WASHINGTON – The American Property Casualty Insurance Association (APCIA) today announced its Cyber Extortion/Ransomware Guiding Principles that will provide guidance as the industry develops thoughtful action-driven opportunities to address this societal problem.
“Insurers want to be partners with business leaders and policymakers in finding meaningful solutions for addressing the proliferation of ransomware attacks,” said David A. Sampson, APCIA president and CEO.
“The APCIA Board of Directors today endorsed principles that will guide our work to develop thoughtful, action-driven opportunities to address this societal problem. Singling out insurance as a reason for increased attacks negates the holistic benefit of cyber insurance and takes a simplistic approach to a complex problem. We all have a role in this fight and insurers are ready to participate.”
APCIA’s Board of Directors adopted and endorsed the following Cyber Extortion/Ransomware Guiding Principles.
Increasing Cyber Resiliency Through Partnership
- The insurance industry, business community and government have parallel interests in encouraging stronger cybersecurity and tamping down ransomware demands. We must all work together to fight the ransomware epidemic by advocating better cybersecurity, preparing to respond and recover when attacked, and pursuing and prosecuting the actors perpetrating the attacks.
- The insurance industry wants to partner with government and policyholders to help drive policy objectives that will increase cyber resiliency and support competition.
- Insurance is but one aspect of a far broader solution to increasing our nation’s cyber resiliency. Sophisticated cyber insurers have already invested in technology designed to help public- and private-sector policyholders protect against ransomware threats and minimize their impact.
- Creating greater cyber resiliency is a societal obligation, achievable only when the public and private sectors come together to identify the core drivers of ransomware incidents and of cyber threats generally.
- Cyber threat information sharing by government and impacted businesses, backed by strong liability protections, can improve timely detection, response, and deterrence.
- The Federal government should continue to utilize and improve on its multi-layered cyber defense tools and strategies and international partnerships to deter and combat cyber-crime.
- Support of broad policy options should, to the extent feasible, factor in customer viewpoints and insurer operational considerations.
- Laws, rules, and guidance must be workable, risk-based, clear, transparent, and consistently applied across companies and jurisdictions.
Regulation of Cyber Insurance
- Cyber risks are a continually evolving threat and today’s risks will not be the same risks we confront in the future. Insurance products are designed to meet this dynamic landscape and customer demands. But an exclusively insurance-focused solution that manipulates the insurance policy or underwriting process as the means of managing ransomware risks devalues the cyber insurance product and could stifle innovation and product offerings.
- Subject to applicable sanction and other laws, insurers must be permitted to provide reimbursement coverage for the policyholder’s payment of ransom for cyber extortion. This principle is consistent with the long-standing approach to the parallel issue of crime or kidnap & ransom coverages, which are allowed by regulators so long as those payments do not violate sanctions laws.
- Insurance is an important economic recovery resource for victims of ransomware attacks. Prohibitions on the reimbursement of legal ransom payments present potential unintended consequences, such as eliminating a meaningful risk management resource.
- The role of insurance must be balanced with the business’s obligation to identify and implement risk-based security measures. Insurance alone cannot be considered the solution to drive business behavior or to deter criminals. Rather, cyber insurance should be recognized as a beneficial tool to create awareness of the risk and further encourage and enable adoption of robust security measures supporting our nation’s cyber resilience.
- Insurers must be equipped with the specific and actionable guidance needed to make decisions which support governmental objectives. For example, the identity of malicious cyber actors may be unknown. Insurers will establish risk-based processes designed to verify the identity of the malicious cyber actor and avoid payments in violation of sanctions (i.e., enhanced due diligence, often with engagement of independent cyber forensics firms). In the absence of a conclusive outcome from these due diligence processes, insurers are left with their obligation to honor their commitment to their policyholders.
- The ransomware problem cannot be resolved with insurance-centric policy changes. Insurance can play a role in enhancing resiliency, but ultimately cannot cure the criminal behavior that perpetuates the ransomware problem. For this reason, there must be a holistic approach that focuses on the core drivers of the criminal behavior utilizing the expertise of all stakeholders.
- Government should not rely on insurers as its due diligence mechanism for monitoring business compliance and implementation of security measures.
- Insurance policy and underwriting activities should not be misconstrued as cybersecurity risk assessments, nor taken as assurance that the insured’s security measures are sufficient to avoid or eliminate ransomware attacks.
- Just as customers decide how to manage their own cyber risk, insurers must be able to determine their own risk appetite through careful underwriting and appropriate coverage offerings.