Illustration: dollar signs appearing on laptop screens. © Efi Chalikopoulou

This week, techie eyes have been fastened on Bletchley Park in Britain, where the UK government has been trying to launch cross-border collaboration against artificial intelligence threats — with mixed success.

However, over in Washington another global digital initiative has been unfolding too: the International Counter Ransomware Initiative (CRI) held its third meeting on Wednesday to fight the malware attacks that encrypt computer files to prevent access, unless a ransom is paid. This has not grabbed headlines. But it should probably matter more for investors than the flashy Bletchley summit — at least for now.

For one message from this week’s CRI event is that the White House and its western allies want to stop institutions from paying cyber ransoms. This could create new corporate boardroom headaches — and controversy around the morally tangled role of insurance companies.

To understand why, a little background is needed. In recent years, ransomware attacks have exploded in scale, as criminals increasingly engage in “big game hunting” — attacking deep-pocketed groups, as the consultancy Chainalysis noted in a recent report.

The numbers are startling. A survey by Splunk consultancy says that 90 per cent of companies were hit by ransomware attacks this year, while a poll by Cybereason consultancy suggests that 73 per cent of companies have experienced a ransomware attack in the previous 24 months — up from 55 per cent in 2021. Meanwhile, security consultants guess that ransomware attacks generated $20bn of losses in 2021 — and project a tripling in 2026.

The White House has strong self-interest in fighting this: Anne Neuberger, deputy national security adviser in the Biden administration, says that 46 per cent of recent ransomware attacks involved American companies.

But Neuberger has no hope of tackling the problem without both cross-border and public-private sector collaboration. Hence Washington’s hosting of the CRI.

The good news is that on the first point, cross-border governmental collaboration, progress is accelerating. This week, the 50 members of the CRI adopted new protocols around information sharing and, most importantly, jointly called for an end to ransom payments.

But the bad news is that this pledge only covers the institutions directly controlled by those governments — and the private sector seems unlikely to comply. On the contrary, Splunk’s research suggests that 83 per cent of companies attacked in the past year did pay a ransom, exceeding $100,000 in more than half of all cases.

One reason is that hackers usually set their ransom demands well below the likely financial hit from data breaches. Another is that companies are increasingly buying cyber insurance to transfer the costs.

That makes it rational for companies to furtively pay up, at least from a short-term, individual perspective; and doubly so given the opacity of this world. But this also makes the problem worse for the system as a whole, since it encourages more attacks — particularly against insured groups.

So, as a survey by the Barracuda consultancy notes, while “companies with cyber insurance were more likely to pay the ransom to get their data back”, some “77 per cent of organisations with cyber insurance were hit by a successful ransomware attack, compared to 65 per cent without cyber insurance”.  

Meanwhile, Cybereason found that 80 per cent of organisations that paid a ransom demand were hit by ransomware a second time. Apparently, in 68 per cent of cases the second attack came less than a month later — and with bigger ransom demands. Ouch.

The White House is pushing the insurance industry to change. “The insurance market fuelled that rise in ransomware because they made payment of ransoms far easier to happen,” Brandon Wales, director of the Cybersecurity and Infrastructure Security Agency, said this year, noting that “insurance companies didn’t price the market correctly”.

However, not everyone accepts the insurers are at fault: a study commissioned by Britain’s National Cyber Security Centre this summer argued that “the conclusion that ransomware operators are deliberately targeting organisations with insurance has been overstated”. 

In any case, there is little sign that insurance companies are ready to roll over. “Companies want this [insurance], so we are offering it,” one senior insurance executive tells me. “It’s business.” Or, as an economist might say, there is a collective action problem.

This might eventually prompt the White House to use more draconian measures, such as invoking money-laundering rules to punish those paying ransoms. In the meantime, expect to hear more rhetoric from America about the need for reform.

Don’t hold your breath that this will work; with ransomware, as in AI, it is hard to persuade companies to champion collective long-term digital interests over their individual short-term incentives.

Either way, the worse the problem gets, the more pressure for governments to act — and for insurance companies to come out of the shadows and discuss their contradictory role in this dark side of the digital world.

gillian.tett@ft.com

Copyright The Financial Times Limited 2024. All rights reserved.