Are Ransomware Attacks Becoming Uninsurable?

When you read about how many ransomware attacks have happened over the last few months, you start to wonder: is cyber insurance making things even worse? The situation appears to be a never-ending cycle: an organization hires a cyber insurance company, cyber-criminals perform their attack, the insurer pays the ransom, the organization renews its policy at a higher fee, and so on. But what is really happening? What exactly is the role of cyber insurance? Is it really making things worse?

What is a Ransomware Attack?  

Before we start answering those questions, it is worth explaining what a ransomware attack is. Ransomware is a type of malware that encrypts your information, databases, and/or applications and demands a ransom in exchange for restoring access. It is an illegal practice that can quickly bring your organization to a halt, causing extreme damage to your operations, reputation, and finances.

The perpetrators always ask for a large amount of money in exchange for restoring access, and give you a limited amount of time to pay. Almost no one wants to pay them; organizations prefer to work with their cybersecurity partners to look for ways to regain access to their systems and files. There are times, however, when there are no other options. We have seen organizations with no way of recovering the lost data or getting their systems back up and running. Others have been threatened with having sensitive information made public, so they had to sit down and negotiate with the criminals.

Just this year, we have seen many large organizations fall victim, putting the people of our country at risk and handing millions of dollars to the criminals.

What Is The Role of Cyber Insurance?  

As the attacks become more targeted and more serious (just last year, there were over 65,000 attacks in the US), more organizations are looking to strengthen their cybersecurity defenses. One way is to hire more talented and specialized personnel and add an extra layer of security by getting a cybersecurity insurance policy.

Cyber insurance is nothing other than a contract that you, as an organization, can purchase to help reduce the risks associated with the online world. It usually covers your business's liability for a data breach, including legal counseling and defense, a digital forensics team, incident response costs, costs to restore operations and recover lost assets, crisis communications, and even ransom amounts.

In other words, if your organization suffers a ransomware attack, cyber insurance will allow you to pay the criminals and regain access to your systems, while also receiving an amount for the costs associated with the incident.

This has generated a discussion about the responsibility of cyber insurance. Is it an incentive for more ransomware attacks? Or is it a great way of protecting an organization?  

Cyber Insurance: What Should Happen Now? 

You need to understand that when cyber criminals gain access to your systems, they will know whether you have an insurance policy and how much ransom it will cover. They are not going to ask for anything below what you can pay them. That is why these policies are drawing so much criticism.

While some people believe that there should be no ransomware insurance at all, we believe that not everything is black or white. Recently, French authorities started questioning the role of cyber insurance in the sudden growth of these attacks, a comment that was followed by the decision of AXA, a global insurer, that they would not continue reimbursing companies for ransomware payments to criminals.  

But is this really the solution? By eliminating this coverage, you are putting at risk every organization, especially the smaller ones. Anyone can fall victim, but not everyone has the means to recover from it. 

We believe that every insurance policy should come with a list of security best practices that organizations need to implement (such as Multi-Factor Authentication, security controls, identity and access management, and employee training) to improve their security posture and avoid the risks. Insurance companies should also share the lessons learned from other experiences as a way of helping their clients identify risks more easily and better protect themselves.

It is a matter of working as a team, where clients and insurance firms have the same goal: fighting cyber-crime.