Nearly 700 years ago, England captured King John II of France and held him for ransom for four million écus. But France could not afford to pay, and King John II ultimately traded two of his sons as substitute hostages to try to secure his own release.
Today, it is not monarchs and their territorial kingdoms but computer systems and electronic kingdoms of data that are at risk. They are held hostage by foreign hackers who promise a key to unlock them in exchange for a king’s ransom in bitcoin. But unlike France in the 1300s, many companies today can and do pay.
When the cybercriminal group known as DarkSide took Colonial Pipeline’s computer systems hostage, it took less than a day for Colonial’s CEO to agree to pay 75 bitcoins ($4.4 million) to secure its release. It still took several days before the pipeline—a critical supplier of fuel for the eastern United States—was operational again.
And while Colonial’s $4.4 million payment made national headlines, it was well below the eye-popping $40 million that insurer CNA reportedly paid in March 2021 to neutralize a ransomware threat, more than any other publicly disclosed ransom ever paid.
Colonial reportedly had cyber insurance coverage that could help mitigate the impacts of the hacking attack. Most stand-alone cyber insurance policies include extortion coverage, covering costs to investigate a ransomware attack, negotiate with the hackers, and make a ransom payment. And some property insurance policies may provide coverage for other losses that result from a ransomware attack.
DarkSide’s attack (and Colonial’s payment) has led to increased scrutiny of the ransomware ecosystem. Some have called for governments to make such ransom payments illegal. And while no government has yet banned paying ransoms outright, the U.S. Treasury issued an advisory on the potential risk of civil penalties for paying ransoms to anyone subject to U.S. economic sanctions. But a global task force of leading cybersecurity and technology industry experts recently concluded that, although ransom payments should be discouraged, an outright ban is not the solution. Such bans could cause hackers to shift to the areas of greatest vulnerability: hospitals, where the resolve to refuse payment is likely weakest in the face of calamitous assaults on societal need, or small- and medium-sized businesses without the resources to otherwise recover from a ransomware attack.
Others have sought to blame the availability of insurance, with at least one reporter suggesting that insurance companies are fueling ransomware attacks because it’s “good for business.” And in response to pressure from the French government, AXA SA recently announced that its French subsidiaries would no longer sell policies that cover ransomware payments.
But the availability of insurance coverage for ransom payments is not the problem and instead could be part of the solution. Some argue that the availability of insurance has led companies to become more lax about computer security. But this is no different from arguing that insuring negligence encourages more risky behavior. Policymakers have long recognized a benefit to allowing such insurance to compensate innocent victims. And in many jurisdictions even punitive damages resulting from reckless conduct are insurable because, as one state supreme court put it, policyholders will not be more likely to act recklessly simply because they have an insurance policy that covers punitive damages.
Insurance companies also have strong financial incentives to encourage policyholders to implement cybersecurity best practices proactively to minimize the likelihood of having to pay out on a claim. Just as fire insurers have long promoted industrial and commercial hygiene by establishing guidelines, inspecting premises and rewarding results with favorable premiums, cyber insurers can promote best practices to thwart hackers and prevent losses.
Others argue that insurance companies encourage ransom payments because they are less expensive than the insured losses that would otherwise result. But companies will engage in this same cost-benefit analysis regardless of whether insurance exists. Kidnap and ransom insurance has existed since the 1930s, with its purchase by corporations becoming more common beginning in the 1960s and 1970s, yet there is no evidence that the mere availability of such insurance has made ransom payments more likely. Indeed, the availability of ransomware insurance could decrease the total ransom being paid out. Unlike a company experiencing its first ransomware attack, ransomware insurers are well positioned to develop the expertise to negotiate lower ransom payments, and to do so in a lawful manner that respects sanctions restrictions.
France could not pay the King’s ransom before it was too late. But today’s cybercriminals know better than to make ransom demands higher than their victim’s ability to pay. And as long as such payments remain legal, insurance coverage is likely to continue to play an important role in managing the risk of becoming a cybercriminal’s next hostage.