This week in cyber risk: Ransomware, of course

By Erin Ayers, Advisen

Aug 30, 2021 – As private and public sector stakeholders gather to fight ransomware, many are looking to the cyber insurance industry to help make the nation’s businesses more cyber-ready. It’s the industry’s big moment to do the thing … it’s already been working on for a while now.

Following a cyber summit on Aug. 25, Pres. Joe Biden issued a statement on the “ambitious initiatives” participants in the event agreed to launch. Google will invest $10 billion over the next five years to expand zero-trust security programs, while IBM will train 150,000 in cybersecurity skills, as well as partner with Historically Black Colleges and Universities (HBCU) to develop a more diverse cyber workforce. Microsoft pledged $20 billion to develop advanced security solutions and boost “security by design” in product development.

The insurance firms included in the event have their own pledges – Resilience will require cyber policyholders to demonstrate cybersecurity best practices as a condition of coverage, while Coalition will provide its cyber risk assessment and continuous monitoring platform free to any organization, per the White House. Travelers Insurance will be collaborating with the National Institute of Standards and Technology (NIST) on a new framework dedicated to improving technology supply chains.

READ: “Insurers at the table as Pres. Biden issues ‘call to action’ on cyber threats,” originally published in Cyber Front Page News on Aug 26.

I love this for the cyber insurance industry, obviously. Going forward, it would be ideal if the entire sector continued to come up with even more “greater good” initiatives to promote responsible cyber hygiene for businesses, despite not being at the White House. As the insurers involved in the event noted, the industry is uniquely positioned to encourage (or compel, given current market conditions and threat landscape) organizations to put those cyber-sprinklers and seat belts to work for them.

The insurance industry as a whole frequently gets a bad rap. In cyber, the public lament has shifted from “Cyber doesn’t pay claims!” to “Ugh, cyber keeps paying ransomware claims!” Indeed, even a recent survey of UK infosec professionals on “ransomware perceptions” revealed the majority opinion that ransomware payments should be illegal and that insurance payments can worsen the problem.

However, read a bit further in that study or, honestly, most reports on ransomware and the real issue becomes clear, and it’s usually several steps before a ransom is paid. Most cyber incidents, ransomware or otherwise, could be prevented with proper patching, better employee education, or otherwise securing the digital perimeter. That’s where the cyber insurance industry is going to retain its relevance and achieve its long-term value, by highlighting those necessary steps long before an event occurs.

An industry that has made its name on being a stickler for detail can 100% drive the needed changes going forward. No multi-factor authentication? No insurance policy for you! Didn’t back up your systems? Big ol’ ransomware sublimit until that’s fixed.

While the sting of hearing “no” from underwriters might seem minor, any organization scoffing at cybersecurity requirements can also take a lesson from the CEOs making headlines for their firms’ terrible security and lack of preparedness. Lack of insurance is one thing; long-term reputational and financial damage is another and the cyber risk sector needs to connect those two dots for its clients.

Yes, as we frequently hear, there’s no silver bullet to vanquish cybercriminals. However, there are absolutely essential tools, behaviors, and partnerships that look shinier and more promising than ever now.

Editor Erin Ayers can be reached at erin.ayers@zywave.com