Researchers at security company WatchGuard have warned that cyber insurance risks fuelling an increase in ransomware. The researchers highlight mandatory breach disclosure as one of the drivers for increased cyber insurance. Companies are increasingly aware of the damage a breach notification can do to their business. As such, they are rightly taking out cyber insurance policies. Those policies not only offer recompense when an incident occurs but also offer to pay for the recovery of data.
According to Corey Nachreiner, CTO at WatchGuard Technologies: “We find it concerning that insurers sometimes pay ransoms to recover their customers’ data. While we understand the business decision, insurers currently have no long-term actuarial data for cyber incidents and ransomware. It is possible that paying ransoms will encourage this criminal business model and increase the number of incidents insurers have to handle or the cost of ransoms.”
What’s wrong with insurers paying out?
Insurers have long provided cover for the recovery of goods and people. Kidnap and ransom policies are commonplace and cover kidnap, extortion, wrongful detention and hijacking. Some insurers even have their own teams or use specialist, often ex-military, contractors to do the recovery before they pay. There is no evidence that K&R insurance has led to any real increase in incidents.
WatchGuard is taking a different view when those services are extended to ransomware. They believe that savvy cybercriminals will seek to exploit those companies with cyber insurance. They will become priority targets as the cybercriminals will be sure of a payday.
Very few cyber insurance policies require an organisation to be audited before the policy is agreed. ET looked at 7 different cyber insurance policies. There was no need to provide any list of security software or policies in force. Nor was there a process that would have led to agents for the insurance companies vetting IT security. This means that there is a significant risk of smaller organisations relying on cyber insurance rather than tightening their security.
The question that this raises is “will insurance companies tighten up their policy requirements?”
Nachreiner continued: “We expect SMBs to continue to adopt extortion insurance in 2018 but cyber insurance should not replace security controls and best practices. We predict that insurance providers will start to implement guidelines that require companies to have strong security controls in place as a prerequisite. When combined with other layers of security, cyber insurance is a great addition to your cyber security strategy.”
What does this mean?
Businesses are required to hold a number of different types of insurance by law. Adding cyber insurance cover makes sense given how dependent businesses are on technology. SMEs are in a cost crunch. They cannot afford to compete for good quality cybersecurity staff. Many struggle to recruit and retain skilled IT staff. This means that their cybersecurity stance poses a limited challenge for experienced hackers.
With GDPR on the way and greater breach disclosure requirements across all businesses, many know they need a solution. Paying for a cyber insurance policy makes sense. One of the drivers for SMEs moving to the cloud is to get someone else to do their cybersecurity. Paying an insurance company to recover both their data and their reputation also makes sense. After all, why pay £30K plus for an internal IT security person when a smaller payment to the insurer will make the whole thing go away?
The problem here is that neither moving to the cloud nor buying cyber insurance relieves a company of its legal duty. It will be interesting to see if an increase in pay-outs occurs during 2018 and how the insurance industry, especially post GDPR, responds.