Between a rock and a hard(ening) place: Cyber insurance in the ransomware era

Authors :
Gareth Mott
Sarah Turner
Jason R.C. Nurse
Jamie MacColl
James Sullivan
Anna Cartwright
Edward Cartwright
Publication Year :
2023
Publisher :
Elsevier, 2023.

Abstract

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.

Cyber insurance and ransomware are two of the most studied areas within security research and practice to date, and their interplay continues to raise concerns in industry and government. This article offers substantial new insights and analysis into the complex question of whether cyber insurance can help organisations in mitigating the threat of ransomware, particularly its impacts. Having conducted an interview or workshop with 96 industry professionals spanning the cyber insurance, cyber security, ransomware negotiations, policy, and law enforcement sectors, we identify that ransomware has been a key cause of the ‘hardening’ of the cyber insurance market, which is exhibited at almost all levels of the market. Such hardening has been beneficial in raising the security standards required prior to purchase, but has also created a situation where some organisations may not be able to acquire viable cyber insurance at all. In presenting the outcomes of our thematic analysis of the interview and workshop outputs, the paper provides significant new empirical evidence to support the theory that cyber insurance can act as a form of governance for improving cyber security among organisations. Nonetheless, the hardening market does nothing to increase the penetration of cyber insurance. Questions were also raised as to the likelihood of unintended unethical – and potentially illegal – outcomes given the professionalisation of a remediation process that has to determine the most cost-effective solution to an organisation being held ransom. We conclude that insurance, at best, can help to mitigate the ransomware threat for those that can access it, as part of a wider basket of actions that must also come from different stakeholders.

Subjects

Subjects :
General Computer Science
Law

Details

Language :
English
Database :
OpenAIRE
Accession number :
edsair.doi.dedup.....42809692a5d34c3ca227bbc680eb1030
Full Text :
https://doi.org/10.1016/j.cose.2023.103162