
“The Great Fire of Ransomware”: Should The Insurance Industry Take a Lead In Improving Cybersecurity?

With ransomware and data exfiltration, we have two blunt weapons that few companies can cope with, let alone put a value on the full cost of an attack. Imagine if someone managed to get all the broadband records of every citizen in the UK, or, indeed, all of their emails and WhatsApp chats? With a conviction rate of less than 0.07% for a cyberattack, the rewards from ransomware attacks often vastly outweigh the risks involved.

With Travelex, we saw a company go from being worth billions to zero in a matter of a few months, with people losing their jobs. So, the cost of cyber? Who knows? Basically, it could be any figure you could reasonably imagine. The value of data is at the heart of this, along with the value of taking out systems, along with the value of your brand, … and so it goes on.

The FT reports [here] that, in April and May, premiums for cyber insurance jumped 27% from last year. It outlines that, in many areas of our lives, the insurance industry has actively invested in methods of reducing claims. The example they give relates to the Great Fire of London, where insurance companies invested in the creation of fire brigades to avoid high costs in the future. For the insurance companies, the investment in fire brigades would pay back, as claims were likely to be reduced.


Figure 1: https://www.ft.com/content/4f91c4e7-973b-4c1a-91c2-7742c3aa9922

While most cybersecurity risks have gone unnoticed by the insurance industry, the number of targeted attacks on a range of industries is increasing (Figure 2). While the finance sector often has good cybersecurity protection, we can see that health care and professional services can often be a key target. This may be due to the poor cybersecurity protection that they have, and also the value of the data they hold.

Figure 2: Sector analysis

The FT reports that some insurance companies are being more diligent in asking for information on cybersecurity protection. One insurer, Axa, took a stand that ransomware demands should not be paid, after which hackers identified that they had over 3TB of data related to Axa, which included highly sensitive information. There are no details on whether Axa actually paid the ransom.

The one thing that worries insurance companies is the all-or-nothing rise in claims: little is claimed in minor events, but an attack against an organisation could lead to an almost unlimited level of claim. The one great hope is that governments will start to make the payment of ransomware demands illegal, which may reduce the opportunities for cybercriminals to make money, but the fear is that payments would continue through underground methods.

So what can be done? Well, the endpoint of the ransomware attack is not the right focus, as this is just the last part of an attack. More work must be done on detecting possible threats at an earlier stage, and that involves an investment in log capture and analysis, and in better understanding the key risks that an organisation faces. Insurance companies must thus understand not only the endpoint damage but also the steps that lead to the endpoint. Just like with fire damage, we must invest in the resources to understand the risks of how a fire can start and how we can suppress it before we invest in cleaning up the damage caused by it.

Figure 3 [Link]

So, in conclusion:

A company should see cyber insurance as a fall-back, and not as a way to avoid investing in the education of its employees and customers. Insurers must understand the full cost of a cyber attack, and support investment in prevention rather than underwriting losses.

And while encryption is being used as a tool for damage, it should be the baseline for the protection of data in a company. It can protect against both ransomware and data exfiltration. Here’s a presentation of the good and evil of encryption:

