During the dot-com bubble in the 1990s, cyber liability insurance gained popularity as a layer of protection for these new companies against unauthorized system access, computer viruses and data loss. Back then, companies had it easy compared to the cybercrime and data breaches that organizations deal with today. Today cyber liability insurance is all about ransomware, which is roiling the liability insurance market.
Ransomware insurance is used to pay ransom demands. The Lake City, Florida City Council decided to pay a ransom of 42 bitcoin, then worth about $460,000; the city's own cost was a $10,000 deductible, with the remainder covered by its cyber insurer, Beazley, an underwriter at Lloyd's of London. The city chose to pay the ransom because the cost of a prolonged recovery from backups would have exceeded its $1 million coverage limit, and because it wanted to resume normal services as quickly as possible. The insurance company supported this decision because, from the insurer's side, restoring the systems was going to cost more than paying the ransom.
The FBI and security researchers say paying ransoms contributes to the profitability and spread of cybercrime and in some cases may ultimately be funding terrorist regimes. But for insurers, it often makes financial sense, industry insiders said. It holds down claim costs by avoiding expenses such as covering lost revenue from snarled services and ongoing fees for consultants aiding in data recovery. And some skeptics go as far as to say that by rewarding hackers, it encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying more policies.
However, this year we have seen an escalation of ransom amounts and demands which is making insurance companies rethink their policies. It was quite different when most of the targets were small businesses and the ransom was a few bitcoins. Today the attacks are against large companies and the ransom is in the tens of millions, or they are supply chain attacks like the one against Kaseya, which affected thousands of small businesses simultaneously and involved cumulative multi-million-dollar ransoms. Some hackers target companies with insurance policies since they would be more likely to pay the ransom. They could even hack an insurance company’s files to find their most lucrative insured customer targets.
Insurance companies are of course responding by raising premiums and capping payouts. But one of the more constructive responses is playing an active role in disrupting the ransomware business by encouraging or even requiring policy holders to improve their defenses, so that they do as much as possible to avoid falling victim to a ransomware attack in the first place. While in the past insurance companies may have only required a self-certification of security safeguards, now many insurance companies require an audit of minimum ransomware controls as part of any ransomware coverage. These controls may include timely patching of critical vulnerabilities in externally facing IT infrastructure, multi-factor authentication on remote access services, network segmentation, strong encryption and key management, and procedures to ensure that regular backups are created.
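Of the controls listed above, the backup requirement is the one an auditor can most easily check mechanically: is there a recent backup, is at least one copy offline or immutable so that the ransomware cannot encrypt it along with production data, and has a restore actually been tested? The following audit is an added example and is not part of the original post or any insurer's audit tooling. It runs over a constructed backup inventory; the record fields and the thresholds (24 hours since the last backup, a restore test within 90 days, two separate storage locations, one offline copy) are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data): one record per backup copy.
# "offline" marks a copy that cannot be reached or modified from the production
# network (tape, immutable object storage, disconnected media).
SAMPLE_BACKUPS = [
    {"system": "file-server", "location": "onsite-nas", "offline": False,
     "completed": "2021-07-10T02:00:00+00:00", "restore_tested": "2021-06-15"},
    {"system": "file-server", "location": "cloud-immutable", "offline": True,
     "completed": "2021-07-10T03:00:00+00:00", "restore_tested": "2021-06-15"},
    {"system": "erp-db", "location": "onsite-nas", "offline": False,
     "completed": "2021-07-02T02:00:00+00:00", "restore_tested": "2021-01-10"},
    {"system": "mail", "location": "onsite-nas", "offline": False,
     "completed": "2021-07-10T02:30:00+00:00", "restore_tested": None},
]

# Fixed "current time" so the sample audit is reproducible (assumed value).
AS_OF = datetime(2021, 7, 10, 12, 0, tzinfo=timezone.utc)


def audit_backups(backups, now=AS_OF, max_age_hours=24,
                  max_restore_test_days=90, min_copies=2):
    """Return {system: [findings]}; an empty list means the control is satisfied."""
    by_system = {}
    for record in backups:
        by_system.setdefault(record["system"], []).append(record)

    findings = {}
    for system, copies in sorted(by_system.items()):
        issues = []

        # 1. Recency: the newest copy must be within the allowed age.
        latest = max(datetime.fromisoformat(c["completed"]) for c in copies)
        if now - latest > timedelta(hours=max_age_hours):
            issues.append(f"latest backup is {(now - latest).days} days old")

        # 2. Redundancy: copies must live in at least min_copies distinct locations.
        locations = {c["location"] for c in copies}
        if len(locations) < min_copies:
            issues.append(f"only {len(locations)} location; need at least {min_copies}")

        # 3. Isolation: at least one copy must be offline/immutable.
        if not any(c["offline"] for c in copies):
            issues.append("no offline/immutable copy (online backups can be encrypted too)")

        # 4. Restorability: a restore must have been tested recently.
        tests = [datetime.strptime(c["restore_tested"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
                 for c in copies if c["restore_tested"]]
        if not tests or now - max(tests) > timedelta(days=max_restore_test_days):
            issues.append(f"no restore test within the last {max_restore_test_days} days")

        findings[system] = issues
    return findings


def passes_audit(findings):
    """True only when every system has zero findings."""
    return all(not issues for issues in findings.values())


if __name__ == "__main__":
    result = audit_backups(SAMPLE_BACKUPS)
    for system, issues in result.items():
        status = "OK" if not issues else "FAIL"
        print(f"{system}: {status}")
        for issue in issues:
            print(f"  - {issue}")
    print("overall:", "pass" if passes_audit(result) else "fail")
```

In the sample data only the file server satisfies all four checks; the ERP database fails every one, and the mail system has a fresh backup but no second location, no offline copy and no restore test. A stale or untested backup is exactly the situation that pushed Lake City toward paying, so the restore-test check is the one most worth keeping even if the thresholds are tuned.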
Although no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransomware demands against the risk of operational disruptions that could last weeks or months and cost far more, as well as the impact on their customers, reputation, and business continuity. Insurers should not make the decisions about whether to pay extortionists; the insurance buyer always makes the final call. If an insured declines to pay, the insurer supports it up to the limits of the policy.
Although ransomware insurance has come under some criticism for paying ransom demands and encouraging hackers, ransomware insurance vendors can help to educate policy holders and encourage good practices against the vulnerabilities that ransomware exploits.