Cyber Insurance is Supporting the Fight Against Ransomware
As the cyber insurance market continues to grow, it’s only natural to discuss its role in the battle against ransomware, which has been a prevalent topic in recent months, and other cyber-attacks.
Most discussions highlight its value as a risk mitigation tool and its ability to respond to fast-evolving cyber threats, including ransomware.
But some opposing viewpoints have emerged in the media in regard to ransomware, including a recent critique arguing that cyber insurance has served as an incentive for cyber extortion attacks.
This argument does not hold up. The truth is that ransomware attacks against businesses occur for one reason only: criminals are succeeding.
Far from being part of the problem, cyber insurance can be a valuable tool in the fight against ransomware and other cyber threats. Fulfilling its traditional role, cyber insurance pools insureds that are similarly at risk and spreads their potential losses.
And those who have criticized it have gotten some important facts wrong:
- Ransomware victims are rarely “targeted.” More often, attackers target a specific but widespread vulnerability that will distribute ransomware to the maximum number of potential victims.
- Insurance hardly creates an incentive for extortionists. Ransomware demands usually top out at five figures and for many businesses, that cost is a nuisance.
- Although no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransomware demands against the risk of operational disruptions that could last weeks or months and cost far more, as well as impact on customers, reputation, and business continuity.
- Insurers do not make decisions about whether to pay extortionists — the insurance buyer always makes the final call. If an insured declines to pay, the insurer supports it, paying network recovery costs and reimbursing it for income lost as a result of the attack.
Beyond its specific purpose in thwarting ransomware attacks, cyber insurance is valuable for other reasons. The insurance underwriting process raises awareness of cyber threats, identifies how companies should be responding, and educates insureds.
After an attack, cyber insurance serves as a mechanism for convening the right team of experts, including legal counsel and computer forensic analysts, to assess the incident and recommend a response in a timely fashion.
So what do the critics get right? Cyber insurance pays claims. For more than a decade, cyber insurance policies have reliably paid claims for ransomware, network interruptions, data breaches, and related liability. Leading insurers handle thousands of claims a year, and US carriers paid cyber claims totaling an estimated $394 million in 2018.
Cyber insurance is a valuable component in a larger risk management strategy, which includes technology as well as training, education, and testing. To combat ransomware, companies still need to teach employees how to recognize threats, patch regularly, limit user privileges, and establish sufficient cyber hygiene to avoid being an easy target.
Companies are fighting hackers on an unbalanced playing field, where defense is much harder than offense, and cyber insurance has proven to be a valuable partner in that fight.