Insurers are inadvertently funding organised crime by covering ransom payments, says former NCSC chief

Insurance companies are inadvertently funding organised crime by covering ransom payments, according to former NCSC chief Ciaran Martin, who ran the National Cyber Security Centre until August 2020.

Speaking to the Guardian newspaper, he said he feared that so-called ransomware was “close to getting out of control” and that there was a risk that NHS systems could be hit during the pandemic.

The problem, he said, is being fuelled because there is no legal barrier to companies paying ransoms to cyber gangs – typically from Russia and some other former Soviet states – and claiming back on insurance. “People are paying bitcoin to criminals and claiming back cash,” he is quoted as saying.

“I see this as so avoidable. At the moment, companies have incentives to pay ransoms to make sure this all goes away,” the former intelligence chief said. “You have to look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry”.

According to research by blockchain software company Chainalysis, the big story for cryptocurrency-based crime in 2020 was ransomware. While ransomware accounted for just 7% of all funds received by criminal addresses – just under $350m worth of cryptocurrency – the figure represents a 311% increase over 2019.

Ransomware attacks also became more targeted and costly in 2020, according to Willis Towers Watson. In its Insurance Marketplace Realities 2021 report, the broker noted that cybercriminals are targeting businesses of all kinds with ransomware attacks. “As these attacks become more sophisticated, threatening a firm’s entire electronic infrastructure, ransom demands have increased — often reaching eight figures.”

There are signs the insurance industry is waking up to the issue. At the 1 January 2021 cyber renewals, a number of cyber insurance markets are understood to have introduced new sublimits to reduce their potential exposure while some imposed co-insurance measures (sharing a defined portion of claims with policyholders for losses below a certain threshold).

Rates for primary and excess cyber cover are rising by double digits across the board, with heavily exposed industries most likely to see increases in the 30%-plus range, according to Willis Towers Watson. These include healthcare, higher education, public entities, manufacturing, financial institutions, construction, and large media and technology companies.