The Role of Cryptocurrency and Cryptoinsurance in Ransomware Payments

January 24, 2022

In the Risk Forum's end-of-the-year Talk About Paymentswebinar , ransomware was once again, unfortunately, a topic of discussion. For over five years now, our Take on Payments blog has often discussed ransomware, as financial losses due to ransomware attacks have steadily risen. In 2021, the federal government and the US Department of the Treasury issued guidance for the virtual currency industry in an effort to make it difficult for those behind ransomware attacks to receive cryptocurrency, the preferred ransom payment method. Whether or not these steps, or even an outright ban on cryptocurrency payments, will be effective in reducing ransomware attacks and their associated financial losses is still to be determined, but there are skeptics (including yours truly).

In 2019 posts (here and here), Dave Lott and I both wrote about the increasing frequency of people and companies obtaining insurance against ransomware attacks and the payment of ransoms by insurance companies. I think it is time for an evaluation of the costs and benefits of ransomware insurance. In fact, the FBI strongly recommends that ransomware payments not be made.

What are the basics? Organized crime syndicates, generally based in foreign countries, launch the vast majority of ransomware attacks. To protect against the financial consequences of such attacks, businesses may purchase insurance policies for coverage against cyber-related attacks that can include the payment of ransom in the event of a ransomware attack. If a syndicate receives a ransom payment, it not only encourages additional attacks but also allows the syndicate to grow and scale its criminal enterprise. As ransomware attacks flourish, businesses might become more likely to purchase insurance policies or expand existing policies with greater coverage to protect themselves. Another important issue to consider is whether companies that insure against ransomware as a form of protection could become less diligent in preventing an attack. Further, with increased attacks and higher demand for coverage, insurance providers may sell more policies at increased premiums to offset the potential for rising claims. Or perhaps the problem becomes so significant that the costs to insurers from claims outpaces their revenue from such policies, causing them to exit the business.

In a different viewpoint, maybe insurance coverage that includes ransom payments is in fact beneficial, especially in those circumstances when the "the damage inflicted by a cyber attack is greater than the cost of the ransom."

Over the past five years, since the Risk Forum began covering ransomware, we have witnessed significant growth in attacks and financial losses. While I am hopeful that both the public and private sector will find ways to slow the growth and ultimately stamp out ransomware attacks, the challenge is perhaps more daunting now than it was five years ago. It's promising to know that efforts are underway at the Treasury to address the challenge of ransom payments made with crytpocurrencies, but more may need to be done. As for this post, I am hoping that it can lead to a discussion on the pros and cons of this mitigation strategy as part of the effort at large to defeat ransomware.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed