Big changes to cyber security insurance mean organisations may need to rethink paying a ransom.
News has just emerged that insurance firms have slashed the amount of cover they provide to companies, over concerns about the sophistication, frequency and cost of cyber attacks, specifically ransomware attacks.
Ransomware is one of the most pressing cyber security issues facing organisations and has in recent years been used to target everything from medium-sized businesses to government offices. You’ve likely heard of the ransomware attacks on meat processing giant JBS and cyber insurance firm CNA, organisations that paid millions of dollars in bitcoin to ransomware gangs to decrypt their data and restore their systems.
Ransomware in particular is driving this change for two reasons. Firstly, ransomware attacks are extremely expensive for insurers to deal with. And secondly, the gangs that perpetrate them keep developing their tools and techniques, making the attacks more sophisticated and even more costly.
Typically, businesses approach their insurers for guidance and help when faced with the overwhelming impact of a cyber attack. In the past, an insurer would help get machines back online, help policyholders cover losses and minimise damage, and provide general guidance.
But now, insurers are cutting policy coverage, increasing premiums and even adopting a hostile approach to ransomware claims. This makes sense when you consider that attackers frequently check if their potential victims have policies that would make them likelier to pay a ransom.
An alleged member of ransomware gang REvil earlier this year stated that organisations with cyber insurance were "one of the tastiest morsels" for REvil operators. They also said that operatives like to hack insurers first, look through their customer list and then hit a desirable target with an attack.
Limits on the amount an organisation can claim have also been reduced, even halved, by many insurers. Lloyd's of London is even discouraging its syndicate members from accepting cyber policies next year, according to Reuters.
Insurers cutting policy coverage is likely to lead to more organisations refusing to pay ransoms, a change that would be in line with official advice. The FBI issued a public service announcement last year on how to handle ransom demands, advising against paying: it funds further criminal activity, and it gains you nothing if the attackers have already taken a copy of your data.
Cyber security specialist Jack Moore argues that insurance is “one of the driving factors behind this new phase of attacking companies”.
Paying ransoms, according to Moore, only fuels and intensifies the cycle, leading to more companies coming under attack. “Many organisations view such hefty payouts as part and parcel of daily business, but the effects are huge and only continuing to rise.”
In this sense, insurers cutting protections, while disadvantageous for organisations in the short term, may be helpful in the long term if it helps to curb ransom payments. On the other hand, some experts predict it will only lead to ransomware gangs demanding even more money.
Either way, as dealing with ransomware and cyber attacks in general becomes harder for organisations, it is even more important for them to pursue preventative measures.
Contingency plans, staff training and robust cyber security infrastructure may not entirely prevent an attack, but they can help you limit its duration, consequences and cost.