For any company, establishing sound cybersecurity architecture is an expensive venture. Building a professional IT department with a qualified staff is just one of the many expenses that must be taken into account. Upgrading a network with new devices, new software and new protocols is another. Add to all of this the retraining of all employees on how to use the upgraded, more secure network and you can understand why some companies are opting to invest in cyber insurance instead. Cyber insurance firms may require only a basic cybersecurity architecture for a company to qualify for a policy. Meeting those standards may simply be more cost-effective for many companies, and, in the end, you can’t blame a company for trying to make a profit.
Another problem with spending money on cyber security is that there is no guarantee that it will actually prevent a breach. Many large corporations have felt assured that they had good cybersecurity only to find that they did not. Breaches can occur even if the company has hired a third-party cybersecurity firm to secure its network. However, in this case, if a breach occurs, the company can sue the firm that was supposed to protect them. So, in order to protect themselves from such lawsuits, cybersecurity firms themselves will invest in cyber insurance.
It is possible that a company with cyber insurance may be lulled into complacency when it comes to their concern for cybersecurity. Could the same be said for cybersecurity firms? If a cybersecurity firm has cyber insurance, would they, too, be complacent about the cybersecurity of the firms they work for? Sure, most cybersecurity firms wouldn’t want to risk a lawsuit because it would ruin their reputations, but, at least, a lawsuit wouldn’t cause them to go bankrupt. That said, you could make a case for cyber insurance lowering the standards of cybersecurity protection across the board.
Of course, cyber insurance isn’t provided free of charge. The question will always come down to whether its cost is worth the investment. Costs of cyber insurance vary according to a number of factors. The main pricing factor comes down to how big a target the company has on its back. Companies that manage a lot of personal data and healthcare companies will have a bigger target than a firm that produces shoelaces. But, for the most part, small businesses will spend between $1,000 and $2,000 a year. Medium-sized and larger companies will spend a lot more, and the price increases with the number of endpoints that need to be secured. In fact, for companies that rely on workers accessing their networks through their own devices, good endpoint security may be the most cost-effective investment. It is also true that many large companies may use cyber insurance as a backup to add another layer to their cybersecurity architecture.
On the surface, these costs, for small businesses, at least, may seem attractive, especially when you add to this the fact that 62% of reported breaches compromise small to medium-sized businesses with a loss to small businesses averaging around $20,000.
It’s a different matter for large companies and organizations. Large companies normally have more endpoints and are vulnerable to a wider range of attacks, from DDoS attacks which can shut down online sales, to ransomware attacks that can endanger important files and databases. With the broadening risk landscape, cyber liability insurance companies see the costs for their services continuing to rise, as can be seen in the graph on worldwide premiums below.
In truth, both the buyer and seller of cyber insurance are hampered by ignorance. Neither really fully understands, or can be expected to understand, all of the ramifications of an all-out cyber attack. Most know that there are risks to the company directly, such as loss of data or money, and most know that there are risks from losses to third parties who may have been harmed by the attack, but the constantly changing threat landscape makes it impossible for buyers to really feel comfortable with the coverage they’re paying for. On the other hand, it is equally impossible for sellers to know whether they are really offering a comprehensive product. The possibility for misunderstanding between the two sides is high, and the chances for litigation even higher.
Another dilemma that sellers and buyers of cyber insurance are facing is a moral one. This has to do with ransomware which, according to AIG, is the number one cyber threat.
In short, cyber insurance firms will pay the ransom in the hope that the attackers will decrypt the firm’s encrypted files and shorten the time that the firm or organization is unable to operate. This predisposition towards quick ransom payments flies in the face of advice given by the F.B.I. They do not recommend paying a ransom, stating that,
“paying a ransom doesn’t guarantee an organization that it will get its data back—there have been cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
It’s the last point that I would like to focus on here. Billions are being made by these extortionists because ransomware is the easiest way for hackers to get a quick payoff. If cyber insurance companies guarantee ransom payments, they, in effect, guarantee an income for novice hackers around the globe. Not only that. They also fund more organized hacking groups, both independent and state-aligned. The reason ransomware has continued to evolve and become more sophisticated is largely due to its success and the increased income that it has generated. The increased income can be funneled into hiring more experienced hackers who can develop more advanced versions of ransomware. This ransomware, in turn, can be used to re-hack all those cyber-insured companies and organizations that were so ready to pay them the first time.
Rise in Ransomware Variants (From F-Secure)
According to F.B.I. statistics given by Rod Rosenstein in an address at the Cambridge Cyber Summit, 100,000 computers a day are being infected with ransomware and this number is steadily increasing. He also noted that, “today, we see more sophisticated and targeted attacks that focus on particular businesses or sectors.”
There is some good news to be found. A coordinated effort by governments and private firms has been able to decrypt many ransomware attacks, making it more difficult for amateur hackers to make money. (Comparitech now publishes a world map of daily ransomware attacks which may prove useful to some researchers.) The bad news is that more sophisticated, targeted attacks are expected to increase. Is this good or bad news for cyber insurance firms? Only time will tell.