More must be done to clamp down on exchanges that allow cyber criminals to launder billions of dollars via cryptocurrencies, an insurance expert says.
CIO at CFC Underwriting in London, Graeme Newman, gave the advice in response to calls from security experts in the UK that it be made illegal for cyber insurers to reimburse ransom payments.
Mr Newman says this focus on ransom payments is misguided. Efforts should instead be placed on currency exchange, particularly from cryptocurrencies such as Bitcoin and Monero.
“Cryptocurrencies make it possible to launder billions of dollars with little fear of being caught,” Mr Newman says. “More must be done to clamp down on the exchanges that wittingly or unwittingly facilitate this crime.
“We should be putting our effort into tackling those exchanges that facilitate the payments – the over-the-counter traders that are the money launderers of cryptocurrency. That is an area to focus our efforts.”
Mr Newman, who has two decades of experience in cyber insurance, tells insuranceNEWS.com.au it is “overly simplistic” to think legislation against giving in to ransoms will be a true fix.
He says insurers “would happily support a bill to make the reimbursement of ransoms illegal, if (and only if) that would actually solve the problem”.
“Unfortunately, I don’t think it would,” he says. “That is far, far too simplistic and is lazy thinking. The problem is more nuanced and more complex than that,” he says, adding that governments should be trying to catch the cyber crime actors and not trying to criminalise the victims of the crime.
“What we should be doing is helping them to follow the money trail and catch the perpetrators,” he says.
He advocates a licensing system whereby any payments of this nature are regulated to make sure law enforcement knows what is going on.
“Otherwise you just drive this underground and take it totally out of the purview of law enforcement,” he says.
The economic damage caused by ransomware is often many multiples of the billions the criminals are stealing, making this “the worst form of financial crime”.
Cyber insurance has a “critical role to play” and, by following carefully structured paths and involving the right professionals, can ensure that payments are made only when absolutely necessary and that law enforcement is kept informed so it can use the intelligence gathered to track and ultimately catch the perpetrators, Mr Newman says.
Less than 15% of global businesses purchase cyber insurance, so to suggest that eliminating part of it would fix what is now a global issue would be to “ignore the other 85% of businesses who face the same problem without insurance”.
“There is no evidence to suggest that businesses who purchase cyber insurance are more inclined to pay a ransom demand than those without; in fact, in my experience, it is quite the opposite,” Mr Newman says.
Armed with insurance, a company can access the appropriate experts to guide them through the issue and support them through the recovery process. In the absence of this help, most small businesses assume they have no other option but to pay.
He points to global sanctions laws and says that with insurers being regulated entities and most having US assets, “this is already a powerful incentive to seek alternatives to paying ransoms”.
“As an industry we are committed to doing all we can to ultimately eradicate this vile by-product of the digital age. And with almost a trillion dollars in policy limits exposed I don’t think there is any other part of the economy that has a stronger motivation to make it happen,” Mr Newman says.