And for now, cyber insurers are mostly resisting
calls to halt reimbursements for ransoms paid.
In a May earnings call, the CEO of U.K.-based
Beazley, Adrian Cox, said “generally speaking
network security is not good enough at the
moment.” He said it is up to government to decide
whether payments are bad public policy. CEO Evan
Greenberg of the leading U.S. cyber insurer, Chubb
Limited, agreed in the company’s annual report in
February that deciding on a ban is government’s
purview. But he did endorse outlawing payments.
Jan Lemnitzer, a Copenhagen Business School
lecturer, thinks cyber insurance should be
compulsory for businesses large and small,
just as everyone who drives must have car
insurance and seat belts. The Royal United
Services Institute study recommends it for all
government suppliers and vendors.
While he considers banning ransom payments
problematic, Lemnitzer says it would be a
“no-brainer” to compel insurers to stop reimbursing
for them.
Some have suggested imposing fines on ransom
payments as a disincentive. Or the government
could retain a percentage of any cryptocurrency
recovered from ransomware criminals, the
proceeds going to a federal ransomware
defense fund.
Such measures could bite into criminal revenues,
said attorney Stewart Baker of Steptoe and
Johnson, a former NSA general counsel.
“In the long run, it probably means that resources
that are currently going to Russia to pay for
Ferraris in Moscow will instead go to improve
cybersecurity in the United States.”