‘We should aim for a society in which not paying ransom is the benchmark’

Bernold Nieuwesteeg

Currently, insurance companies reimburse companies that pay the ransom after falling victim to ransomware attack. Bernold Nieuwesteeg, Director of the Centre for the Law and Economics of Cyber Security at Erasmus School of Law, argues that insurance companies should only cover the costs of the handling of the ransomware incident. In the Financieele Dagblad he explains why this approach makes not paying ransom more interesting and how it stops criminals from being rewarded for their crimes.

Resigning minister of Justice and Safety Ferdinand Grapperhaus is investigating whether insurance companies can be prohibited from reimbursing the ransom fine for insured companies. Because companies are now insured for this, the insurance company can decide to pay the ransom in consultation with the insured. Only covering the handling costs of a ransomware attack, contributes to a society in which ransom payment is no longer the benchmark.

In the summer of 2021, Nieuwesteeg and thirteen other Cyber ​​Security Professors, plead for making not paying a ransom in case of a ransomware incident the benchmark of national policy. Insurers like Inge Bryan could fear losing their customers and a reduction in cybersecurity if they change the current policy. According to Nieuwesteeg, this reasoning is incorrect: “Bryan makes a wrong assessment when she states that a ransom ban thwarts insurance companies. It assumes that companies purchase cyber insurance purely for the payment of ransom. That is not the case. They can also contact a cyber insurance company to insure the full costs of the settlement of a cyber incident, excluding the payment to the cybercriminal.”

Bryan also expects that a ban on reimbursing ransom will not lead to a decrease in ransom payments. Nieuwesteeg wonders on which information this statement is based: “The amount of research that is conducted into the payment of ransom is very minimal at this point. That is the result of a lack of public data.”

According to Nieuwesteeg, insurance companies do not have to fear a decrease in business. Insurers and cyber security experts are on the same side.

More information

Read the entire opinion piece in het FD here (in Dutch).

Related content
Together with other scientists, Bernold Nieuwesteeg is requesting the government for a cybersecurity dashboard.
Bernold Nieuwesteeg

Compare @count study programme

  • @title

    • Duration: @duration
Compare study programmes