UK Insurers Defend Covering Ransomware Payments

Insurance providers in the United Kingdom have defended the inclusion of ransomware payments in first-party cyber-insurance policies.

Cyber-risk insurance covers the cost of restoring loss to business income or reputation caused by damage to computers and computer networks.

The Association of British Insurers (ABI) said that while insurance was "not an alternative" to taking appropriate action to minimize risk, firms could suffer financial ruin without cyber coverage. 

The ABI comments were made in response to a warning issued earlier this week by the UK's former National Cyber Security Centre director Professor Ciaran Martin. Speaking to The Guardian, Martin said that insurers who pay out claims from companies who have paid ransoms to cyber-attackers to regain access to systems and data are funding organized crime. 

Martin, who stepped down from his position as Britain's top cybersecurity official last August, expressed concern that ransomware attacks were "close to getting out of control."

Extortion laws in the UK prohibit the payment of ransoms to terrorists; however, no legal barriers are in place to stop companies from paying ransomware gangs to retrieve exfiltrated data and system access following a cyber-attack. 

"People are paying bitcoin to criminals and claiming back cash. I see this as so avoidable," said Martin.

"At the moment, companies have incentives to pay ransoms to make sure this all goes away. You have to look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry."

He added: "The law is nobody's fault, it was written for another purpose, but it has become OK to pay out to criminals."

An ABI spokesperson told the BBC that insurers do require customers to take "reasonable precautions" to prevent cyber-attacks from occurring. 

"Some might argue that any insurance that covers against a criminal act could lull the policyholder into a false sense of security," they said.

Martin, who now works at Oxford University's Blavatnik School of Government, told the BBC: "I have some sympathy with insurers, because as long as it's legal, there are incentives to pay."
