Inside the unusual world of cyber insurance, where ransoms are legally paid to criminal hackers


It was an ordinary October day when startled employees of a Canadian insurance firm discovered their computer files locked and a digital ransom note left by hackers. 

“Hello, your network was hacked and encrypted. No free decryption software is available on the web. Email us to get the ransom amount.”

After some negotiation, with the help of a British cyber insurance firm, the criminals settled on a payment of $950,000 (£747,000) in Bitcoin to unlock the files. The Canadian company was left with little choice but to pay up. Fifteen days later, the files were released. 

This sequence of events was described in a private High Court hearing in December which was unsealed in January.

The businesses involved chose to remain anonymous to avoid tipping off the hackers about their attempt to use the courts to get their ransom money back from a cryptocurrency exchange.

It may seem like a surreal scenario, but experts say it has become a common occurrence.

There is in fact a booming industry in cyber insurance which often involves paying ransoms to shadowy hacking groups using cryptocurrency.

Paying a ransom to regain access to critical systems has become a valid option for many executives. 

Garmin, the smartwatch manufacturer, reportedly paid a multi-million dollar ransom following a hack earlier this year. And Travelex, the foreign exchange business, reportedly paid a $2.3m ransom in April following a similar attack.

American and Canadian businesses may be prime targets for hacking, but many of the world’s cyber crime insurers are headquartered in London.

“The primary goal is to help them get back up and running without having to make a ransom payment, because facilitating ransom payments is complex,” says Graeme Newman, chief innovation officer at CFC Underwriting, a cyber insurance pioneer.

“Under the vast majority of cyber insurance policies, there is a section to cover the reimbursement of ransom payments which are made.”

Experts say the UK market for cyber insurance, with around 15pc of companies taking out policies, lags well behind the US, where roughly 35pc of businesses take out the insurance.

“The UK is a large exporter of cyber insurance policies,” says Graham Walsh, a policy adviser at the ABI.

When a company is hacked, executives contact their insurer, who introduces them to specialist ransomware negotiators as well as security experts, lawyers and sometimes the police.
