Banning ransomware payments altogether has intuitive appeal, but there could be unintended consequences from an insurance perspective, a cyber insurance professional tells Canadian Underwriter.
For example, some desperate victims would still pay criminals and not cooperate with law enforcement, thus depriving law enforcement and government of data about the problem, says John Sinclair, portfolio partnerships practice leader at CFC. This would also further victimize organizations impacted by ransomware.
As well, a ban could lead to the targeting of specific providers of critical services, such as energy and healthcare. Criminal groups may believe authorities would not enforce the ban when facing the possibility of physical harm caused to citizens, Sinclair says.
“A blanket ban could backfire,” he wrote last month in a LinkedIn article, The Perils of Prohibition: the unintended consequences of banning ransom payments. “Threat actors might start explicitly targeting critical national infrastructure, betting that if exemptions are to be made, they’ll be for services we can’t live without.”
The role of insurers has also come under scrutiny during these debates. “Critics argue they’re exacerbating the ransomware problem by providing victim companies the liquidity to finance large ransom payments — and therefore fuel the very problem we’re trying to solve,” Sinclair writes.
From an insurance perspective, it’s worth remembering cyber insurance penetration rates are still very low, with probably less than 10% to 15% of small- and medium-sized enterprises buying a cyber insurance policy in Canada (and much lower outside North America), Sinclair tells CU. “This cannot be seen as a narrow, cyber insurance-related issue.”
To ban or not to ban
Certain U.S. states like North Carolina and Florida have already banned certain public bodies from making ransomware payments, Sinclair writes in the blog. Britain plans to do the same for public entities and critical infrastructure operators. The Australian government calls a ban “inevitable,” although it has backed away from implementing one just yet.
In Canada, there has not been the same intensity of debate around banning payments. The federal government’s 2025 National Cyber Security Strategy says it’s “exploring additional ways to further discourage ransomware payments and impose costs on cybercriminals.
“This includes improving Canada’s approach to cyber insurance policies to make cybercriminal business models, particularly ransomware, less profitable. The Government of Canada is also committed to working with industry to dissuade businesses from paying ransoms…”
Says Sinclair: “Notably, they stop short of mentioning any payment bans. The focus has really been on resilience and preparedness rather than legislative changes.”
Would it be safe to say most cyber insurers/MGAs recommend clients don’t pay ransom demands? What about as a last resort?
“It is fair to say that it is always considered the option of last resort,” Sinclair says. “The only time we really see where it can make sense is if an organization does not have any access to backups from which to restore their systems, so then an extortion payment can be the only viable option for the organization to recover.”
Ransom payment safe harbours?
Government and insurers have the tools and incentives to improve cybersecurity maturity across the global economy, he writes. One promising idea is ransom payment safe harbours. Essentially, governments can incentivize best practice around notification and cybersecurity controls by legally permitting ransom payments once certain requirements are fulfilled.
Sinclair tells CU there is nothing as explicit as a ransom payment safe harbour yet, but certain regulatory regimes have elements of a safe harbour.
For example, the U.S. Office of Foreign Assets Control came out with guidance in 2021 on potential sanctions risk for facilitating payments. The guidance explicitly states there are various mitigating factors in any enforcement actions, such as reporting an incident to the appropriate authorities and adopting or improving cybersecurity practices that reduce the risk of extortion. “They even list out some specific controls such as offline backups and incident response plans.”
And Australia has introduced a reporting requirement in which organizations must inform authorities within 72 hours of making an extortion payment or face penalties. “By doing this they have made it clear that as long as reporting requirements (and presumably other sanctions requirements) are met, there will not be punishment for making a payment.”
