NeuGroup
December 4, 2025

Talking Shop: Accessing Crypto to Pay Ransom in Cyberattacks


Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously. Send us your responses: [email protected].

Context: Data released this year by NeuGroup Peer Research found that 83% of companies surveyed purchase cyber insurance. One obvious reason for buying coverage is the costs associated with a ransomware cyberattack. The average cost of an extortion or ransomware incident topped $5 million this year, according to IBM’s Cost of a Data Breach Report.
  • The IBM report also found that average breach costs in the U.S. reached a record $10.2 million in 2025, a 9% increase over last year, “driven in part by higher regulatory fines and detection and escalation costs.”
  • Ransom payments almost always require a corporate to have access to cryptocurrency such as bitcoin. But the overwhelming majority of NeuGroup members don’t hold volatile crypto assets on their balance sheets.
  • Companies that do end up paying ransom—more are refusing to thanks to better preparedness—rely on third parties that in most cases have been approved by their cyber insurance carriers.
Member question: “Are you equipped to access crypto quickly in event of a ransom situation from a cyberattack? Our internal teams just did a table-top exercise on a cyberattack. The question that came up is whether we are equipped to quickly access cryptocurrency and, if not, how can we be prepared? Does anyone have an active plan to access it if needed due to a cyberattack?”
Peer answer 1: “We have an outside cybersecurity firm called Northwave that monitors access to our systems. They also can provide bitcoin or other cryptocurrencies (for a fee) in the event of a ransomware attack.
  • “We first looked at buying some bitcoin as a precaution in the event of an attack, but we were concerned we would have to disclose the holding, which might even invite an attack. Plus, if we held it, we would be subject to the volatility of the currency, which we viewed as a downside and a distraction.”
Peer answer 2: “If you are carrying cyber insurance, there will be a panel of vendors who can assist with cyber incidents, including coordinating the procurement and payment of ransomware in crypto on your behalf.”
Peer answer 3: “I concur with the above statements. Our carrier has a list of vendors that support this scenario. Previously, ‘if’ we had a cyber breach we engaged an intermediary firm to manage the crypto settlement if that was the route we went.”
NeuGroup Insights reached out to Adam Hart, Vice President of Forensic Services at Charles River Associates (CRA), who spoke about cyberthreats and ransomware at the fall meeting of NeuGroup for Insurance and Risk sponsored by WTW. He offered these insights in response to the NeuGroup member question:
  • “The best option is to establish a relationship with an incident response firm prior to an incident. Obtaining a list of approved firms from your cyber insurer will be helpful to ensure you will have coverage.
  • “Many incident response firms such as CRA regularly handle threat negotiations and communications and will guide you in facilitating the purchase of cryptocurrency. An important aspect of this includes completing the proper sanctions checks to confirm you will not be paying a prohibited party.
  • “If it is decided that a payment will be made, the crypto broker will send the payment to the threat actor, and you will wire the funds to reimburse the broker. Going through trusted third parties for this process minimizes any issues you may have with the insurers.”
In addition to CRA, some other vendors handling various aspects of cyberattacks recommended by insurance companies include Arete Advisors, Booz Allen, Coveware, CrowdStrike, Kroll and the Unit 42 division of Palo Alto Networks.