Editor's note: The author participated in a panel discussion at the World Economic Forum titled "Ransomware: To Pay or Not to Pay" on January 19, 2023.
While much of the press on the 2023 World Economic Forum in Davos, Switzerland, focused on international strife, on the ground it was a significantly more economic affair. Certainly, many of the conversations focused on how society must do more to align around solutions to the many polycrises we are facing today, including the threat of a third world war, accelerating climate change, and widening income inequality over COVID-19. But chief among the topics was real, tactical discussion on how to reduce the profit motives of cybercriminals — and help enterprises look at their cyber risk in a radically different way.
In our ransomware panel, Catherine De Bolle, executive director for Europol, noted that cybercrime is a risk created by humans, driven by the economic conditions of high profit and easy opportunity. Ransomware is the most recent monetization of these motives and opportunities, and it has evolved from simple malware to advanced exploits and double or triple extortion models.
The motive for cybercrime is clear: to steal money. But the digital nature of cybercrime makes the opportunity uniquely attractive, due to the following:
- Cryptocurrency makes online extortion, trading illicit goods and services, and laundering fraudulent funds highly anonymous and usually beyond the reach of Western financial regulators or inspection.
- There isn't enough fear of getting caught for cybercrime. Recently, the US Department of Justice had a major win bringing the founder of an illicit crypto exchange, Anatoly Legkodymov, to justice. But the US had to wait until he traveled to a country within the jurisdiction of Western law enforcement. Most criminals are not so careless, making such an arrest a rare success.
- With the explosion in spending on digital transformation (16.3% CAGR over the next five years), data is the new gold. And it is incredibly easy to steal, due to lapses in basic hygiene like encrypting data at rest and in transit or limiting access to only authorized users.
- Paying extortion through extensive cyber insurance policies only feeds the ransomware epidemic by incentivizing further crime, as FBI Director Christopher Wray noted.
As a veteran Air Force cyber operations officer who now runs a cyber-risk solutions company writing insurance policies covering extortion payments, I feel these points all too clearly. That is why it's time that enterprises dramatically rethink how they manage their cyber-risk as not just a technical problem but a financial problem as well.
Fighting Cybercrime With Cyber Resilience
While helping companies pay extortion is never the first choice for any insurer, its role is to help make its clients whole and reduce their financial exposure. But insurers have a responsibility to help their clients think proactively and holistically about how they assess, measure, and manage their cyber-risk overall. In other words, ask:
- Is the client investing its cybersecurity budget in the controls that matter most?
- Is the client making an effort to help improve the cyber hygiene of its organization?
- Is the client doing more to break the management silos separating security and business?
- Is the client able to predict and quantify its risk based on its security posture?
- Is the client able to improve its insurance coverage when it does all of the above?
This is the core idea behind cyber resilience, a way to protect digital infrastructure for enterprises by integrating the technical, policy, behavioral, and economic elements necessary to mitigate and manage cyber as a predictable risk.
Compared to insurance lines like property or auto, which have decades of data measuring what keeps a building from burning down or a car crash victim alive, cyber is a less mature line of insurance. Cyber policies are still harder to underwrite, given the difficulty in quantifying and pricing the risk. They require talented underwriters backed by technical knowledge, threat assessment software, and advanced analytics to measure a company's security controls balanced against risks in their sector. But like pushing regulations that require fire sprinklers in buildings and seatbelts in cars, insurance can rewrite the rules of how cyber-risk is managed by helping our clients make their digital infrastructures significantly more resilient to extortion threats.
Best Practices Help Thwart Extortion
Chainalysis, a member of the Institute for Security and Technology's Ransomware Task Force, found that ransomware revenue declined by nearly 50% in 2022. Though we have seen extortion attempts remain strong, we can anecdotally say that fewer companies are deciding to pay extortion due to controls that allow them to restore from backups or rebuild their IT networks.
This tells us that for a certain segment of the corporate ecosystem, sharing best practices builds resilience to extortion and raises the cost for attackers. Our goal now is to shift the view of companies and the insurance industry toward this new approach of cyber resilience and reward those who invest in strong cyber hygiene.
In our discussion group on ransomware, a CEO who had just thwarted an extortion attempt said it best when they noted what saved their company was rehearsing a holistic plan to respond to an incident. Exercising with real-world lessons helped their executive team successfully navigate an intrusion without paying the ransom. Davos' blend of public and private sector leaders made the perfect audience to hear this message.
Fighting cybercrime is a team sport, and to succeed, we must adopt this framework of cyber resilience that integrates the technical, policy, behavioral, and economic elements necessary to manage the reality of ever-growing cybercrime as a predictable and manageable cyber risk.