Cyber insurance was supposed to do for digital risk what fire insurance did for buildings: spread the cost of catastrophe and create financial incentives for prevention. Instead, over the last decade, it has helped underwrite the most lucrative organized crime business of the internet era. The claim is uncomfortable, contested, and supported by a growing body of evidence from researchers, law enforcement, and the insurers themselves.
Calling out the dynamic is not a defense of doing nothing. It is an argument that the current arrangement has been making the problem worse on net, even as it protects individual policyholders from the worst.
How the loop forms
A typical ransomware incident now follows a familiar script. Attackers gain access, encrypt data, exfiltrate copies for leverage, and demand a payment in cryptocurrency. The victim calls a breach response firm, often dictated by the cyber insurance policy. The breach response firm assesses the damage, evaluates the demand, and frequently recommends payment, particularly when backups are inadequate or operational pressure is high. The insurer covers the ransom, the recovery costs, and often the legal fees, up to policy limits.
From the criminal’s perspective, this is a near-perfect customer base. Insurance turns ransomware victims into reliable payers with deep pockets, professional intermediaries, and predictable timelines. Multiple analyses, including reports from the UK’s Royal United Services Institute and the US Department of the Treasury, have documented how the existence of cyber insurance has correlated with both the volume of attacks and the size of average ransom demands.
The incentive problem
Insurers can argue, fairly, that they are responding to a market they did not create. The deeper problem is that paying ransoms is rational at the level of a single firm and irrational at the level of the system. Each individual payment looks like the cheapest way out of a crisis. Aggregate payments tell criminals that the model works, attracting more entrants and funding more sophisticated operations.
Insurers have tightened underwriting since 2021, requiring multifactor authentication, endpoint detection, and tested backups before issuing policies. That is progress. But as long as the policies cover ransom payment itself, the central perverse incentive remains intact. A firm with strong coverage has less reason to invest in resilience that would let it refuse to pay.
What might break the cycle
A serious response would make ransom payments either uninsurable or illegal in most circumstances. France’s regulators flirted with the first approach. The United States has moved toward the second through OFAC sanctions on certain criminal groups, though enforcement has been inconsistent. Either path forces firms to invest in the prevention and recovery capabilities that actually reduce systemic risk.
The transition would be painful. Some firms would fail after catastrophic incidents. The longer-term result, judging by how shifts in other cybersecurity incentives have changed behavior historically, is a smaller and less profitable ransomware market.
The bottom line
Cyber insurance solved an individual problem and created a collective one. The ransomware industry is now structured around the assumption that victims can pay because someone else is paying for them. Until that assumption breaks, the attacks will continue to scale, and prevention will keep losing the budget battle.