Criminal cyber attacks that deprive access to vital digital information and hold it for ransom are a constant and ever-increasing threat. No organization is immune. 

Due to the exponential rise in ransomware attacks, cyber insurance coverage for ransom payments – one of the tools for mitigating cyber risk – now requires steeper premiums for much less coverage. Some argue that insurers’ payments have contributed to the increase in attacks.  Meanwhile, the FBI continues to warn that paying a ransom is never a guarantee that encrypted data will be recovered. 

 Whether to pay a ransom has now become a matter of state public policy. In an effort to deter ransomware attacks on state agencies, North Carolina became the first state to enact laws prohibiting the use of tax dollars to pay ransoms (N.C.G.S. 143‑800). Pennsylvania is considering following suit. A proposed ban on ransom payments in New York would extend to private companies (seeNew York State Senate Bill S6806A). Whether these efforts will successfully deter cybercrime remains to be seen.  

These developments serve as a reminder to focus on cybersecurity fundamentals.  Organizations should review their cybersecurity measures on a regular basis as a matter of good governance. Simple security measures such as multifactor authentication and providing regular employee training on phishing and other social engineering scams can make all the difference.

Whether paying ransoms causes an increase in ransomware attacks by emboldening criminals will continue to be debated. But any such increase likely pales in comparison to the risks associated with the failure to institute appropriate cybersecurity measures. Too many organizations remain easy pickings.