How Should We Handle Ransom Payments to Hackers? Very Carefully.

https://www.nytimes.com/2021/06/17/opinion/hackers-ransom-insurance.html

The announcement last week that U.S. law enforcement officials had managed to recover $2.3 million of the roughly $4.4 million ransom that Colonial Pipeline paid hackers was a welcome development. But it also raised questions about who should bear the costs of ransom payments as the threat of online extortion grows.

The Colonial Pipeline ransom retrieval sends a strong message to American companies that are hacked that the government can help. This will, hopefully, encourage victims to report these attacks to the authorities. But it may also make companies more willing to pay ransom — and that would be good news for cybercriminals.

Any effort by the government to more aggressively reclaim ransom payments must, then, go hand in hand with a regulatory crackdown on insurance coverage for ransoms. We also need careful consideration of how much — if any — of the reclaimed ransoms should be returned to the victims who paid them. (In the case of Colonial, the U.S. government has not made a statement about who will receive the recovered funds.)

Insurance plays a significant yet often overlooked role in the ransomware economy. Most ransomware victims do not announce that they are making ransom payments, nor that those payments are covered at least in part by their insurers. It took questioning at a House Homeland Security Committee hearing for Joseph Blount, the chief executive of Colonial Pipeline, to acknowledge that, “I think there were consultations going on” with the company’s insurer before the ransom was paid. He also said Colonial had filed an insurance claim for the payment that he expected would be covered.

In many cases, insurers shoulder almost all of the financial burden for ransomware victims. When Lake City, Fla., paid hackers nearly $500,000 in 2019, its insurance policy with the Florida League of Cities covered all but $10,000. Another Florida city whose computer system was hacked the same year, Riviera Beach, agreed to an even larger ransom payment, nearly $600,000. The city itself was on the hook only for a $25,000 deductible.

Knowing insurance will cover ransoms can make it easier for companies to decide to pay, which only fuels future attacks. Knowing that the government may then effectively reimburse them adds further incentive for hacked companies to pay. A recent estimate by Kaspersky suggested that 56 percent of victims pay a ransom.

Because insurers have been forced to cover so many ransom payments in recent years, the industry seems to be on the cusp of trying to raise premiums and rethink its approach to ransomware. So far, though, only one major insurer, the French company AXA, has moved in that direction, announcing last month that it would suspend issuing policies that cover ransom payments in France until authorities clarified whether it was legal to do so.

Indeed, regulators in many countries have provided ambiguous guidance to insurers and ransomware victims about paying ransoms. Most law enforcement agencies, including the F.B.I., discourage but do not actually forbid payments. Christopher Wray, the F.B.I.’s director, said at a congressional hearing that companies infected with ransomware should quickly contact law enforcement to find ways to avoid paying hackers. Victims paid nearly $350 million worth of cryptocurrency in ransoms last year, emboldening attackers to take on more high-profile targets this year, like the meat processor JBS, whose slaughterhouses were knocked offline, and Colonial, whose fuel pipeline shutdown prompted long lines for gasoline throughout the Southeast.

Last year, the Treasury Department warned that ransom payments to certain sanctioned groups and individuals might be illegal. But for many victims, as well as their insurers, it’s not always immediately clear to whom they are paying ransoms, nor how the Treasury rules apply to their situations. At the same time, some regulators fear that a ban on ransom payments would drive more companies to pay off their hackers in secret and refuse to report incidents to law enforcement. (Currently, the percentage of attacks that go unreported is unclear.)

Retrieving ransom payments is an important element in making ransomware less profitable, and the U.S. government should continue to pursue this option as aggressively as possible. But the government should also specify that no more than a quarter of the recouped payments will be returned to the victims. That creates an incentive for companies to work with law enforcement, but not enough for them to make such payments without a second thought.

The rest of the recovered money could go to help fund investigations into ransomware incidents. That way it can be part of the solution to ransomware, not part of the problem.

At a time when attacks are targeting increasingly high-stakes infrastructure, including fuel pipelines and food supply chains, effectively insulating insurance companies from the full costs of ransom payments would be a serious mistake.

Josephine Wolff is an assistant professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy and the author of “You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches.”
