In many cases, insurers shoulder almost all of the financial burden for ransomware victims. When Lake City, Fla., paid hackers nearly $500,000 in 2019, its insurance policy with the Florida League of Cities covered all but $10,000. Another Florida city whose computer system was hacked the same year, Riviera Beach, agreed to an even larger ransom payment, nearly $600,000. The city itself was on the hook only for a $25,000 deductible.
Knowing insurance will cover ransoms can make it easier for companies to decide to pay, which only fuels future attacks. Knowing that the government may then effectively reimburse them adds further incentive for hacked companies to pay. A recent estimate by Kaspersky suggested that 56 percent of victims pay a ransom.
Because insurers have been forced to cover so many ransom payments in recent years, the industry seems to be on the cusp of trying to raise premiums and rethink its approach to ransomware. So far, though, only one major insurer, the French company AXA, has moved in that direction, announcing last month that it would suspend issuing policies that cover ransom payments in France until authorities clarified whether it was legal to do so.
Indeed, regulators in many countries have provided ambiguous guidance to insurers and ransomware victims about paying ransoms. Most law enforcement agencies, including the F.B.I., discourage but do not actually forbid payments. Christopher Wray, the F.B.I.’s director, said at a congressional hearing that companies infected with ransomware should quickly contact law enforcement to find ways to avoid paying hackers. Victims paid nearly $350 million worth of cryptocurrency in ransoms last year, emboldening attackers to take on more high-profile targets this year, like the meat processor JBS, whose slaughterhouses were knocked offline, and Colonial, whose fuel pipeline shutdown prompted long lines for gasoline throughout the Southeast.
Last year, the Treasury Department warned that ransom payments to certain sanctioned groups and individuals might be illegal. But for many victims, as well as their insurers, it’s not always immediately clear to whom they are paying ransoms, nor how the Treasury rules apply to their situations. At the same time, some regulators fear that a ban on ransom payments would drive more companies to pay off their hackers in secret and refuse to report incidents to law enforcement. (Currently, the percentage of attacks that go unreported is unclear.)