Businesses increasingly rely on cybercrime insurers to protect their business against hackers.
It was an ordinary October day when startled employees of a Canadian insurance firm discovered their computer files locked and a digital ransom note left by hackers.
"Hello, your network was hacked and encrypted. No free decryption software is available on the web. Email us to get the ransom amount."
After some negotiation, with the help of a British cyber insurance firm, the criminals settled on a payment of US$950,000 (NZ$1.4 million) in Bitcoin to unlock the files. The Canadian company was left with little choice but to pay up. Fifteen days later, the files were released.
This sequence of events was described in a private High Court hearing in December which was unsealed in January.
The businesses involved chose to remain anonymous to avoid tipping off the hackers of their attempt to use the courts to get their ransom money back from a cryptocurrency exchange.
It may seem like a surreal scenario, but experts say it has become a common occurrence.
There is in fact a booming industry in cyber insurance which often involves paying ransoms to shadowy hacking groups using cryptocurrency.
Paying a ransom to regain access to critical systems has become a valid option for many executives.
Garmin, the smartwatch manufacturer, reportedly paid a multi-million dollar ransom following a hack earlier this year. And Travelex, the foreign exchange business, reportedly paid a $2.3m ransom in April following a similar attack.
American and Canadian businesses may be prime targets for hacking, but many of the world's cybercrime insurers are headquartered in London.
"The primary goal is to help them get back up and running without having to make a ransom payment, because facilitating ransom payments is complex," says Graeme Newman, chief innovation officer at CFC Underwriting, a cyber insurance pioneer.
"Under the vast majority of cyber insurance policies, there is a section to cover the reimbursement of ransom payments which are made."
Experts say the UK market for cyber insurance, with around 15 per cent of companies taking out policies, lags well behind the US where roughly 35 per cent of businesses take out the insurance.
"The UK is a large exporter of cyber insurance policies," says Graham Walsh, a policy adviser at the ABI.
When a company is hacked, executives contact their insurer who introduces them to specialist ransomware negotiators as well as security experts, lawyers and sometimes the police.
To prepare for attacks, many businesses purchase Bitcoin in advance so that they have a ransom payment ready and waiting. Companies are also investing in tape backups of their data, an antiquated technology which retains its appeal for a simple reason: Hackers can't encrypt it.
If a business decides that the only way to get back to business as usual is to pay a ransom, then their insurer can research whether the hacking group is trustworthy.
It might seem surreal to consider whether an anonymous hacker group could ever be trusted, but it is in the interest of ransomware gangs to build up their reputation.
One ransomware group, known as MAZE, published a press release in March promising not to target healthcare organisations during the pandemic. It also offered a discount on unlocking files.
"We are starting exclusive discounts season for everyone who have faced our product," the group wrote.
Matt Walmsley, a director of cybersecurity business Vectra, says these hacking groups "want to build up brand trust. It's so that if people trust them to some degree, they're more likely to make a payment."
Insurers often consult lawyers to check that paying the ransom is legal. Most payments of this kind do not break the law, but a British business risks committing an offence under the Terrorism Act 2000 if it sends a payment to a group which is known to be linked to a terrorist organisation.
This can be a tricky area for companies. "It is usually impossible to know whether they have any connections to terrorism," says Ashley Hurst, the head of technology at law firm Osborne Clarke. "If there is a suspicion of terrorist activity, there is a risk of committing a criminal offence by paying the ransom."
Being able to legally pay ransoms, and then claiming the payment back through an insurance policy, has prompted concern that the industry is fueling a rise in ransomware attacks. Just as the payment of ransoms to kidnappers creates a moral hazard, by encouraging further activity, so the payment of ransoms to hacker groups risks escalating the problem.
Ciaran Martin, the former chief executive of the National Cyber Security Centre, has called for laws to block all ransomware payments. The current mix of regulations around these payments "doesn't make sense," he has said.
Etay Maor of cybersecurity business IntSights agrees with him. "The fact that they're getting paid is something that fuels them. I don't see any way around that," he says.
But insurers say businesses would pay the ransoms anyway and believe that offering a safe way to handle the transactions reduces the risk of money being lost.
"If a business is on its knees, they will find a way of doing it," Newman says. "We can put the proper controls and procedures in place and hopefully use that to help law enforcement catch perpetrators."
The nature of the threat cyber insurers face has recently changed. Hacking groups have switched focus in the last 18 months to prey on fears of breaching GDPR in order to extort higher ransoms stretching to millions of pounds.
Two years ago, it was common for hackers to simply encrypt files, locking the business out of its data until a ransom was paid.
Now, hackers often smuggle out a company's files and hold them to ransom. If no payment is made, the groups leak the information and force the victim to disclose a data breach to regulators.
"The criminals changed their tactics," Newman says. "They now exfiltrate the data then encrypt it."
With no change in the law imminent, and an industry of specialist ransom negotiators forming, the market for cyber insurance looks set to continue to grow.
That leaves hacked businesses, insurers and lawyers grappling with the moral dilemma of handing money to criminals.
"No one wants to support criminal activity by paying," Hurst says. "But it may still be the right thing to do to protect confidential information and personal data."