White House Official Calls For Insurance Companies To Stop Covering Ransomware Payments 

This past Friday, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, wrote an opinion piece for the Financial Times warning that ransomware was “wreaking havoc around the world,” and that insurance companies must stop issuing policies that incentivize extortion payments in ransomware attacks.

The initial call for the practice to end was made at the end of the 4th annual International Counter Ransomware Initiative summit in the US last week, where the 68 members discussed tackling the problem.

“Some insurance company policies — for example covering reimbursement of ransomware payments — incentivize payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end,” Neuberger wrote.

The insurance industry could play a “constructive role” by “requiring and verifying implementation of effective cyber security measures as a condition of underwriting its policies, akin to the way fire alarm systems are required for home insurance,” Neuberger continued. 

Attempts to engage with the insurance industry have not yet delivered any promises or formal agreements.

Earlier this year, the UK’s NCSC announced that it would agree on guidance that expressed a joint view of how businesses should handle ransomware attacks. Furthermore, during the CRI summit, just 39 members and 8 insurance industry bodies from around the world endorsed similar guidance encouraging “organizations to carefully consider their options instead of rushing to make payments.”

Despite the availability of other guidance on best practices in ransomware responses, attacks targeting victims in the UK and the US have roughly doubled over the past two years.

Steve Hahn, EVP Sales US, BullWall:

  “The global ransomware market has seen a 200% increase in successful cyber attacks in the last two years. They know global ransomware payments exceeded a billion dollars for the first time last year. This increase in money for the criminals gives them all the incentive they need to continue innovating their attack techniques. It’s clear many companies are seeing these events as inevitable, which is true, but relying on insurance to pay their way out of it. Unfortunately, even if they pay the ransom, their infrastructure was down for days or weeks and they are unlikely to recover more than 78% of their data even if they pay the ransom. 

United Healthcare paid at least $22 million in ransom payments, but that didn’t stop billions of dollars of downstream economic loss, including multiple healthcare companies that were forced out of business because of this event. Paying the ransom increases activity, increases funding, and throws gasoline on what is already a raging fire. Yes, these events are inevitable, but companies must focus on containing these events quickly, segmenting their environments, limiting the blast radius, and focusing on how to recover quickly from immutable backups. These strategies will ensure a quick recovery from the inevitable without lining the bloated coffers of the criminal underground.”

Ted Miracco, CEO, Approov:

  “Paying ransoms only fuels the ransomware economy, emboldening attackers, and encouraging future attacks. Businesses must focus on bolstering their fundamental cybersecurity practices— not adding more insurance coverage, as insurance is a reactive measure and often only provides temporary relief, while the underlying vulnerabilities remain unaddressed. Insurers should play a constructive role by mandating stricter cybersecurity practices as a prerequisite for coverage, much like requiring fire alarms in homes. This would help elevate overall security standards and reduce the attractiveness of ransomware as a profitable venture.”

I’ve said it before and I will say it again. These sorts of attacks are out of control. Everyone needs to do better when it comes to responding to attacks. And that includes not paying the ransom. Ever.
