Interview: Andrew Rabie, Head of IT and Security at HUMAN, on the Role of Insurance in Combating the Ransomware Epidemic

In recent months, there have been many high-profile ransomware attacks, and many organizations will now be wondering if they will be targeted next. This attack vector has affected bodies across various industries, such as the Colonial Pipeline, the US’ largest fuel pipeline operator, Ireland’s healthcare system provider, HSE, and Japanese electronics company Fujifilm, to name just a few. According to a recent Bitdefender study, this trend has continued from 2020, in which an astonishing 485% rise in ransomware attacks took place compared to 2019.

All of this has ignited the debate on whether organizations should ever pay a ransom, with a spotlight being placed on the role of insurance firms in covering the cost of these payments, which some argue is only fuelling the ransomware epidemic and funding criminal activity. Recently, insurance company AXA took a brave stand, announcing it would no longer be reimbursing French clients who fall victim to ransomware for any costs they incur paying their extorters. Just days later, AXA was hit by a ransomware attack, apparently in revenge for this stance, with the threat group claiming to have encrypted data from the multinational firm in Thailand, the Philippines, Hong Kong and Malaysia.

Amid this backdrop, Infosecurity recently spoke to Andrew Rabie, head of IT and security at cybersecurity company HUMAN, to gain more insights into this wide-ranging topic.

Insurance company AXA was recently struck with a ransomware attack just days after announcing a new policy that would see them no longer reimbursing customers for any ransomware payments made to threat groups. What do you think the broader impact of this attack will be on the insurance industry and policyholders? 

‘They say hindsight is 20/20.’ Hopefully, AXA has a good backup strategy, or they have now realized how their decision could impact their customers.

We’ve seen a significant rise in ransomware attacks, and there doesn’t seem to be an end in sight just yet. Attacks and threat actors are getting more sophisticated, and businesses are less equipped to protect themselves from new tactics. Frankly, security teams are less prepared compared to where they were three to five years ago. New threats are emerging, and they aren’t where they thought they would be right now based on the current ransomware trends.  

If other insurers plan to follow AXA’s lead by not covering ransomware payments, they should be expected to lower their premiums. If they don’t, they may see their policyholders turn to competitors who do cover ransomware payments. 

Would you like to see other insurance companies take a similar stance to AXA regarding ransomware payments, or are there other steps that need to be taken to make this a realistic prospect? 

I believe that ransomware payments should never be paid. This is a line in the sand that a business should never be willing to cross. Businesses pay ransom demands to recover their data but don’t realize that by acquiescing, they keep incentivizing criminal behavior. Criminal enterprises adapt fast and follow where it makes financial sense, and as long as they keep receiving ransomware payments, they will only spur other criminal actors to follow suit.  

It’s a vicious circle, and fair play to AXA for taking a stance to break it. As long as businesses keep paying criminals, the activity will continue, and criminals will continue to win. AXA has dedicated itself to breaking this cycle, and more insurers and businesses must move to a similar stance. Nobody should be funding criminals.


What trends are we seeing concerning cyber-insurance? How do you expect this area to develop in the coming years? 

Over recent years we’ve seen the insurance industry develop a bigger and better understanding of the cybersecurity space. This has led to insurers having a more stringent set of requirements that companies need to fulfil before being insurable, which in turn is driving better corporate cybersecurity practices. 

As threats and tactics evolve, I expect that insurers will continue to do the same to ensure that businesses are adequately protecting themselves. However, I don’t think we’ll see a change in what policies cover in the short term. Currently, insurance premiums only cover specific, well-defined criteria such as loss of business and interruptions to operations. They can’t account for every type of loss that is out there today. I can’t envisage insurers protecting businesses from reputation impact such as damage to a brand name due to a security incident.  

We have recently seen numerous high-profile ransomware incidents. Why is this tactic proving so fruitful for cyber-criminals?

Businesses reluctantly cough up the cash to have their data returned to them. While this continues, criminals aren’t going to stop what is a lucrative way of making money for them.  

Businesses are also increasingly vulnerable. There’s a significant talent shortage within our industry, and we’re seeing that cybersecurity and tech teams are stretched extremely thin, especially while businesses adapt to working remotely. Combined with teams being on constant high alert, this means that burnout is a real consideration. This creates a considerable risk for companies, as it only takes one small mistake for an attack to happen.

People can’t be trained up overnight, so businesses should reconsider some of their data practices instead. I always look back to the age-old adage of “Empty hands”: “What you don’t have cannot be stolen”, so businesses must think about whether they need to hold onto swathes of data that is, most likely, not even relevant anymore. Companies should only hold onto data for the smallest period of time before completely deleting it. Not only will this reduce the risk dramatically, but it encourages a better customer understanding of what a company does with the data it does collect.

What more can the cybersecurity industry do collectively to tackle the scourge of ransomware? 

This is two-fold. As mentioned, businesses need to rethink their data practices. Alongside this, they should invest in robust backup solutions instead of anti-ransomware solutions. If data is gone but recoverable, is it really gone?

As an industry, we need to collectively identify emerging threats and close the gaps before attacks can happen. HUMAN is a big believer in this tactic; recently, we launched the HUMAN Collective to create a collectively protected ecosystem within the digital advertising space. We know that if we all work together, not only will companies protect themselves, but by removing the incentive, they’ll make it harder for cyber-criminals to operate. I hope that soon we will see this across all industries.   
