
"Ransom ban for cyber insurance is not a solution"


Should an insurer reimburse a ransom or not? Minister Grapperhaus is investigating the possibilities for a ban. Nynke Brouwer, who obtained her PhD with a dissertation on cyber insurance, calls a ban pointless. "It doesn't necessarily lead to fewer payments." A conversation about her dissertation, the role of insurers and the sense and nonsense of ransom.

Cyber insurance is in its infancy and is still rarely taken out. Why did you want to dedicate your dissertation to that?

"Cyber insurance is a new product. It is on the rise, but enormous potential is attributed to it. If you delve into it a bit, you soon notice that there is a whole world behind it, with quite fundamental questions. What is a cyber risk? How do you calculate that? How do you convert it into a workable insurance product? Can the risk be properly insured at all? I am particularly fascinated by the world behind it, with people involved from all kinds of disciplines."

Who is Nynke Brouwer?

Dr Nynke Brouwer is a lawyer at Dirkzwager. She specialises in liability and insurance law, and in particular in cybersecurity, cyber insurance and privacy.
On 7 October, she successfully defended her PhD dissertation, Cyber insurance from a civil law perspective, at Radboud University in Nijmegen. Brouwer regularly publishes on this subject in the scientific literature and also gives lectures and seminars. She is also a member of the VNAB's Technical Committee on Cyber.

Which aspect fascinates you the most?

"Cyber risks are elusive, but we still try to get a grip on them. Moreover, the risks are also interlinked, which means that more and more multidisciplinary research is being conducted. Economists who 'suddenly' collaborate with technicians, for example. Or a lawyer like me who is looking for more cooperation with computer science. Cyber makes those connections almost automatically and I like that. Just like I like to see how fast it develops. Just look at how quickly such a modern phenomenon as cyber finds its way into a world where the techniques and practices are so much older. If we want to curb cybercrime, we will have to work together a lot more."

We need to work together more? Does that also mean that there should be fewer pigeonholes?

"That's for sure. People always like pigeonholes, because then they can categorise nicely. I always call that labelling, but cyber transcends that. You see that in both companies and industries. A company can no longer say that cyber belongs only to the IT department. Or only at Legal. Tackling cybercrime requires a multidisciplinary approach. So I would say: break down those boxes, step out of your comfort zone, get advice and opt for mutual learning, also within your industry."

Mr. dr. Nynke Brouwer

Insurers have set up iCERT to share knowledge and make each other stronger in the fight against cyber (crime). Should more industries join forces?

"iCERT is certainly a good example, but fortunately there are others. The Z-CERT for the healthcare sector, for example, and the Digital Trust Center also does good work for companies. Such cross-sector services are very good, but I also think the Cyber Security Council's call for the government to take more control is more than justified."

For the time being, the government mainly wants no more ransom to be paid. Is that a legitimate wish?

"Paying a ransom is undesirable. Everyone agrees on that. The key question, however, is how best to break the business model of criminals, and that requires a much more nuanced solution than many people think. When it comes to insurance, it is important to distinguish between a ban on paying a ransom and a ban on insurance coverage. People often think that insurers pay the ransom, but that's not the case. To sum it up briefly, you can say that insurers provide coverage for the ransom paid by their insured. We call this a reimbursement construction. I have done separate research into this and looked at the how and what of the long-standing Kidnap and Ransom insurance, among other things. In different countries, this is handled in a very diverse way. In Italy, for example, paying ransoms for kidnappings and hostage-taking is prohibited, but the research shows that such a ban does not necessarily lead to fewer payments. In fact, if you start prohibiting the payment of ransom for everyone, you push it into illegality and you have no control over it at all."

"If you're going to ban the payment of ransoms, you're pushing it into illegality"

Do you also think a ban on insurance coverage is undesirable?

"Yes, I sincerely wonder whether a ban will lead to the desired result: less ransomware. Of course, I also look at it as a lawyer. Insurance is an agreement that offers freedom of contract as a starting point. A ban interferes with that freedom, while no thorough research has been done into payment behaviour at all. Let alone the influence of an underlying insurance. I wonder what a ban is based on? And then there is the argument that the majority of the companies affected are paying, albeit very reluctantly. Simply because there is no acceptable alternative. Another argument is that a relatively small proportion of these companies have insurance. That alone is an indication to me that insurance usually does not play a decisive role at the moment."

Think before you start: more research before a ban can even be considered?

"I don't know if the ministry has already made a decision on any ban or measure, but I think the focus on insurance coverage is too great. Within the larger problem of ransomware, insurance is really only a very small link. I therefore think that we need to tackle the problem much more holistically, with a focus on prevention, detection and response. This starts with an internationally coordinated approach, because cyber does not stop at the border. And as long as there are countries that don't do anything, it's going to be a very complicated story."

"We need to take a much more holistic approach to cyber"

Cyber knows no borders, so should Europe act?

"We can talk about it for a long time, but there is a European Union, so I wouldn't be so surprised if there is an approach at the European level. For me, the most important thing is that the government must take the lead in taking a thorough look at the problem of ransomware and cyber resilience in general. The Cyber Security Council has recently written this down so beautifully in an advice to the government."

What is their main proposal?

"It sounds a bit joking, but more money. They have explained very well what the threat assessment is, how real it is, and also calculated that a financial injection is needed to take our policy to a higher level. The focus should be on education, knowledge gathering, research and information sharing. There is a nice, solid advice that I can fully endorse. Now it's up to the government."
The dissertation Cyber insurance from a civil law perspective is for sale at Wolters Kluwer.

The role of insurers

Although the focus in recent weeks has been on the insurance market, and even more so on the (coverage of) cyber insurance, the market is still very small. In other words, cyber insurance is not yet being taken out en masse, but last month Het Financieele Dagblad wrote that cyber insurers are seeing the number of claims rise so sharply that premiums have to be increased. According to Dr Nynke Brouwer, this is because the cyber insurance market is suffering from its own market forces. "Sufficient risks are needed for the proper development of a new market. Not only bad ones, but also good ones. In order to attract the latter in particular, the product must therefore be extra attractive. Think of low premiums and good coverage. If more and more cyber risks are added and more and more companies are affected, the cost of claims will increase rapidly and that will change the market."

Different definitions
In this sense, Brouwer speaks of a wave movement, as a result of which insurers are more or less forced to charge both higher premiums and higher entry requirements. But insurers should also put their own house in order, she believes. When asked what insurers could do differently and perhaps better, she replies that it would help enormously if insurers used more unambiguous definitions. "Take the concept of cyber incident, for example. That's a core concept in cyber insurance, but just for fun, ask three different people what they mean by an incident? You are sure to get three different answers. Insurers use different definitions and it is precisely these differences in detail that make cyber insurance a product whose size and scope is not always clear."

More clarity
Finally, she stresses that more clarity would be desirable. "I understand very well that insurers who are at the forefront and have invested a lot of money and time in cyber, do not want to share all their knowledge with others who have waited and would now benefit from their knowledge. I think that is also very healthy, but the other side of the coin is that it is one of the reasons why it is difficult for the market to develop. Perhaps the industry could look for definitions for certain key concepts, so that insurers all speak the same language. They could also do the same for certain security standards. This also requires a multidisciplinary approach, but it does create clarity. For the companies that want to take out insurance and for advisers who need to be able to explain cyber insurance."

 

