Former CIO of the White House Theresa Payton has warned that cyber insurance companies are supporting the ransomware industry by manipulating organisations into paying to have their systems returned after a cyber attack.
Insurance companies, according to Payton, are encouraging customers to pay ransomware demands as the costs associated with data recovery often outweigh those incurred by the ransom, meaning insurance providers pay far less as a result.
"I'm increasingly frustrated at the trend where the insurance companies are encouraging the victims to pay," said Theresa Payton, former White House CIO and security authority.
"The insurance company looks at what the potential incident response and forensics bill might be and that's going to be bigger in many cases because many organisations are not prepared and they would actually rather pay," she said.
Speaking at CloudSec 2019 in London, Payton said she was recently approached by an organisation seeking advice on how to proceed after its insurance company attempted to handle the ransomware issue directly. In that case, the insurance firm said it was "experienced at negotiating with the ransomware syndicates" and that it could "get the price to go way down".
However, Payton argued that it's important to trust your playbook, which typically tells an organisation not to pay and subsequently fund cyber crime. She added that if an insurance company tells you to pay, it could be an indicator that they're trying to save money.
Ransomware is typically pitched to victims at a slightly lower cost than what it would take to recover, which has been one of the reasons why it has proved to be such a highly successful form of cyber attack over recent years. However, in addition to concerns about funding cyber criminals, organisations are generally advised not to agree to any ransomware payments as there is no guarantee that paying the demand will result in the decryption of files.
Days prior to the successful coordinated ransomware attack on 22 Texas state municipalities, Payton was in Texas with small municipal and county groups advising on cyber security when an insurance company attempted to convince a security officer that they could be up and running within a day if they paid a ransom.
"I'm like: 'how', that's not how this works," said Payton. "It's not like buying on Amazon and a drone drops off the key - it doesn't work that way."
The 22 Texas municipalities were the most recent targets in a string of ransomware attacks on US state infrastructure since the start of the year. Starting in Baltimore, a series of other small government bodies across the country have been successfully infected with ransomware with many paying their respective ransoms.
Payton suggested the attacks are taking advantage of outdated systems and underfunding.
"At the city county and even the state-level in some cases, they're still dealing with legacy technology," she said. "It's taxpayer dollars that are required to pull in to do modernisation efforts and taxpayers don't see the cloud, they don't see the other things.
"They want their mobile app that lets them get their permit to do the remodelling on their house, but they don't see how their money goes to protect infrastructure."
She said that most of the technology has gone end of life and so many systems are no longer receiving vendor security updates.
Payton's warning follows a report issued earlier this year that showed ransomware attacks on UK businesses soared 195% in 2019 following a reduction in 2018.
-
AI is helping bad bots take over the internetNews Automated bot traffic has surpassed human activity for the first time in a decade, according to Imperva
-
Two years on from its Series B round, Hack the Box is targeting further growthNews Hack the Box has grown significantly in the last two years, and it shows no signs of slowing down
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
