Businesses tend to think about insuring against typical things like theft, floods, and fire. Has your business ever considered insuring its data against theft? How about insuring your business against cyber attacks?
Wikipedia defines cyber insurance as something “used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies.”
The pros of having cyber insurance speak for themselves. If your business should suffer a loss of data through no fault of its own, the insurance is there to aid you in the data recovery process. This includes hiring consultants to help rebuild data and systems, and in some cases, helping with ransomware payments. That last benefit is also a potential con: CBC News reports that the insurance that is meant to protect you may also be encouraging cybercriminals.
Some cyber insurance providers do help with ransomware payments. The same CBC report mentions the town of Essex, ON and the quote they received for cyber insurance, which would cover “legal costs, regulatory fees, IT assistance and a ransom payment of up to $1 million.” For cybercriminals, knowing that organizations could get access to this type of payout further spurs ransomware activity. Theresa Payton, a former chief information officer in the George W. Bush White House, said in a telephone interview with the CBC that the quick payments have "created a very unhealthy growth pattern in these cybercriminal syndicates ... they're completely emboldened." She went even further to suggest that "If the insurance companies would lock arms with the rest of us" and make efforts not to pay, "we could turn the tide."
The statistics seem to bear this out. The CBC spoke with Coveware, a Connecticut-based firm that negotiates ransom payments and ensures data recovery, whose own stats indicate that in the fourth quarter of 2019, the average ransom payment cost $84,116 US — more than double the amount in the previous quarter ($41,179 US). As a result, cyber insurers have increased their rates. Insurance broker Marsh reported that rates in the U.S. went up by an average of 96% year over year during Q3 2021.
While having cyber insurance is useful, insurance alone cannot stop the problem of ransomware, just as having home insurance doesn’t prevent break-ins. You still need to turn on the alarm systems and lock the door when you leave home. The best ways to prevent ransomware are to invest in cybersecurity and to prepare yourself by backing up your data so that, should there be a “break-in,” you don’t need to pay a ransom to get your data back. Then get cyber insurance to help you with the clean-up and recovery costs.