Kidnapping and Ransom, an Old and New Business
By Richard Seifman, UNA-NCA Board of Directors
Media front pages and TV screens have recently been filled with the kidnapping of Americans and a Canadian Christian missionary by a Haitian gang which is asking $1,000,000 per man, woman, or child to release them. This is an ongoing and particularly heart-rendering example of another type of “virus” spreading in many places throughout the world, with old and new variants appearing regularly. Kidnapping has a long history, and it comes in many forms.
As with any modern-day threat, a response ultimately emerges, in this case, “kidnapping and ransom insurance” (K&R). But, like most reactive measures, it is at this time only for the select few, with no guarantee of success or survival.
Old-fashioned physical kidnapping
Not far behind the “oldest profession,” kidnappers have been plying their efforts for centuries, and for varied reasons:
- In the 19th century sailors were “shanghaied to supply merchant ships;
- Bride kidnapping is a term to include a bride “abducted” against the will of her parents, even if she is willing to marry the “abductor”;
- Express kidnapping is a method of abduction used in some countries where a small ransom, that a company or family can easily pay, is demanded;
- Tiger kidnapping is taking a hostage to make a loved one or associate do something (e.g. a child is taken hostage to force the shopkeeper to open the safe);
- Kidnapping can refer to removing a member from an alleged cult and beginning a deprogramming process;
- Terrorist organizations kidnap sometimes in order to seek a response, such as a prison release, other than or with money.
With the expansion of global commerce and travel and many more very rich people, there was a need for some way to deal with this increasing threat.
While created in the 1930s it was not until the 1960s when kidnappings in Europe of terrorist groups such as the Red Army Faction in Germany and the Red Brigades in Italy came to the fore that kidnapping and ransom (K&R) insurance really caught on.
The basic idea is to provide a modicum of protection to senior executives or strategic employees operating in risky regions and areas, along with high-profile families, for those representing businesses or multilateral organizations, as well as non-governmental organizations such as those dealing with sensitive human rights issues. This said, as the Economist points out, it is clear that it is a “complicated business model” in which “poorer victims” are losing out.
Coverage typically dealt with kidnapping, extortion, wrongful detention, and hijacking. They are indemnity policies — they reimburse a loss incurred by the insured, but they do not pay ransoms on the behalf of the insured. The insured had first to pay the ransom, thus incurring the loss, and then seek reimbursement under the policy. The losses typically reimbursed by a K&R insurance company will include:
- Ransom funds — Money paid or lost due to kidnapping;
- Transit/delivery — Loss due to destruction, disappearance, confiscation, or wrongful appropriation of ransom money being delivered to a covered kidnapping or extortion;
- Accidental death or dismemberment — Death or permanent physical disablement occurring during a kidnapping;
- Judgments and legal liability — Costs resulting from claims or suits brought by any insured person against the insured;
- Additional expenses — Medical care, severe disruption of operations, potential damage to the company brand, PR counsel, wage and salary replacement, relocation and job retraining, and other expenses related to a kidnapping incident.
K&R insurance business has grown with an estimated 75% of Fortune 500 companies having K&R insurance policies.
U.S. and U.K firms dominate this market, accompanied by a growing cottage industry of security consultancy firms that specialize in various aspects of pre-, during, and after kidnap response. Consultants are security experts — mostly former military and police — who handle hostage negotiations. Such consultancy costs can now be included in a K&R policy and borne by the insurance company.
Today, techniques for hostage negotiation are a subject of conferences, conventions, instruction guides and shared strategies. Probably the lion’s share of conventional kidnappings now are dealt with by professional negotiators who pay a ransom — very few hostages are rescued through high-risk operations. Less than 1% are killed.
This success is not the case in instances where terrorists are involved. If the hostage is from a “no-concessions” country, then theoretically payment is not on the table. However, if the victim is from a country that negotiates, such as France or Spain, their national intelligence agency typically takes over. Apparently, the “no-concessions, no-payment” country track record is not good and may increase the likelihood that the victim will be killed.
