they are. They won’t have been recoded into a Manchurian Candidate or something.

Not so with data. Maybe the Taliban returns you an unaltered copy of your data. They still will probably keep a copy to peruse at their leisure or sell on the black market if it has that kind of value. “But it’s encrypted!” Maybe it is. Or maybe they obtained a copy of the decryption keys before they launched their extortion attempt. Or maybe they have the resources for a brute force crack given that they now have as long as necessary to try.

And maybe you get a copy of your data back, but it’s got changes. How would you know? Is there a backdoor into your systems? Have they decrypted your databases, swapped encryption keys, and re-encrypted your databases with the new keys that they now possess, so they now have real-time access to your databases? How would you know? You simply CAN’T trust the data you get back from these scammers, meaning it’s valueless and worse than useless, it’s dangerous.

Finally, and I’m sad I have to say this, people are more important that company data. I know, I know, it’s a shock, but your company’s data isn’t actually worth a human life. So the measures taken to recover people cannot be compared to the measures taken to avoid having to resign your job because your board holds you responsible even though they denied your infosec funding for five years running.

Take the extortion attempt out of “ransomware” and look at what you have instead: an APT damages your data. That’s it. Done.

What would you do then? Well you’d take the hit, restore from backup or do the best you could, and then try to incorporate the lessons learned to avoid a repeat event. It’s happened to hundreds of companies all over the world for years. It’s cost people their jobs. That’s part of the risk we take in this field.

The extortion attempt muddies the stark reality of that loss with the lure of magically undoing that loss with enough raw cash. It’s a grift. It’s a pure con.

c1ue July 9, 2021 1:05 PM

@Robert M Alberti
While cold blooded, the reality is that corporations and governments value human lives in monetary terms all the time. What else is automotive liability insurance but the primary recompense for health and life losses? What about straight out health insurance?

Nor is FUD about the “integrity of returned data” particularly convincing.
Backups take time and involve at least some degree of inevitable loss. Older organizations’ IT systems involve black boxes of code and/or hardware that may literally have no one aware of their existence, much less being able to recover.

Yes, I absolutely agree that most organizations can eventually recover from a ransomware attack. Ultimately that is a decision for the executives in that company – much as decisions on cybersecurity spend.
Is $100M a year in cybersecurity spend with a, say, 2% chance of successful attack, worth the prevention of $10M in potential losses? How is this different than deciding whether to allocate $100M for marketing, sales and/or product development?

The cybersecurity industry is going to continue to be immature if it cannot comprehend that the costs of executing must be justifiable, at the top level, with the many other calls for budget and executive focus.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.