‘We should aim for a society in which not paying ransom is the benchmark’

Resigning minister of Justice and Safety Ferdinand Grapperhaus is investigating whether insurance companies can be prohibited from reimbursing the ransom fine for insured companies. Because companies are now insured for this, the insurance company can decide to pay the ransom in consultation with the insured. Only covering the handling costs of a ransomware attack, contributes to a society in which ransom payment is no longer the benchmark.

In the summer of 2021, Nieuwesteeg and thirteen other Cyber ​​Security Professors, plead for making not paying a ransom in case of a ransomware incident the benchmark of national policy. Insurers like Inge Bryan could fear losing their customers and a reduction in cybersecurity if they change the current policy. According to Nieuwesteeg, this reasoning is incorrect: “Bryan makes a wrong assessment when she states that a ransom ban thwarts insurance companies. It assumes that companies purchase cyber insurance purely for the payment of ransom. That is not the case. They can also contact a cyber insurance company to insure the full costs of the settlement of a cyber incident, excluding the payment to the cybercriminal.”

Bryan also expects that a ban on reimbursing ransom will not lead to a decrease in ransom payments. Nieuwesteeg wonders on which information this statement is based: “The amount of research that is conducted into the payment of ransom is very minimal at this point. That is the result of a lack of public data.”

According to Nieuwesteeg, insurance companies do not have to fear a decrease in business. Insurers and cyber security experts are on the same side.