2021-10-06

Do insurers maintain a criminal revenue model? They currently reimburse the ransom that companies pay to free their hacked files. But banning that, a possibility the government is investigating, makes no sense, thinks lawyer Nynke Brouwer. “No one wants to pay criminals who occupy your company. However, there is often no acceptable alternative.” On Thursday she will receive her PhD at Radboud University in Nijmegen for her research into cyber insurance.

In addition to home contents and fire insurance, more and more companies are also taking out cyber insurance, offered by insurers such as AIG, Hiscox or Nationale Nederlanden. If an organization becomes the victim of, for example, a ransomware attack, the insurer reimburses the cost of hiring specialists and pays compensation. Any ransom paid is also covered.

According to critics, insurers thus play an important role in sustaining the lucrative criminal revenue model around ransomware: if a company is insured, it may decide to pay more quickly. That is why the Ministry of Justice and Security is investigating whether the payment of ransom can be prohibited. Brouwer doesn’t think that’s a good plan.

Why are you against banning ransom cover?

“I think the reasoning that insurance coverage is causing more ransomware attacks is too quick. No real research has yet been done into payment behavior, nor into the influence of insurance on it. What is such a ban based on? The moment you start banning payment in general, you’re basically pushing it into the shadows and you lose sight of it. Payment is still made, but in different ways.

“For my research into ransomware coverage, the pertinent question was: Does an insured company pay ransom more often than an uninsured company? I have not been able to establish the connection between insurance coverage and ransom payment. Companies decide to pay ransom because there is no acceptable alternative. That problem applies to both insured and uninsured companies.”

Although there are occasional successes, it is nearly impossible for companies to decrypt hacked files themselves, and it often takes too long. Every day that a company is shut down costs a lot of money. Especially if the backups are also affected, paying the ransom quickly becomes attractive.

You say: companies have no choice.

“Insured or not, companies pay because they have no other choice. Currently, a minority of companies have cyber insurance. At the same time, we know that many businesses affected by ransomware will eventually pay because sometimes there is no alternative.

“You also hear more often that insurers should only be allowed to compensate business damage. That doesn’t solve the problem. We know from government agencies – which usually do not pay on principle, which is of course very noble – that the damage can be enormous, sometimes much greater than the ransom demanded. Coverage for business damage only is not necessarily attractive for either the insurer or the insured, because it can lead to rising premiums and cover limits. Providing cover must remain a responsible thing for an insurer to do.”

You call a ban on the payment of ransom ‘a drop in the ocean’.

“Ransomware is the big problem. Ransom insurance coverage is only a small part of that. We need to take a broader approach to ransomware, for example by improving detection and prevention. There are also other ways to disrupt the criminals’ business model, for example via the ransom payment itself, which usually happens in cryptocurrencies. Those kinds of transactions could be made more difficult.

“I’m not saying we should leave things as they are. There is certainly room for improvement in insurance, such as more clarity about the definitions of important terms. At present, there are still discussions in court about banal concepts: what is fire, storm or hail? Can you imagine what kind of discussions this will lead to about the concepts of ‘cyber incident’, ‘malware’ or ‘phishing’?

“No one wants companies to pay money to criminals. No company thinks: who cares, I’ll just pay. Something absolutely needs to be done about the ransomware problem, but I don’t think the focus on insurance coverage in that bigger picture is justified.

“Particularly for smaller companies, such cyber insurance can be incredibly valuable. You get an emergency number where you can receive 24/7 assistance. Speed is important in cyber incidents. I see cyber insurance as a last safety net for companies, which can make the difference between going under or not.”