KIA&B September/October 2021 | Page 26

MANAGE & LEAD CYBER SECURITY

DOES CYBER INSURANCE MAKE RANSOMWARE WORSE?

By: Josh Motta
An increasing number of articles on the topic would have you believe so. It is a question we have long pondered as one of the larger cyber insurance providers in North America.
The WSJ recently published an article, "As Ransomware Proliferates, Insuring for It Becomes Costly and Questioned," highlighting a surge in the cost of cyber insurance amid mounting claims from ransomware and speculating that insurance payouts may only be encouraging more ransomware attacks.
A spokesperson for Tenable stated it plainly: "[T]he insurance company pays the ransom, the criminals make more money, so they make more ransomware, which leads to more insurance, which leads to more payment, and so we get into this vicious cycle."
Logical. Or is it?
WHAT CAUSES RANSOMWARE?

Ransomware is not just a type of malware; it is a criminal business model. The perpetrator seeks to profit by taking hostage a victim's data, infrastructure, economic output, intellectual property, or even privacy. It is extortion in its purest form, and it will not go away for as long as organizations allow valued assets to be taken hostage. Whether an organization purchases insurance has no bearing on the value of the underlying assets taken hostage. Nor, in most cases, are organizations targeted because they hold an insurance policy: that is not information an attacker has before an initial compromise.
Threat actors target organizations that have made poor technological choices, often systems exposed to the public internet, and it is those choices that make them targets. They are targets of opportunity. Phishing, internet-exposed remote network access, and unpatched internet-facing software and devices account for the vast majority of ransomware targeting and initial compromise. Unfortunately, there are more opportunities (i.e., vulnerable targets) than criminals to exploit them. As a result, most ransomware actors prioritize targets by size and financial resources, which serve as a proxy for the value of the assets taken hostage and for the victim's ability to pay. We have seen first-hand communication between threat actors in which an organization gets a "pass" because it is not large enough.
THE ROLE OF INSURANCE IN PAYING RANSOMS

Nearly all cyber insurance policies cover ransomware: not only the ransom itself but also digital forensics and incident response (DFIR) costs to handle the event, costs to restore and recover lost assets, and the resulting business interruption losses (i.e., lost income). No one wants to pay a ransom, certainly not the insurance company, and seldom the client. Both react with the hostility you would expect if their children had been kidnapped, and neither will agree to pay unless it is a last resort. Often the assets can be restored without paying. In those cases the insurance policy covers the other costs and the lost income, exactly as intended.
However, occasionally assets cannot be restored: no backups and no recourse. Pay the ransom or face existential ruin. It is the unenviable position some organizations find themselves in, and the majority of them do not have insurance. For those that do, there is coverage if the policyholder elects to pay. Because it is impossible ever to be 100% secure 100% of the time, insurance is