Although a ‘contentious area’, industry leaders said cyber insurers that fund customers’ ransom payments are simply aiming to make ‘sure our customers survive after a particularly unpleasant incident’

Cyber insurers that fund commercial customers’ ransom payments following a cyber attack are simply “trying to make sure our customers survive after a particularly unpleasant incident”, said Neil Arklie, head of cyber insurance at Aviva.

Speaking at an Insurance Times webinar in association with CGI on 3 March – titled Cyber Security and the Pandemic: trends and their implications for insurers – Arklie said the payment of cyber-related ransoms by insurers is often considered “contentious” within the market and poses “a very difficult dilemma” for cyber insurance firms.

This is because failing to pay the cyber criminals’ ransom could lead to the targeted business closing, which contradicts insurers’ main ambition of putting their policyholders back in the position they were in prior to the insured event or incident.

Mark Hawksworth, global technology specialist practice group leader at Sedgwick, explained: “I’ve had businesses where if that ransom isn’t paid, the business will go under and therefore the owners of that business, if there’s no cover under the policy, have still taken that decision to make that ransom payment.”

CFC Underwriting’s cyber development leader Lindsey Nelson also agreed with this perspective.

She added: “It’s interesting that cyber insurers tend to get targeted when only 15% of businesses are actually buying the coverage. Eliminating that 15% really doesn’t solve the other 85% of businesses who are still falling victim to it.

“Cyber insurers and security experts, it’s in our mutual best interest with the amount of limits exposed to get people back to a position that they were operating normally.

“Whatever resources we can provide to aid in those decisions are certainly going to help businesses get back up and running again, otherwise most small businesses at least are going to feel like they have no choice but to pay the ransom because they don’t know how to recover without doing that.”

For Arklie, legal clarity on how insurers should approach ransom payments would be incredibly welcome.

“We avoid at all costs trying to pay the [ransom]. It’s not something that we look to do at all, but you’re left with a very difficult dilemma with a company – do we not pay the ransom and let that business fold, or do we pay the ransom?” he explained.

“We’ve had conversations with law enforcement and we’ve not received clear guidance on exactly how they wish to proceed. I do know the director of the [National Crime Information Centre], has said that cyber insurers shouldn’t be doing that.

“Well, we’re a heavily regulated industry; if government says that to us, we will not pay it. But I’d still ask them to answer that question of ‘how do we deal with our end customer?’ Just through a minor lapse in security, their business is gone and their jobs are gone.

“Tell us, as the Italian government just said, we won’t pay it. But if you are saying we should try and protect our end customers and work with them, then we will try the best way legally to pay those ransoms when it makes sense. It’s a real tough one and I’m not saying it’s not a hard decision but we’re trying to make sure our customers survive after a particularly unpleasant incident.”

Hawksworth echoed this sentiment. He added: “The industry is heavily regulated. We have to jump through hoops before we facilitate anything like this.

“We don’t go into these things lightly. We take these things very seriously and have to make sure that we don’t fall foul of any of the regulations.”

Arklie said that prior to making any ransom payment, he always completes due diligence on the cyber criminals involved to check whether they are “honourable thieves” who will provide decryption keys if paid.

The webinar panel also included Richard Holmes, head of cyber security at CGI, and the session was chaired by journalist Matt Scott.