Ransomware attacks make for one of the most common cyber attacks around the world, with malicious attackers targeting high revenue corporates with systematic exploits and financial gain as the clear end objective. While many enterprises, especially high-value ones have since opted for cyber insurance policies to deal with ransomware incidents, the cyber security community believes that use of cyber insurance in mitigating ransomware attacks by issuing payouts is leading to more ransomware attackers being incentivised. A Threatpost investigation report on the matter cites multiple ransomware examples to show why might this be the case.
Financial ‘cushion’ vs responsibility
The Threatpost report cites multiple instances of how cyber insurance claims have worked till date. On this note, the report notes how cyber insurance has so far worked as ancillary buffers for corporates, in a bid to help them recover from crippling cyber attacks. The objective here is clearly not usage of such policies in issuing ransomware payouts to attackers, but to help assess and mitigate the total cost incurred due to the cumulative nature of losses that a ransomware attack would impose.
A standard ransomware attack would typically exposure a company’s cyber infrastructure, and costs incurred may range from ransom payouts, infrastructure overhaul, recovery of corrupted files, rapid action security personnel and so on. While coverage of such assessed damages is the key objective behind cyber insurance policies, the aspect of responsibility may go amiss in process, security researchers note. As Brandon Hoffman, chief information security officer at NetEnrich says, “Not only does making a ransomware payment also place an organisation in a potentially questionable legal situation, it is proving to the cybercriminals you have funded their recent expedition.”
In India too, cyber insurance providers have increased in frequency steadily on both personal and private terms, as detailed in a Mint report. However, the concern lies steady that a blind dependence on insurance to mitigate costs incurred due to ransomware in particular is also causing companies to not shore up their cyber security standards and defences the way they should.
Regulatory guidelines necessary
While refraining from paying a ransomware demand is not a regulatory necessity, many security advocates have underlined the need for companies to easily pay out ransom. To this end, the USA is looking to set certain precedents by advising state governments and local administrative bodies from paying ransom in case of cyber attacks. In this case, many attacks are typically orchestrated by state-backed national cyber criminals from foreign nations, and for this, numerous cyber insurance policy providers also have clauses in their service contracts that refrain ransom payments citing acts of hostility and war.
However, much like large sections of technology and even insurance, cyber insurance policies remain unregulated in nations such as India. The nation has become one of the biggest targets for cyber criminals, but lacks a clear understanding and uniformity of actions recommendable to enterprises facing such cyber attacks. A February 2018 paper on the matter by Simran Sabharwal and Shilpi Sharma of Amity University underline how ransomware is not covered under the Indian Information Technology Act, 2000, and so far, lack of clear cyber security legislation makes both insurance providers and defendants prey to arbitrary actions.
Until further regulations in India and around the world, ransomware attacks will warrant payments from enterprises being held prey, and insurance providers will continue to bear the brunt of such attacks to a certain extent. While security advisers are largely on point in their fear of attackers using policies to further increase financial exploits, the industry will require laws and regulations to establish a response framework that holds back payments while giving companies adequate indemnities and resources to deal with cyber crises.
Read all the Latest News, Breaking News and Coronavirus News here.