Kyle D. Logue (University of Michigan Law School) & Adam B. Shniderman (University of Michigan Law School) have posted “The Case for Banning (and Mandating) Ransomware Insurance” on SSRN. Here is the abstract:
Ransomware attacks are becoming increasingly pervasive and disruptive. Not only are they shutting down (or at least “holding up”) businesses and local governments all around the country, they are disrupting institutions in many sectors of the U.S. economy — from school systems, to medical facilities, to critical elements of the U.S. energy infrastructure as well as the food supply chain. Ransomware attacks are also growing more frequent and the ransom demands more exorbitant. Those ransom payments are increasingly being covered by insurance. That insurance offers coverage for a variety of cyber-related losses, including many of the costs arising out of ransomware attacks, such as the costs of hiring expert negotiators, the costs of recovering data from backups, the legal liabilities for exposing sensitive customer information, and the ransom payments themselves. Some commentators have expressed concern with this market phenomenon. Specifically, the concern is that the presence of insurance is making the ransomware problem worse, on the following theory: Because there is ransomware insurance that covers ransom payments, and because paying the ransom is often far cheaper than paying the restoration costs and business interruption costs also covered under the policy, there is an increased tendency to pay the ransom — and a willingness to pay higher amounts. This fact, known by the criminals, increases their incentive to engage in ransomware attacks in the first place. And the demand for insurance increases; and the cycle continues.
This Article demonstrates that the picture is not as simple as this story would suggest. Insurance offers a variety of pre-breach and post-breach services that are aimed at reducing the likelihood and severity of a ransomware attack. Thus, over the long term, cyber insurance has the potential to lower ransomware-related costs. But we are not there yet. This Article discusses ways to help ensure that ransomware insurance is a force for good. Among our suggestions are a limited ban on indemnity for ransomware payments with exceptions for cases involving threats to life and limb, coupled with a mandate that property/casualty insurers provide coverage for the other costs of ransomware attacks. We also explain how a government regulator could serve a coordinating function to help cyber insurers internalize the externalities associated with the insurers’ decisions to reimburse ransomware payments, a role that is played by reinsurers in the context of kidnap-and-ransom insurance.