When you think of business insurance, you think about insuring against the typical things: theft, floods, fire, etc. What about insuring your data against theft? What about insuring your business against cyber attacks?
Wikipedia defines cyber insurance as something “used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies.”
The pros for having cyber insurance speak for themselves. If you should suffer a loss of data through no fault of your own, the insurance is there to aid you in the data recovery process. There is also a potential con. CBC news reports that the insurance that is meant to protect you, could also be something that has helped embolden cyber criminals.
One of the things some cyber insurance providers do is help with ransomware payments. The same CBC report mentions the town of Essex, ON and the quote they received for cyber insurance, which would cover, “legal costs, regulatory fees, IT assistance and a ransom payment of up to $1 million.” As a cyber criminal, knowing that organizations could get access to these funds further spurs on the ransomware activity. Theresa Payton, a former chief information officer in the George W. Bush White House, said in a telephone interview with the CBC that the quick payments have "created a very unhealthy growth pattern in these cyber criminal syndicates ... they're completely emboldened." She went even further to suggest that, "If the insurance companies would lock arms with the rest of us" and make efforts not to pay, "we could turn the tide."
There seems to be something missing here in the cyber insurance reporting. Are insurance companies looking at risk factors when they are providing insurance? In a previous blog, we wrote about Cyber Cope, which was developed by Chubb Insurance as a way to evaluate a businesses risk factors. A 2019 global survey carried out for Microsoft and insurance broker Marsh found that 47 per cent of businesses said they carry cyber crime insurance, up from 34 per cent in 2017. The CBC spoke with Coveware, a Connecticut-based firm that negotiates ransom payments and ensures data recovery, whose own stats indicate that in the fourth quarter of 2019, the average ransom payment cost $84,116 US — more than double the amount in the previous quarter ($41,179 US).
While having cyber insurance is useful, it seems that insurance alone cannot stop the problem of ransomware. Just as having home insurance cannot prevent break-ins. Indeed, if that were true, when I leave my house, I wouldn’t have to turn on the alarm systems and lock the door. Instead I would think, “I have insurance that can pay for new stuff. Come on in and take what you like!” The best ways to prevent ransomware are to invest in cyber security and to prepare yourself that should there be a “break-in” you don’t need to pay a ransom to get your data back.
Need help? Contact Uzado today.