Cybersecurity Insurance: A Cautionary Tale.
According to the latest statistics, a ransomware attack is likely to occur every 11 seconds, with catastrophic consequences for both organisations and broader society. With global cybercrime costs set to top US$10.5 trillion by 2025, and with cybersecurity insurance premiums rising while cover for ransomware attacks shrinks, what can organisations do to protect their systems, brand and bottom line when transferring the risk and the cost is no longer an option?
Ransomware attacks on the IT network are how cybercriminals gain the access they need to locate your OT and go after your critical platforms and systems. All it takes is for an employee to unknowingly click on a malicious or phishing link. During the San Francisco water supply attack, the hacker obtained the username and password of a former employee’s account. Within minutes, the bad guys have encrypted files and are holding them hostage. The fallout of such a breach can last weeks or months. Ireland’s health service ransomware attack in May continues to disrupt critical services for doctors, nurses and patients today.
If you’re hoping to call your insurance company in the scramble following a breach, think again. Historically this may have been a safe bet to ward off harm, but that’s now changing. Insurance providers have introduced more onerous requirements for obtaining a policy, and premiums are much higher. Besides these challenges, if your organisation falls victim to a breach, regardless of whether you hold insurance or not, you’ll face more scrutiny from the government and regulators regarding why and how your OT was vulnerable.
On top of everything else, did you know that simply having a cybersecurity insurance policy could make you an easy target?
The cybersecurity insurance dilemma.
It’s little surprise that ransomware attacks on organisations with cybersecurity insurance are on the rise. Hackers seek out organisations that hold a policy and identify their vulnerabilities within a few clicks. Insights from recent ransomware attacks show that organisations with cybersecurity insurance are viewed as prime targets because the cybercriminal is all but guaranteed a ransom payment. Being covered by a policy that includes a guaranteed ransom value means the bad guys will almost certainly be financially rewarded for their efforts and will keep coming back, creating a perpetual spate of cybercrime.
Speak to any cybersecurity or cybercrime expert and you’ll get an explicit recommendation against paying a ransom, as this only encourages more of the same behaviour. As they say, you don’t negotiate with terrorists, and the same goes here. Increasingly, nation-states and known international groups are behind the crimes, and insurance companies are flagging such attacks as terrorism or acts of war – all of which are generally not covered by cybersecurity policies.
Relying on insurance to pay your way out of an attack might help financially, but what about reputational damage, loss of sensitive data, revenue loss and the impact on customers? There’s no catch-all policy to manage the significant fallout.
Underwriting ransomware just got tougher.
Any organisation looking for cybersecurity insurance will come up against increased examination by underwriters. You’ll need to comprehensively demonstrate what you’re currently doing to protect your OT. Are you regularly testing staff against phishing attacks? What education programmes do you run for your employees, what security patches do you have in place, and how long would it take to roll them out in the event of an attack? Reviewing these questions and more is a good place to start for any cybersecurity planning process. If you get these basics right, you can protect your business and avoid hefty insurance premiums.
Mitigate the risks by preparing and planning.
What is clear is that you shouldn’t be choosing insurance over investment in cybersecurity planning, vulnerability management and prevention.
Attacks are preventable if you can secure your infrastructure. Protecting your OT infrastructure by ramping up protocols, practices and policies will safeguard you from a breach. This, coupled with top-down knowledge and awareness programmes for employees on the threats posed by malicious email attachments and phishing ploys, will provide an even stronger defence.