
Growing concerns over ransomware payments puts NZ cyber insurers on the spot

Friday, 2 October 2020

Cyber insurers may be the canary in the coal mine if anger over ransomware turns into a tougher line on paying off attackers.

The tide may be turning against insurers providing cover for the payment of cyber ransoms as concerns grow over the ethics and ramifications of caving into blackmail demands.

Insurance Council chief executive Tim Grafton said paying ransoms sent “absolutely the wrong signal” and there was “clearly an issue around reimbursing ultimately criminal behaviour”.

But while legitimate questions could be asked, the issues around insurance were “not black and white”, he said.

GCSB Minister Andrew Little said last month that it was “never ethical” for businesses to pay such ransoms because they sustained criminal activity, and he has not ruled out a law change.

NZI indicates on its website that its cyber insurance covers ransom payments but said in a short statement that its policies are regularly reviewed.


The United States Treasury appeared to turn the screw further on Thursday.

It issued a warning that cyber insurers and other businesses risked violating its regulations if they helped pay off attackers.

They could face sanctions if they facilitated payments – even unknowingly – to some cybercrime groups including the Lazarus Group, which it said was sponsored by North Korea, and Russian gang Evil Corp.

GCSB Minister Andrew Little has been cautious about a law change but has said paying off cyber extortionists is “never ethical”.

The US Treasury said ransomware was a growing problem and payments could be used to fund further crimes and “activities adverse to the national security” of the US.

Although the sanction threat applies mainly to US organisations, any US citizens overseas and non-US organisations that facilitated the banned transactions for Americans appear to be within its ambit.

Debate over the ethics of ransom payments has heated up globally after the much-publicised death of a German woman who was unable to undergo urgent surgery because of a ransomware attack on a hospital in Dusseldorf last month.

One cyber security consultant described the relationship between insurers and ransomware as “perverse”.

“'Cyber' is the most profitable type of insurance, and ransomware helps them sell it,” he said.

Many firms would have upped their insurance cover after US law firm Grubman Shire Meiselas & Sacks – whose clients include Lady Gaga – was subjected to a US$42 million (NZ$62m) ransomware demand this year, he said.

Insurance Council chief executive Tim Grafton says the rights and wrongs of paying ransoms, and of insurers providing cover for businesses paying ransoms, are not the same.

“That’s not only good news for the insurers, it’s good news for the criminals too: the more coverage their victims have, the more they can pay.”

NZI, a division of Australian insurance giant IAG, states on its website that its Cyber Base and Cyber Ultra insurance policies include cover for “cyber extortion”.

It says that includes “payment of ransom, or costs associated with negotiating or mediating due to an extortion attempt”.

IAG declined to discuss the ethics of providing that specific cover within its policy.

But in a possible sign changes might be considered, a spokeswoman said in a brief statement that it “regularly reviewed” its policies to ensure they were fit for purpose.

Delta Insurance – another big player in the cyber insurance market – states that its policies include cover for “network extortion”.

But chief executive Ian Pollard said he agreed with Little that it was never ethical for firms to pay cyber ransoms.

“It is certainly not ethical – that is right.”

Pollard said Delta hadn’t had to meet the cost of a ransom to date, as it had always found better alternatives for clients, and would look at the US Treasury statement.

“We are constantly reviewing our policies with regard to what the current jurisdictional exposures are,” he said.

But if it “tinkered around” with its policy wording by excluding ransom coverage from its insurance that could have unintended consequences, he insisted.

Insurance broker Crombie Lockwood promotes cyber insurance on its website that covers “extortion costs incurred in the threat of an event or a ransomware assault”.

As an example of a claim, the company states that cyber insurance had met the cost of a 5 bitcoin (NZ$78,000) ransomware demand incurred by an unnamed professional services firm.

Spokeswoman Debbie Lowe declined to comment.

Grafton drew a distinction between the ethics of businesses paying ransoms, and insurers reimbursing the costs of them doing so – saying they were not the same.

That was because it was “entirely the decision of the insured”, rather than the insurer, to pay the ransom, he said.

In some situations – for example if a hospital was attacked – paying a ransom might be required to save human life, he said.

Generally speaking, covering ransoms was a last resort for insurers, and the cyber insurance industry encouraged businesses to be more resilient to attacks, he said.

It would be incorrect to say that if there was no insurance for ransomware attacks then no ransoms would be paid, he said.

“Kidnapping has been going on for centuries. That kind of behaviour occurs whether or not there is insurance in place.”

The US Treasury said cyber crime victims should seek permission from the department if they were considering paying off a ransom that might fall foul of its rules, which it would consider “with a presumption of denial”.