In many cases, insurance companies shoulder almost the entire financial burden for ransomware victims. When Lake City, Fla., paid hackers nearly $500,000 in 2019, its insurance policy with the Federation of Florida Cities covered all but $10,000. Another Florida city whose computer system was hacked the same year, Riviera Beach, agreed to pay an even larger ransom, close to $600,000. The city itself was responsible only for a $25,000 deductible.
Knowing that insurance will cover ransoms can make it easier for companies to decide to pay, which only fuels future attacks. Knowing that the government can then effectively reimburse them will create an additional incentive for hacked companies to pay. A recent Kaspersky estimate suggested that 56% of victims pay a ransom.
Because insurers have been forced to pay so many ransoms in recent years, the industry appears to be on the verge of raising premiums and rethinking its approach to ransomware. So far, however, only one major insurer, France’s AXA, has moved in that direction, announcing last month that it would suspend issuing ransom-reimbursement policies in France until the authorities clarify whether paying ransoms is legal.
Indeed, regulators in many countries have given unclear guidance to insurers and ransomware victims about paying ransoms. Most law enforcement agencies, including the FBI, discourage but do not actually prohibit payments. Christopher Wray, the director of the FBI, said at a congressional hearing that companies infected with ransomware should quickly contact law enforcement to find ways to avoid paying hackers. Victims paid nearly $350 million worth of cryptocurrency in ransoms last year, incentivizing attackers to take on more high-profile targets this year, like meat processor JBS, whose slaughterhouses were taken offline, and Colonial, whose fuel pipeline stopped operating, causing long lines at gas stations throughout the Southeast.
Last year, the Treasury Department warned that paying ransoms to certain sanctioned groups and individuals could be illegal. But for many victims, as well as their insurance companies, it is not always immediately clear to whom they are paying the ransom, nor how the Treasury rules apply to their situation. At the same time, some regulators fear that a moratorium on ransom payments would cause many companies to pay their hackers secretly and decline to report the incident to law enforcement. (Currently, the proportion of unreported attacks is unclear.)