The above video dates back to 2020 — since then, Alexanda Kotey, an Islamic State (IS) suspect from the UK (he is mentioned in the video), was caught and put to trial in a US court where he pleaded guilty to the murder of four American hostages, including the young Kayla Mueller we see in the video.
There is no universal agreement among western developed countries on how to approach a physical terrorist situation. They have different public and non-public stances, a seeming willingness (or not) to look the other way when “others” offer to pay.
For example, Joel Simon, who in nearly two decades at the Committee to Protect Journalists has worked on dozens of hostages cases, delves into the heated hostage policy debate in his bestselling book We Want to Negotiate (published in 2019), arguing that a firm no-concessions policy that relies on meager evidence is inexcusable when lives hang in the balance. This is what Simon has to say:
The new form of kidnapping: “Cybernapping”
Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
Ransomware actors often target and threaten “to sell or leak exfiltrated data or authentication information if the ransom is not paid”, according to the U.S. Government’s Cybersecurity and Infrastructure Assurance Agency (CISA).
The cyber insurance industry had grown fast in recent years but now cyber insurance is likely to become more expensive moving forward. Businesses (and individuals) will need to focus on strengthening their own cybersecurity rather than rely on insurance payments.
I call such nefarious acts “cybernapping,” and it is different than physical kidnapping in that neither the hacker nor the victim is physically together, with both possibly being on separate continents.
Victims may range from one person, one family, to many. Healthcare industries, municipalities, and educational facilities are seen as plum targets during this pandemic period, each desperate to pay a ransom quickly to protect and save lives. This institutional vulnerability is coupled with that of employees working remotely on their personal devices.
Perhaps the most disturbing attacks are those on the health sector during the pandemic. A study by Comparitech has shown that ransomware attacks had a huge financial impact on the healthcare sector, with over $20 billion lost in impacted revenue, lawsuits, and ransom paid in 2020 alone.
The problem is even more troubling because cybernappers can enter managed service providers (MSPs), platforms that serve many clients at once, and are not limited even to one industry.
This means if a hacker gains access to one MSP, that person can reach all clients served as well. Note that MSPs are hacked due to remote access tools that are poorly secured.
Major ransomware attacks have made headlines in the U.S. in 2021, including on Colonial Pipeline, JBS Foods (the world’s largest meatpacker), and other major organizations such as the Steamship Authority of Massachusetts and Washington DC Metropolitan Police Department.
There is another new feature to cybernapping and that is how payments can be made.
With the advent of cryptocurrencies, a whole new avenue of deception and virtual anonymity opened up. “If we were talking two years ago, we would not be talking about Bitcoin as being the dominant form of paying off the ransom,” said Hitesh Sheth, president of the cybersecurity company Vectra in San Jose, California. Further, according to Marsh McLennan, bitcoins “account for approximately 98% of ransomware payments. “
Governments are trying to ramp up their efforts to deal with this very serious new threat. The U.S. Justice Department is stepping up actions to combat ransomware and cybercrime through arrests and other actions, its №2 official, Deputy Attorney General Lisa Monaco told The Associated Press this week. But there is much more governments will need to do to contain the damages.
Beyond these obvious aspects of criminality, the extensive use of cryptocurrencies does harm to the environment by adding to the energy drain.
Vulnerabilities Exist but Don’t Let Them Rule Your Life
This is a time when both physical threats and threats we cannot see but know exist, have us feel more prone to harm.
Vulnerability can be perceived as growing for individuals and public and private institutions on which all rely. But the reality is that most of us can lead reasonably safe lives, and the systems on which we rely after an attack find their footing once again. And yes, the sun does come up and will every morning.
This article was originally published on Impakter.com. Richard Seifman is a former World Bank Senior Health Advisor and U.S. Senior Foreign Service Officer. He is currently a Board Member of the United Nations Association-National Capital Area.
