The American Property and Casualty Insurance Association (APCIA) released a new set of principles addressing the debate over whether insurance carriers should reimburse ransoms paid after cyber attacks, and what steps insurers can take when policyholders fall victim to an attack.
APCIA’s principles serve as a guide for the industry on what actions insurers can take to fight the ransomware epidemic: partnering with government, responding appropriately when attacked, and developing stronger cybersecurity. Key guidelines include:
- Cyber threat information sharing by governments and impacted businesses with strong liability protections can increase timely detection, response, and deterrence measures.
- Insurance is an important economic recovery resource for victims of ransomware attacks. Prohibitions on the reimbursement of legal ransom payments present potential unintended consequences, such as eliminating a meaningful risk management resource.
- The ransomware problem cannot be resolved with insurance-centric policy changes alone. Insurance can play a role in enhancing resilience, but ultimately cannot cure the criminal behavior that perpetuates the ransomware problem. For this reason, there must be a holistic approach that targets the core drivers of criminal behavior and draws on the expertise of all stakeholders.
- Governments should not rely on insurers as the due diligence mechanism for monitoring business compliance and implementation of security measures.
Ransomware attacks have grown in frequency and sophistication over the past several years, and companies often feel they have no choice but to meet ransom demands. Some argue that paying ransoms encourages attacks on high-value targets and sets a bad precedent; others argue that banning payments would not stop the attacks and would leave smaller businesses, which are least able to recover without paying, at higher risk.
The New York State Department of Financial Services (DFS) issued new guidance as well, stating that the department is joining the FBI in recommending that companies avoid making payments if their networks are compromised. The National Security Council also suggested that private companies should not pay ransoms because there is “no guarantee that companies will get their data back.”
While the question of how to stop the cycle of ransomware attacks and payments remains open, AM Best suggests insurers rethink their approach to cyber insurance. For example, AXA announced it would stop underwriting new policies in France that reimburse ransomware payments altogether, while other insurers are seeking to cap their exposure.