Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technologies, is calling for an end to insurance companies covering reimbursement of ransomware payments. The senior White House official hasn't proposed a new policy, but if her opinion piece for the Financial Times is any indication, the insurance industry may be headed towards more regulation.
"The insurance industry can also play a constructive role, by, among other things, requiring and verifying implementation of effective cyber security measures as a condition of underwriting its policies, akin to the way fire alarm systems are required for home insurance," Neuberger wrote in the FT. "Some insurance company policies — for example covering reimbursement of ransomware payments — incentivize payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end."
The White House held its fourth annual Counter Ransomware Initiative conference this week with 68 member countries, international organizations, and industry leaders. It is one of the largest cyber partnerships in the world, and its members meet to discuss solutions to the immense challenges posed by ransomware.
In November 2023, the Center for Strategic and International Studies held a panel discussion about the 2023 Counter Ransomware Initiative, where participants commented on how cyber insurance companies often create a skewed incentive system.
David Koh, Chief Executive of the Cyber Security Agency of Singapore, suggested that there are two types of cyber insurance on the market today: one that addresses risk management, and another that incentivizes criminal activity:
There are two types of insurance. There's one type of insurance that is modeled after all of the types of insurance, fire insurance, et cetera, and you deal with the disruption, the cost of remediation, the loss of business, liabilities that you have with your customers. I think that type of insurance, where basically if you view cyber disruptions as not a technical issue but as a risk-management issue, then you deal with risk management. As with all other risk-management issues, you try to insure it, et cetera. I think, for want of a better term, that is good insurance.
Koh described the second type as the kind modeled after coverage for companies operating in countries where kidnapping, ransom, and similar risks are a regular concern:
For the other type of insurance, this is actually payments which go direct to the criminals, and there's a real question as to whether this type of insurance actually incentivizes good cyber hygiene, incentivizes good behavior, or actually whether it incentivizes the criminals inadvertently. So I think we should deconstruct insurance and not just say insurance is good. The first type of insurance is good. I'm a bit more skeptical about the value of the second type of insurance.
Neuberger, also a participant in the panel, said the government's stated policy is to discourage ransom payments, and that it asks entities that do pay a ransom to notify law enforcement and work with them so investigators gain visibility into the attack.
Neuberger noted that the US has seen an increase in attacks, with overall payments going up, alongside a growing ability of these attacks to disrupt critical services and local governments. Taking the easier route of paying has become a "collective action problem," as some entities are not well prepared with backups and may feel it is faster and less expensive for them to pay a ransom.
“But that fuels the broader network and ecosystem because it is an ecosystem of malware, of money movements that is driving ransomware. So what we’re looking at is to say, how do we drive down and discourage the ransom payments while leaving an approach for those critical entities – every day is a delay in recovery. And looking through that and grappling with the policy aspects of that is something we’re looking at.”
The push to ban ransomware payments has been gaining momentum in 2024, but statements from the US Ransomware Task Force indicate that such a ban is likely at least several years away. Its general consensus has been that banning ransomware payments today could bankrupt the very small and medium-sized businesses the economy relies on, and that several milestones would need to be reached before the country would be prepared.
Cyber claims reached record levels in 2023, passing 1,800 claims in the US and Canada, which insurance broker Marsh attributes to cyberattacks, supply chain vulnerabilities, and a larger number of clients opting for cyber insurance coverage. These claims are accompanied by record-high ransom demands. In 2023, the median ransom demand surged to $20 million, up from $1.4 million in 2022. Similarly, Marsh reported that the median extortion payment jumped to $6.5 million in 2023, compared to $335,000 the previous year.
As a precursor to an outright ban, US policy may steer towards prohibiting the use of insurance to fund ransom payments in the near future. The White House recommends maintaining and testing backups, encrypting data, and deploying network monitoring and multi-factor authentication as actions organizations can take immediately that have an outsized impact on the risk of a successful ransomware attack. Even for those who have cyber insurance, preventing these disruptions through good cyber hygiene is far better than having to make a claim.