Dutch government considering ban on ransom payments by insurers

According to Dutch news website NOS, the Ministry of Justice is considering the ban but has not yet made a decision on what actions it would take. Last year justice minister Ferd Grapperhaus wrote to the Dutch parliament raising cybersecurity issues, and advised insurers to pay for the damages incurred by not paying a ransom rather than paying the ransom itself.

Cybersecurity expert Sari van Grondelle of Pinsent Masons, the law firm behind Out-Law, said a prohibition on ransom payment may not be a solution to the problem, as companies falling victim to a ransomware attack will generally experience great pressure on getting the business up and running again and may not see alternatives to paying ransoms.

“In many cases the criminals have been able to gain access to the deeper layers of systems used by companies, making it harder and more time-consuming to restore systems. Additionally, criminals often demand amounts that are equal to the amount required to repel an attack and remediate its effects, so companies may still be inclined to pay the criminals ransom money – whether or not covered by an insurance company,” van Grondelle said.

Van Grondelle said a ransomware payment prohibition could nudge companies to invest in better protecting their businesses against cybersecurity threats and to think of alternatives to paying ransoms, but in order to do this, companies would need the right tools and support.

“A ransomware payment prohibition should therefore not stand alone, and should sit along additional measures and support. Governments and businesses should aim for a more ‘holistic’ approach towards combatting cybersecurity threats and incidents,” van Grondelle said.

The Dutch moves are part of a wider trend, with similar developments in other jurisdictions. The

UK/US Cyber Taskforce recently published a report suggesting it wanted to look at the legality of paying ransoms. The report included a framework for action aimed at helping policymakers and industry leaders take action through legislation, collaboration and funding programmes to combat the challenge of ransom attacks.

Writing from a US perspective, the taskforce proposed a nationally and internationally coordinated comprehensive strategy against ransomware and hacking attacks, including better cooperation between governments to send a signal to cybercriminals that the issue was a diplomatic and law enforcement priority.

Pinsent Masons data protection expert Wouter Seinen said: “A local Dutch piece of legislation may not be a very helpful tool, as the problem generally transcends borders. It will rather create inequality between companies that are established or insured in the Netherlands and those who are established or insured elsewhere.”