Insurance company Chubb, which was recently acquired by its larger rival ACE has announced that its Global Cyber Risk Practice has launched a service to assist policyholders with ransomware attacks. The service will use a selected group of security specialists who will work with affected policyholders to assess how real the risk is, what can be done to recover data without paying out and help to minimise the impact of an attack.
According to a statement in the press release by Toby Merrill, Division Senior Vice President and Global Cyber Risk Practice Leader: “Similar to data breaches, many businesses are not equipped to deal with a cyber extortion attempt, where the timeliness of the response is even more critical. If not handled properly, recently publicized cases show that ransomware can be just as damaging as data breaches to a company’s reputation and balance sheet.
“The introduction of our ransomware service underscores Chubb’s commitment to helping businesses face the increasingly complex nature of cyber risk. Cyber exposures have no boundaries, and Chubb is one of the few insurers capable of quickly delivering truly global solutions to all organizations, regardless of size, industry or location.”
While this is a move that many businesses will welcome there are some questions. There is very little information from security companies as to successful solutions to ransomware so what exactly is this policy really offering? The most likely solution to an attack will be to examine corporate backups to see how much data can be recovered as a mitigation process. That still leaves the risk of some loss of data but the issue there will be how much of that data loss and eventual payment will be met by Chubb?
One possible outcome of this is that Chubb may be setting itself up to do a better job than the vast majority of other cyber risk policies in the market. Few policies start with a thorough assessment of the security, data protection, business continuity and data protection policies used by a business. As such, when companies come to claim it leaves a lot of ways for insurance claims to be denied or reduced. If the outcome here really is Chubb getting much more involved in helping its customers that can only be good news for customers and Chubb.
The growing threat from all forms of malware is a serious concern. This move from Chubb, which needs a lot of clarity in terms of how it works and what a company must do to utilise the service, is something to be welcomed. Without more clarity this has the risk of offering people a false hope that an attack can be successfully mitigated.