
> Organizations should be legally prevented from being able to pay these ransoms and should instead receive funding to help them recover from the damages

Isn’t a simpler solution insurance? The insurance company becomes a specialist in pricing and reducing this risk. And the malware writers become, in effect, ersatz pen testers.

Like a ban, you’re reducing the incidence rate. Unlike the ban, you’re extracting a public good from the ransomers’ work in the form of better infosec.



Right now, a lot of hacked organizations may just say "it's not worth the payout", but if they are already paying insurance then of course they are going to tell the insurance company it's important and ask for the ransom to be paid.

I think the bright spot of the ban would be that if it was legally enforced then all hackers would see this and quickly realize it wasn't worth the risk.

(Not sure if I'm for this 100% - but I think it is worth considering)


> if they are already paying insurance then of course they are going to tell the insurance company it's important and ask for the ransom to be paid

Interesting point. If this kind of insurance became widespread, that would be great news for the attackers.


Insurance companies still have a lot of trouble pricing and selling cyber insurance. Ransomware is a bit of an outlier here, being the most popular category of cyber insurance and all, but it seems to still be difficult for insurers to price their premiums.

It's mostly because there aren't a lot of good measurements for assessing how likely a company is to get hacked / hit by RW (I'm not a believer in infosec through Q&A / self-assessment).

These are of course growing pains, and especially for SMBs some form of insurance + cybersecurity tooling basics will be the dominating approach to managing cyber risk.


Software purchasers in a lot of enterprise IT are contractually and legally required to carry such insurance in the US. The problem is that the organizations usually impacted are similar to people refusing to pay for car insurance: ones that keep trying to skimp on security so much, for legit budgetary reasons (small town police departments come to mind) or because they are institutionally so incompetent and covering it up (Equifax), that auditors and actuaries would have trouble pricing their insurance correctly.


> Like a ban, you’re reducing the incidence rate.

How does buying an insurance policy reduce the incidence of ransomware?


The insurance policy would be tied to following some (infosec) best practices. In the best of all worlds, insurers would then check on their customers to make sure best practices are followed, in the same way that we follow best practices for avoiding fires in terms of building construction and not having flammable materials lying around too much.

