A city in Florida wants its insurance company to pay $600,000 to hackers holding its computers hostage.
Every time I read or hear about another individual or organization paying an online ransomware demand, my heart sinks a little bit. Every time, I worry we’re getting further away from being able to demonetize cybercriminals and discourage them from pursuing these schemes. But nothing is more discouraging than the ransoms that are paid out by insurance firms as part of a cyber insurance policy. That’s what happened in Riviera Beach, Florida, this week, when the City Council unanimously voted to ask its insurance carrier to pay nearly $600,000 worth of cryptocurrency to the hackers who took over the city’s computer systems.
It’s bad enough when victims of ransomware make these payments themselves—it encourages more ransomware by funding the criminals in their ongoing pursuits. It also alerts others to the fact that these targets have funds to spare and a willingness to cave to ransom demands. But when those payments come from their insurance carriers, the victims become so insulated from those costs, so used to paying for their insurance policies as a regular risk management expense, that ransomware becomes even more accepted and legitimized as a routine cost of doing business.
Ransomware is when someone infects your computer with malware, which typically encrypts the hard drive, and then offers to decrypt it for you after you make a payment to them using an anonymous cryptocurrency like bitcoin. I’ve argued in the past that it is a mistake—from a societal perspective, if not a personal one—to acquiesce to ransomware demands except in cases of absolute life and death. The more people who make those payments, the more lucrative the business model is, the more criminals try it out for themselves. Some companies have also attempted to use kidnapping policies to cover online ransom payments.
Unlike other forms of cybercrime, such as payment card fraud or identity theft, the costs of ransomware fall squarely on the individual victims rather than their banks or payment card networks. This means that there are no powerful, well-funded centralized intermediaries like Visa or Mastercard or the IRS that have a strong incentive to detect, investigate, or crack down on ransomware, because the costs are so dispersed.
It also means that instead of selling your stolen data to other criminals—who will use that data to open accounts in your name or file for your tax refund or purchase something with your credit card number—the perpetrators are selling it directly back to you. So, lots of data that would probably otherwise be worthless on the black market (your photos, your Word documents, your emails) is suddenly worth something—unlike your Social Security number or birthday or address, all of which have probably been stolen and sold several times over at this point. And on top of that, in ransomware schemes, law enforcement loses out on one of its prime avenues for investigating cybercrimes and catching cybercriminals: monitoring online black-market forums.
For all of these reasons, ransomware can be a very lucrative and relatively low-risk form of cybercrime for criminals to pursue. This is even more true when cyber insurers get involved. Because now the individual victims are one step removed from the ransom payments—they no longer feel that they themselves are losing money or directly rewarding the criminals. Instead, they are just making use of premium payments they were already sending their insurer. That makes it even easier to pull the trigger on a ransom payment.
Several major insurance companies explicitly offer coverage for online extortion payments in their cyber policies, and those demanded payouts have been gradually increasing. Some companies have also attempted to use kidnapping policies to cover online ransom payments, though it is unclear whether any have been successful. While few organizations publicize it when they use insurance to make these payments, cyber insurance can also cover several other types of costs related to ransomware attacks, including the costs of restoring or replacing affected systems.
But these policies are new and untested enough that insurers and their customers do not always agree about what, exactly, is covered under them. For instance, food company Mondelez International is currently suing Zurich Insurance for refusing to cover computer equipment replacement costs related to the NotPetya ransomware attack in 2017. So it’s possible that Riviera Beach’s insurer may refuse to make the payment depending on the specifics of the city’s policy and this particular attack. (Zurich’s refusal rested on the argument that NotPetya was akin to an act of terrorism, which was excluded from its policy.) But the very idea that the City Council believes its insurer will make the payment of more than half a million dollars indicates that it has coverage for online extortion payments that high—which is itself concerning.
These types of policies create a confusing set of incentives for the insurers as well as customers. On the one hand, insurers clearly have an incentive to protect their clients from ransomware if they are on the hook to pay that ransom. Ideally, the insurance firms might even serve as the centralized, powerful intermediaries that have the data and reach to implement better protections against ransomware across their customer base, in a similar vein to what Mastercard and Visa do for payment card fraud.
However, many insurance firms do not have the technical know-how to even identify those protections, much less require them or audit their implementation. Additionally, cyber insurance is a rapidly growing market right now with very high premiums. So, at least for the moment, insurers can make ransom payments for some of their customers without necessarily suffering significant financial losses themselves because they can charge such high premiums for those policies.
That’s how all insurance works, in some sense—individuals and organizations pay over the same amount of money they might have spent on a large-scale disastrous event to an insurance company in increments, and that way, when the event actually happens, be it an earthquake, a cancer diagnosis, or a ransomware attack, the victim is not on the line to come up with the entire sum at that moment. The difference here is that ransom payments go directly to support criminal enterprises. So cyber insurance payouts like the one authorized by the Riviera Beach City Council don’t just insulate organizations against the high costs of making a one-time large payment. They also fuel criminal enterprise. And they fold the costs of fueling that criminal enterprise into the very tidy, responsible, ethically unambiguous work of risk management and insurance purchases.
But buying insurance to replace infected computers or notify breach victims or pay lawyers in the event of a security incident is a very different thing from buying insurance to pay off criminals directly. The latter option may be cheaper than ignoring the ransomers’ demands and insisting on restoring a system the hard way. But it makes insurance companies and their customers complicit in supporting criminals and insures the stability of those criminals’ profits for years to come.