Executive Summary

As the United States faces a veritable “feeding frenzy” of ransomware crime, the insurance sector risks contributing to the problem by subsidizing and encouraging ransomware crime by allowing victims to pass ransom costs on to insurance carriers. This paper outlines how this has been occurring, with the effect that spiraling costs associated with such crime have driven huge premium increases for cyber insurance policyholders and are leaving portions of the insurance sector “teetering on the edge of profitability.” To help meet this challenge and bring the ransomware epidemic under control, changes are clearly needed.

The adoption of a new model of sector-wide cybersecurity risk assessment and mitigation could contribute to this goal, but especially while we still await successful adaptation by the insurance sector, various public policy interventions also deserve evaluation. The following pages outline several such possibilities: banning insurance coverage for ransom payments; strengthening and better tailoring the cybersecurity reviews required for insurance coverage; increased government use of “primary” sanctions against ransomware threat actors coupled with “secondary” ones against those who pay ransoms to them; broader government regulation of the cyber insurance market; and the development of improved data-sharing within the industry and with government stakeholders. As an initial step, in advance of broad agreement upon one or more of those approaches, this paper advocates the development of a new public-private partnership (PPP) framework to facilitate the aggregation and analysis of cybercrime incident, threat activity, and ransom payment-related data in support of risk mitigation, improved actuarial management, law enforcement, and other shared objectives in the fight against cybercrime.