Cyber insurance and ransom payments

Ransomware has in recent years become the most feared computer related event globally by companies of all sizes and is fueling the recent growth in cyber insurance.

Insurers’ approach to ransomware may also be the most controversial aspect of cyber insurance, due to the fact that many cyber insurance policies have cover for extortion payments. Since these payments are made to criminal organisations, and as a rule in untraceable cryptocurrencies, it’s understandable why it is a sensitive question.

If remains fully committed to continuing to insure our clients’ cyber risk, but in our quest to be more sustainable we have made the decision to step down from offering cover for extortion payments.  This article explains the background to this decision and our perspective on the future of cyber insurance.

Feeding criminals

While paying the criminals to unlock the data may provide immediate help to resolve the emergency at hand, it also has the very dark side of directly feeding cybercrime as a lucrative criminal career path. As the ransom payments in 2023 are often measured in millions, or in extreme cases tens of millions of dollars, every single payment made, or left unmade, truly matters. In a way, it’s like pouring petrol on a campfire.

There are situations where the paying of ransoms is acceptable, and there are cases where paying ransoms is illegal, for example if the recipient is a person under sanctions (e.g. for funding terrorism).

Finally, there is the reputational harm for cyber insurers, which has already eroded the viability of cyber insurance as an insurable risk.

Ransomware is not the only reason organisations take cyber insurance policies, but the recent uptake in ransomware incidents has certainly caused many companies to look for cyber insurance to help mitigate possible losses in the event of a cyberattack.

Decision not to pay ransoms

If is determined to continue to provide cover for all other costs incurred by ransomware, including but not limited to business interruption, incident response and data restoration, as well as any other type of cyber events. Our decision not to cover ransom payments is limited only to the actual ransom payment, and is simply based on ethical considerations. We recognize that in some cases not being able to pay might even lead to a longer business interruption or higher incident response costs which we continue to insure.

We recognise extreme scenarios could exist, where payment cannot be avoided. Examples of such situations could be an imminent risk of loss of life or large-scale leakage of highly sensitive data that the organisation must avoid at all costs. We fully respect our client’s decision to give in to extortion out of their own pockets in such excruciating circumstances.

We stand behind our decision not to pay ransoms, and we do this in our pursuit to be the most sustainable insurance company. We also believe that one insurer needs to have the courage to act first, to change the status quo, which we have now done. We believe that more insurers will follow us in the fight against cybercrime.

Written by

Mikko Peltonen, Head of Digital Risks and Cyber