Insurance as Crime Governance: Comparing Kidnap for Ransom and Ransomware

Insurers have a financial interest in limiting the losses they cover. It is commonly known that insurers routinely manage moral hazard and adverse selection among the insured population by incentivising behaviour that limits risk and penalises excessive risk taking. Insurers also create processes that reduce the overall cost of claims by making it more difficult for third parties to benefit from the insurance relationship.

This report applies this approach to insurance as crime governance. The report proposes that insurance measures fall broadly into three categories:

1. Making it more difficult and/or risky to commit a crime.
2. Reducing the cost of a crime to the insured/insurer.
3. Reducing the profitability of a crime for the criminals.

This framework has been tested in a joint workshop organised by RUSI and King’s College, London, which was attended by 25 specialists in kidnap-for-ransom (KfR) and ransomware: underwriters, brokers, security advisors, crisis responders and negotiators. KfR insurance is a mature product that has existed since the 1930s. It faced sustainability problems similar to those of the current ransomware epidemic in the past but has since created a sophisticated system to discourage and stabilise kidnapping. By contrast, ransomware coverage, which is generally included in broader cyber insurance packages, is a relatively new product. At the workshop, representatives from both KfR and ransomware response were invited to comment on the extent to which the above governance functions were fulfilled in their sector, where the gaps existed, and what problems needed to be resolved to fill them.

This report finds that the KfR insurance industry has created effective norms and processes to:

• Lower the number of claims by hardening targets.
• Incentivise kidnappers to limit violence against hostages and damage to assets.
• Manage hostage recovery and ensure companies’ compliance with duty-of-care standards to prevent costly litigation (thereby reducing the insurance pay out).
• Identify and reward best practice in ransom negotiations and maintain ransom discipline by taking control of negotiations.
• Ensure that participants in the insurance and crisis response market follow established norms and do not compete on terms that could undermine the stability of the overall market.

By contrast, the cyber insurance and ransomware response has:

• Struggled to agree on common minimal cyber hygiene standards, leaving the insured to make their own cyber security decisions. However, the current hard market for cyber insurance is likely to be driving some insureds to become more cautious and resilient. (In a hard market, demand outstrips supply, premiums increase and capacity decreases, due to losses or other factors. In such a market, the insurer has the upper hand when it comes to setting prices or conditions for cover.)
• Not yet arrived at a consensus on what best practice in ransom negotiations is, nor identified tactics to drive down ransoms, especially in the case of data exfiltration.
• In a growing and highly competitive market, failed to create institutions that prioritise the common good over individual self-interest.

Workshop participants agreed that the two crimes and related insurance markets were very different, and that the negotiation protocols developed in KfR could not be used as blueprints for solving the problems of ransomware.

However, through taking a broader ‘governance system’ view, it became clearer which deficits cyber insurance should address as a priority in tackling the ransomware boom. The cyber insurance market must prioritise discovering and disseminating best practice standards for preventing, containing and resolving cybercrime that serve both the market and the public interest, and creating institutions to enforce these broadly (perhaps with the aid of governments).