Insurance providers urged not to pay ransom in cyberattacks

Insurance providers in the Netherlands should not pay ransom on behalf of organizations which fall victim to ransomware, Justice and Security Minister Ferd Grapperhaus advised on Wednesday. In a letter addressed to parliament over issues of cybersecurity, Grapperhaus advised insurance providers to instead pay out the cost of damages organizations incur by not paying the ransom, believing that paying the ransoms themselves will only incentivize further criminality.

"Paying a ransom will reward and stimulate criminal activity," the minister wrote, pointing out that police expect that paying a ransom "will lead to more ransomware attacks". Ransomware, an increasingly prevalent type of malware, is used by cybercriminals to encrypt files they have hijacked or stolen. The attackers then demand a ransom, often in exchange for releasing a password that makes the files accessible again and for keeping any stolen information private.

"It is my preference that the insurer does not reimburse the ransom that ends up in the hands of criminals, but rather the damage that is suffered by not paying this ransom," Grapperhaus added.

In January, Maastricht University paid almost 200,000 euros in ransom to regain access to its systems after falling victim to a cyberattack. In light of the incident, Grapperhaus added in Wednesday's letter that insurance providers should place extra emphasis on making sure their policyholders take cybersecurity seriously and put adequate protections and procedures in place.

Insurance firms can incentivize their clients to do this by laying out clear requirements that should be part of the clients' cybersecurity plans. The Dutch Association of Insurers is set to meet to discuss the minister's new recommendation with its members, reports.