A new Geneva Association report has highlighted the important role of private (re)insurers, alongside governments, in boosting society’s resilience to ransomware and ensuring the full benefits of digitalisation can be realised.
The report, titled ‘Ransomware: An insurance market perspective’, explores the significant value add of cyber insurance beyond risk transfer, amid ongoing debate on whether to ban ransom payments or associated insurance coverage.
The frequency of ransomware attacks, a form of cyber extortion, is increasing, along with the size and nature of ransom demands. Cyber criminals are deploying more sophisticated approaches to target governments, businesses and individuals, with serious and costly effects. The growth of the ransomware-as-a-service (RaaS) business model has also enabled threat actors with limited technical skills to launch highly disruptive attacks.
Cyber insurance provides vital financial protection and operational support in the event of an attack, but ransomware has contributed to the recent deterioration in cyber insurers’ underwriting performance. Ransomware accounted for 75% of all cyber insurance claims in 2020 (according to AM Best) and is also likely to have been the costliest loss event category in 2021 (according to Willis Towers Watson).
The Geneva Association’s report analyses the complex policy issues surrounding ransomware and possible solutions to counter this epidemic in cybercrime, including the contribution of insurance to boosting firms’ cyber resilience.
The report’s main messages include the following:
- Liberalise mandatory insurance tariffs to stop underwriting losses.
- Motivate insurers to merge with each other to enhance their financial solvency and create strong economic institutions able to increase risk retention and design new insurance schemes that meet the needs of individuals and organisations.
- Review the unified motor insurance agreement (‘Orange Card’) related to the movement of vehicles between Arab countries in light of the developments that have occurred since its signing in 1975 in a way that safeguards the interests of all parties to the agreement. The developments include economic and political conditions faced by some Arab countries which have made it difficult for them to settle compensation.
- Amend tax legislation to provide incentives to purchase life and medical insurance policies as well as other types of insurance.
The Geneva Association managing director Jad Ariss said, “With ransomware we see an example of the important ‘prevention and mitigation’ role insurers play as risk managers. They control a critical lever with their ability to incentivise customers to maintain strong cybersecurity controls and standards, helping to reduce firms’ vulnerability to attack and boost their cyber resilience. Governments and regulators have their levers, too, and as our report highlights, they need to rein in the illegal use of cryptocurrencies and do more to ensure information exchange about incidents as well as improve international cooperation among law enforcement.”
The Geneva Association director of cyber and evolving liability and author of the report Darren Pain said, “The ransomware landscape is now highly evolved and sophisticated, especially with the development of RaaS. Such ransomware attacks are driving significant increases in insurance claims and, as a consequence, premiums. Would banning ransom payments be a viable solution? According to our study, insurance companies do not think so. Prohibiting ransom payments or their reimbursement by insurers would likely drive transactions underground, forfeiting the ability of the authorities to record and analyse incidents and prosecute criminals. Furthermore, the last thing we should do is take steps that might discourage smaller firms from taking out cyber insurance, the benefits of which go well beyond reimbursing ransoms.” M