Ex White House CIO attacks insurance firms for 'fuelling ransomware industry'
Theresa Payton argues companies are manipulating victims to avoid paying higher bills


Former CIO of the White House Theresa Payton has warned that cyber insurance companies are supporting the ransomware industry by manipulating organisations into paying to have their systems returned after a cyber attack.
Insurance companies, according to Payton, are encouraging customers to pay ransomware demands as the costs associated with data recovery often outweigh those incurred by the ransom, meaning insurance providers pay far less as a result.
"I'm increasingly frustrated at the trend where the insurance companies are encouraging the victims to pay," said Theresa Payton, former White House CIO and security authority.
"The insurance company looks at what the potential incident response and forensics bill might be and that's going to be bigger in many cases because many organisations are not prepared and they would actually rather pay," she said.
Speaking at CloudSec 2019 in London, Payton said she was recently approached by an organisation seeking advice on how to proceed after its insurance company attempted to handle the ransomware issue directly. In that case, the insurance firm said it was "experienced at negotiating with the ransomware syndicates" and that it could "get the price to go way down".
However, Payton argued that it's important to trust your playbook, which typically tells an organisation not to pay and subsequently fund cyber crime. She added that if an insurance company tells you to pay, it could be an indicator that they're trying to save money.
Ransomware is typically pitched to victims at a slightly lower cost than what it would take to recover, which has been one of the reasons why it has proved to be such a highly successful form of cyber attack over recent years. However, in addition to concerns about funding cyber criminals, organisations are generally advised not to agree to any ransomware payments as there is no guarantee that paying the demand will result in the decryption of files.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Days prior to the successful coordinated ransomware attack on 22 Texas state municipalities, Payton was in Texas with small municipal and county groups advising on cyber security when an insurance company attempted to convince a security officer that they could be up and running within a day if they paid a ransom.
"I'm like: 'how', that's not how this works," said Payton. "It's not like buying on Amazon and a drone drops off the key - it doesn't work that way."
The 22 Texas municipalities were the most recent targets in a string of ransomware attacks on US state infrastructure since the start of the year. Starting in Baltimore, a series of other small government bodies across the country have been successfully infected with ransomware with many paying their respective ransoms.
Payton suggested the attacks are taking advantage of outdated systems and underfunding.
"At the city county and even the state-level in some cases, they're still dealing with legacy technology," she said. "It's taxpayer dollars that are required to pull in to do modernisation efforts and taxpayers don't see the cloud, they don't see the other things.
"They want their mobile app that lets them get their permit to do the remodelling on their house, but they don't see how their money goes to protect infrastructure."
She said that most of the technology has gone end of life and so many systems are no longer receiving vendor security updates.
Payton's warning follows a report issued earlier this year that showed ransomware attacks on UK businesses soared 195% in 2019 following a reduction in 2018.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
A threat to Google’s dominance? The AI browser wars have begun – here are the top contenders vying for the crown
News Perplexity has unveiled its Comet browser while OpenAI is reportedly planning to follow suit
-
Google Cloud Summit London 2025: Practical AI deployment
ITPro Podcast As startups take hold of technologies such as AI agents, where is the sector headed?
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector