According to a White House national security adviser, generous coverage has been fueling the growth of ransomware — “a troubling practice”
In an opinion piece in the Financial Times, Anne Neuberger, the US Deputy National Security Adviser for Cyber and Emerging Technology, has proposed a controversial solution: banning insurance reimbursements for ransomware payments.
Neuberger has argued that such reimbursements incentivize ransom payments, thereby fueling the cybercrime ecosystem. Her opinion piece also suggests that insurers should require clients to implement robust cybersecurity measures as a condition for underwriting policies, similar to how fire alarm systems are mandated for home insurance.
The debate over this proposal is heated. Proponents believe that eliminating insurance payouts for ransom payments could reduce the profitability of ransomware attacks, thereby dampening ransomware activity. However, critics argue that this approach may not significantly impact large corporations that can afford the costs associated with ransomware attacks, including business interruption and remediation.
Monica Shokrai, Google Cloud’s head of business risk and insurance, has expressed skepticism about the effectiveness of banning ransom payments from insurance policies, pointing out that the cost of the ransom itself is often negligible compared to the financial impact of business interruption in large firms. Therefore, even without insurance coverage for ransom payments, such organizations would still face substantial costs.
Other industry observers have suggested taking the policy a step further by banning ransom payments by insurers and corporations altogether. This is similar to the US government’s long-standing policy of not negotiating with terrorists. The argument is that the money spent on insurance and recovery could be better invested in preventive measures and cybersecurity infrastructure.
The broader implications of such a ban, should it ever happen, are significant. It could lead to increased cybersecurity measures as a condition for insurance underwriting, potentially improving overall cyber resilience. However, it also raises concerns about the financial burden on smaller organizations that may struggle to afford the necessary cybersecurity investments.