Cyber insurance is motivating black hats to pursue more ransomware attacks. Much like piracy in the Gulf, knowing there is insurance and demanding only a fraction of the insured value means it is in the best BUSINESS interest of insurance companies to pay the ransoms, which creates a terrible cycle of destruction and cost. The pirates/criminals know the money is there; all they have to do is write the ransomware.
As is the norm in such cases (piracy again), it will require a government to step in and enforce a policy through force. The government must mandate non-payment, which insurers will lobby against. If payment cannot be made, the government will be required to intervene to protect the business assets of the insured and the insurer, or a black market will develop to pay the criminals.
If the government doesn't want insurers paying criminals, then the government will need an actor (military etc.) to take action to discourage the release of ransomware. This will not stop the use of ransomware; it will only decrease the frequency and increase the intensity, just like piracy.
Unfortunately, this will not increase demand for highly qualified cyber security and risk personnel, who can help prevent successful attacks; it will merely increase the size of the insurance market. Consumers, as always, are a secondary consideration, and assets affecting a critical mass of people, such as health records, will be the biggest target, as in any terrorist-style criminal activity. Criminals know they need to pick big targets if they want a big payday.
HIPAA security officers need to prepare for this impending increase in risk more than their counterparts in any other industry, because they have the most to lose.