Cyber insurance is not an exhaustive replacement for robust security capabilities, warns Niel Harper, founder and chairman of Octave Consulting Group, in a session at the Barbados Risk and Insurance Management (BRIM) conference.
Speaking at the ‘Risk, ransomware and cybersecurity’ session, Harper began by defining ransomware as malicious software (malware) that is designed to deny a user or organisation access to critical files on their computer system.
He explained that ransomware is so disruptive because of the extensive network of paid services it has spawned, such as access brokers, malware packing, phishing kits, hosting and infrastructure, anonymity and encryption, and hardware for sale.
In addition, distribution networks include social network spam, instant messaging spam, exploit kit development, spam email distribution, and traffic distribution systems.
Further contributing to widespread disruption, the monetisation of ransomware spans money mules, cashing services, money laundering, wire fraud, cryptocurrency services, reshipping fraud networks, and ransom payments and extortion.
More than 1,500 data leak site posts were observed in 2021, in which threat actors threatened to leak sensitive information if the victims did not pay the ransom.
The most targeted sectors are industrial and engineering (16 per cent), manufacturing (15.9 per cent) and technology (10.1 per cent).
Harper noted that organisations are not just subjected to ransom costs, but must also invest to rebuild their infrastructure, pay relevant fines to the regulator, and may even be liable in class action suits over the breached information.
Cyber insurance, therefore, can cover ancillary services — such as forensics and incident response, ransomware negotiation and payment, crisis management and public relations — as well as typical business interruption losses.
However, more insurers are explicitly excluding ransomware from renewed property and casualty policies, instead requiring insured parties to purchase ransomware coverage as a separate, specialised policy.
Harper added that the insured must be mindful to deliver accurate information to the insurer both during the underwriting process and during incident response. He also warned that insurers may have different priorities from the insured: for example, the insurer may want to negotiate or pay a cheaper ransom, while the insured will be focused on recovering business operations.
Describing ransomware as having “changed the game” of cyber insurance, Harper concluded the BRIM session by noting that cyber insurance is not a replacement for good security; companies still require effective capabilities in order to prevent more widespread compromise of their organisation.