How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director
2021-04-09 10:02

Increasing numbers of senior ex-GCHQ people have called for laws preventing businesses using cyber insurance to buy off ransomware attackers - with the money merely perpetuating the criminals' business model.

Marcus Willett, a senior cyber adviser with the International Institute for Strategic Studies and former GCHQ director of cyber, wrote at the end of March that the world needs "New laws establishing disincentives to pay ransoms to cyber criminals."

While dissecting the SolarWinds hack's international policy implications, Willett observed that "It is currently too convenient for companies simply to use their insurance to pay up" to avoid the disruption of a ransomware attack.

In this, the ex-GCHQ/NCSC people seem to be admitting that a 2014 government policy aimed at increasing the take-up of cyber insurance may have flopped; as we said at the time, increasing cyber insurance with the intention of improving cyber hygiene was like encouraging car insurance as a way to reduce road accidents.

Official attitudes towards cyber insurance have varied.

Last year a gathering of cyber-insurance professionals resulted in much gnashing of teeth from insurers who realised their customers were increasingly suspicious of policies claiming to cover cyber incidents, perhaps fuelled by the infamous Zurich lawsuit against Mondelez in the wake of a NotPetya ransomware infection.
News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/09/ban_cyber_insurance_payouts/