The Case for Banning (and Mandating) Ransomware Insurance

70 pages. Posted: 20 Aug 2021. Last revised: 28 Mar 2022.

Kyle D. Logue

University of Michigan Law School

Adam B. Shniderman

University of Michigan Law School

Date Written: August 18, 2021

Abstract

Ransomware attacks are becoming increasingly pervasive and disruptive. Not only are they shutting down (or at least “holding up”) businesses and local governments all around the country, they are disrupting institutions in many sectors of the U.S. economy — from school systems, to medical facilities, to critical elements of the U.S. energy infrastructure as well as the food supply chain. Ransomware attacks are also growing more frequent and the ransom demands more exorbitant. Those ransom payments are increasingly being covered by insurance. That insurance offers coverage for a variety of cyber-related losses, including many of the costs arising out of ransomware attacks, such as the costs of hiring expert negotiators, the costs of recovering data from backups, the legal liabilities for exposing sensitive customer information, and the ransom payments themselves. Some commentators have expressed concern with this market phenomenon. Specifically, the concern is that the presence of insurance is making the ransomware problem worse, on the following theory: Because there is ransomware insurance that covers ransom payments, and because paying the ransom is often far cheaper than paying the restoration costs and business interruption costs also covered under the policy, there is an increased tendency to pay the ransom — and a willingness to pay higher amounts. This fact, known by the criminals, increases their incentive to engage in ransomware attacks in the first place. And the demand for insurance increases; and the cycle continues.

This Article demonstrates that the picture is not as simple as this story would suggest. Insurance offers a variety of pre-breach and post-breach services that are aimed at reducing the likelihood and severity of a ransomware attack. Thus, over the long term, cyber insurance has the potential to lower ransomware-related costs. But we are not there yet. This Article discusses ways to help ensure that ransomware insurance is a force for good. Among our suggestions are a limited ban on indemnity for ransomware payments, with exceptions for cases involving threats to life and limb, coupled with a mandate that property/casualty insurers provide coverage for the other costs of ransomware attacks. We also explain how a government regulator could serve a coordinating function to help cyber insurers internalize the externalities associated with the insurers’ decisions to reimburse ransomware payments, a role that is played by reinsurers in the context of kidnap-and-ransom insurance.

Keywords: insurance, ransomware, cyber crime

Suggested Citation

Logue, Kyle D. and Shniderman, Adam B., The Case for Banning (and Mandating) Ransomware Insurance (August 18, 2021). U of Michigan Law & Econ Research Paper No. 21-040, Connecticut Insurance Law Journal, Forthcoming, Available at SSRN: https://ssrn.com/abstract=3907373 or http://dx.doi.org/10.2139/ssrn.3907373

Kyle D. Logue (Contact Author)

University of Michigan Law School

625 South State Street
Ann Arbor, MI 48109-1215
United States
734.936.2207 (Phone)

HOME PAGE: http://kylelogue.net

Adam B. Shniderman

University of Michigan Law School

625 South State Street
Ann Arbor, MI 48109-1215
United States
