Zeguro, like all insurers, evaluates the security risk, make recommendations for changes, but also offers a security platform at a subscription fee. Gavirneni said that adopting the platform makes the company immediately insurable.
“The whole cyber insurance space is broken,” he claimed. “It’s still done the same way as any other lines of insurance, like home insurance or simple business insurance but the insurers don’t know much about cybersecurity. If there is a breach, they lack understanding of how the client can recover.” Gavirneni’s experience as a security analyst goes back 18 years. Zeguro is his first foray into the world of insurance.
Insured companies are attractive targets because payouts are guaranteed
But even if a company is insurable, there is no guarantee their losses are covered. Ransomware gangs may not return control, not return data or deliver a decryption tool that doesn’t work. Even as insurers negotiate ransoms, insured companies are attractive targets because payouts are guaranteed. Criminals will start to inflate their ransom and negotiate down to their desired amount.
But because the gangs cannot or will not guarantee to restore what they stole, some companies without cyber insurance may just bite the bullet and try to clean up the network without getting the data back or paying any ransom.
Matthew Rosenquist, CISO for CISO at eclipz.io Inc., considers the latter a good trend. “Ransomware is on the rise because cybercriminals are being rewarded, he reported on his Medium page in February. “The right path forward, to crush ransomware attacks, is better cybersecurity preparedness and a willingness to not pay.”
State-sponsored crime
Governments support this trend because cyberattacks are rarely local crimes. Some attackers are in Africa, India, or Southeast Asia. Many more are state-sponsored in North Korea, China, Russia, and Iran targeting US companies and organizations. The US State Department has warned paying ransoms to people in those countries is a violation of the sanctions and victims could face fines. Other Western countries don’t go that far but they do advise against paying ransoms. Gavirneni said their policy explicitly states that any ransomware demand from a sanctioned country is not covered and most insurance companies are following suit.
Even without ransomware coverage, cyber insurance is not a bad idea. Stolen data angering customers, theft of intellectual property, and malicious DDoS attacks are just as expensive and more likely to be covered. Companies looking to add cyber insurance to risk management practices should consider purchasing small amounts increasing over time. Right now, companies with at least $200 million in cyber insurance account for a fifth of the current market for about $1.1 billion in premiums. Five companies submitting maximum claims could wipe out an entire year’s premiums. That would likely take decades for insurers to earn back such losses, according to PCS. If more companies followed a minimalist approach, the insurance pool could grow without large outlays. That is good for both insurance companies and the insured.
As C-suites and boards of directors become more personally liable for data breaches that follow poor budgeting for security, the optimal course forward requires longer-term thinking mixed with near-term action. That means investing in independent security audits, adopting security technology, and training workers more effectively in secure practices.
“Thirty years of history have shown us that cyber risk is difficult to understand, problematic to hedge, only likely to grow, and characterized by a continually changing threat environment,” said Tom Johansmeyer. head of PCS, in a January article in the Harvard Business Review. “Tomorrow’s cyberattacks may not look much like today’s. For insurers to respond to this unique threat, they have to become comfortable allocating capital to the sector, and that comfort will vary over time until the industry’s body of knowledge becomes sufficient to treat cybersecurity like mature classes of business. Until then, companies will need to invest in protection while working with their insurers to increase the types and amounts of insurance available. As a buyer, there’s no substitute for having a plan.”
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
Pingback: Insurance industry using weak reasons to not pay - Cyber Protection Magazine