Is Insurance the Solution to, or the Enabler of, Ransomware?

The internet has brought many opportunities to our lives. Agile organizations adapting to online have thrived, whereas staid businesses unable to change have perished. As companies have adapted to a changing world, criminals have also transformed their business models.

The crime of kidnap has been modified and updated for the 21st century in the form of ransomware. In this crime, valuable data and functionality are taken from the legitimate owner and held for ransom by a criminal who will only restore these upon payment.

Ransomware has rapidly grown to become one of the most widespread crimes on the internet. In 2022, up to 71% of companies worldwide were affected by ransomware in some way; in the US alone, the associated costs totaled $7.5bn in 2019.

Role of Insurance

The heavy financial burden of recovering from ransomware attacks led to the growth of cyber insurance. Underwriters offer insurance products covering breach response costs, downtime, business interruption, and data recovery losses.

Organizations able to prove they have a good security posture will obtain lower insurance premiums than others. Following a breach and subsequent claim, loss adjusters will evaluate the affected organization’s security procedures as part of their due diligence before authorizing a payout. As such, insurance acts to ensure that businesses are meeting cybersecurity best practices. Yet, ransomware breaches continue.

How to Stop Ransomware

Modern ransomware has been hitting organizations since the mid-2000s. Despite the media coverage, it is not a new crime. We understand how criminals deliver ransomware and the tools and techniques they use to encrypt systems and data.

It is not inevitable that attacks will succeed. Cybersecurity protections can detect and block ransomware attacks. Among the many types of cybercrime, ransomware is uniquely vulnerable to a simple countermeasure: restoring systems from back-ups.

While backing up systems has been considered a best practice since the dawn of computing, implementing a backup strategy and restoring an encrypted system are not necessarily straightforward. Similarly, deploying an effective cybersecurity strategy takes resources and a focus that not all organizations can muster.

Why Ransomware Continues

Even the most effective cybersecurity solutions are not infallible. Criminals are skilled in finding security gaps with the help of luck, persistence and human errors. The lure of illicit profit provides the drive for the attacks to continue.

Studies show that during 2021, the total sums paid as part of ransomware attacks exceeded $600m. In the absence of such sums, or if the costs of conducting attacks were higher, we would expect to see far fewer attacks.

Insurance as an Enabler

Payments transferred to criminal groups incentivize criminal behavior and ‘feed the beast.’ Despite this being detrimental to the security landscape, ransoms continue to be paid.

The price point of ransoms is finely balanced. If set too high, victims may decide to resolve the situation themselves. If set too low, then criminals may be missing out on revenue. At the right price point, although there is no guarantee that criminals will restore data, executives may decide that paying the ransom is cheaper than attempting recovery.

Insurance policies that pay ransomware demands incite executives to authorize ransom payments. Claiming on the policy adds little or no extra cost to the business. Systems may be quickly restored; if not, the organization is no worse off.

Even insurance policies that exclude ransom payments but cover recovery and remediation costs may act as a disincentive to invest in defenses. An executive who feels confident that the costs of a ransomware breach are covered may be reluctant to invest in protections that reduce the likelihood of it happening. Understandably, if you don’t fear the consequences, why struggle to prevent the occurrence?

Insurance as the Solution

This is not to say that the cyber insurance industry is the cause of ransomware – far from it. Indeed, the insurance industry likely holds the key to solving ransomware.

A multi-layered approach to cybersecurity protection is regarded as best practice. Many overlapping protections reduce the risk that a threat will impact an organization, improve the likelihood that intrusions will be identified swiftly and help contain and recover from an incident.

Exactly which defenses provide the most effective protection or the best return on investment is hard to prove. Although all defense strategies are likely to be beneficial, and advice on best practices is available, hard data proving this wisdom is currently lacking.

Proving which strategies provide the best defenses requires comparing the security posture of organizations that have experienced a ransomware breach with those that have not. This is not a simple calculation: good luck and poor fortune play a role.

However, lurking within the data gathered by insurance companies over many years lies the answer to what distinguishes organizations that have claimed their cyber insurance from those that have not.
Information technology is vital for modern business but complex to manage. Strangling the profit motive that encourages criminals to abuse these systems is crucial for long-term security. However, in the short term, the temptation to pay ransomware demands is strong.

Cyber insurance may enable organizations to choose to pay the ransom when hit by ransomware, but the data held by insurance providers contains detailed information regarding which security measures are the most effective in preventing breaches.

In the motor industry, insurance data has contributed to improved safety and provides incentives for careful drivers. The same data and incentives can improve cybersecurity outcomes too.