Is Cyber Insurance Ethical?

When you work in IT and you’re at a dinner party and somebody asks, ‘What do you do?’ you can usually see the blood run from their face as they’re like, "Oh my God, why me? My one night out this week! Why did I ask?!" However, recently, I was invited to a dinner party with place names (a little over the top? Or strategic?) and I was placed next to an insurer. Naturally, the host knew that people in IT and insurance would get along like a house on fire. Or was it to keep the nerds down one end of the room? I’m not entirely sure.

Anyway, after he introduced his role and company to me, it was my turn to divulge what area of IT I was in. I mentioned the word cyber and before I could say security, he was telling me that there is cyber insurance that will "cover everything". Everything?! This was a bold claim and suddenly our end of the table became the noisy end. I instantly questioned his statement as to what level people are covered and he claimed as a cyber insurance broker that they pay out for all ransomware attacks - whatever value the ransom is. I was astonished! For all my time at the police I had it ingrained in my mind that crime doesn't pay and by fuelling cyber crime you are funding the bigger picture of international organised criminal gangs which will just increase the more they receive.

Due Diligence

So this took me to Google to not just research this claim but also to question his ethics as this was now starting to sound illegal. My research suggested that “Due diligence is required to ensure ransoms are not paid to ‘terrorist’ cyber attackers”. Pointing this out made him even more smug yet there was nothing I could do to suggest that they will never know the origin of the cyber attacker. So how can insurers pay a ransom when it could be going to a terrorist? His defence angle was vice versa suggesting that there is nothing to prove they are!

Ethically this is against everything I know, but who’s in the wrong here? The cyber insurers or the governing rules? What on earth are companies thinking when they are sold cyber insurance? Are they of the mindset that if the worst-case scenario occurs, their broker will just pay the ransom and get them out of the hole they are in? Well yes - that seems to be exactly what is happening. We have become accustomed to the fact that the cyber criminals are winning and the law is allowing it.

Cyber insurance is currently booming and many insurers are offering varying levels of protection to customers who (personally) seem in the dark about a lot when it comes to cyber security. We all know that scare tactics aren’t the best way to go about selling a product, yet increasing hacking stories in the media are certainly making CEOs a bit twitchy. Rightly so, C-suite staff should be raising their heads above their monitors when it comes to their infrastructure security, but is insurance better than prevention? Do they think insurance is prevention? Even forgetting ethics for a moment, paying a criminal to receive your data back could be just as catastrophic should malware be transmitted along with the backup – along with your premium increasing in the next year with your insurer.

Simply reducing the risk beforehand is a far better way to keep this threat from exploding within a company. This is easily achievable by training, anti-malware software and setting privilege rights correctly.

GDPR

And would the ICO ever know about this? Would these 'attacks' be churned through a government database of cyber stats? In a word, no. Essentially, ransomware locks you out of your house and just holds the key to ransom. Nothing is ever stolen, so it isn't a burglary for the cops to investigate.

So back to my new acquaintance at the dinner party, with whom I was now in a full-on debate, even with interjections from other professions around the table giving their two cents' worth. It seems very few people believe that prevention is the best option because people will always seek the easiest way out. Unless we force people to include prevention methods from the outset, people will inevitably fall back on reactive measures, which we have seen do not always work.

About me:

Jake Moore is a Cyber Security Specialist for ESET, Europe’s number one Internet Security and Antivirus company. He is also a well-respected industry expert when it comes to commenting in the media regularly in a range of tier one publications. He previously worked for Dorset Police spanning 14 years, primarily investigating computer crime in the Digital Forensics Unit on a range of offences from murders to missing people. Within law enforcement powers, he learnt how to retrieve digital evidence from all devices whilst learning all sorts of ways to ethically break security in order to help protect innocent victims of crime. He then became a cyber security consultant for the force, delivering tailored advice to the public and local businesses in order to help protect the community and build upon their security foundations.


Martine R.

Cyber Crime Investigator

5y

Oh and I can imagine his company will get sued following on from ICO investigations where the company gets fined because they don’t invest in their cyber security because their insurance will cover the “ransom”.

Maor Chester

Bringing civility and kindness to all the places that matter online | Customer Success | Generate Business Value from AI

5y

Great read. My only disagreement is with this sentence: "This is easily achievable by training, anti malware software and setting privilege rights correctly". If it were easy, you (and me!) would be out of a job. Protecting your network, and more importantly your vital business processes, is a daunting task that is constantly changing. It's nothing like installing a better lock, but more like maintaining a balanced diet every single day from now until eternity.

Nick Ellis

Director at Alan & Thomas Insurance Group, Brown & Brown UK Cyber Group Practice Leader

5y

It's a really good article, Jake. Prevention is always the best policy and getting your staff trained and up to spec, as well as your own firm's security, is by far the best way to be. Why spend that extra time and energy sorting out a problem if you can avoid the problem in the first place! Your discussion at dinner though was a little one dimensional, concerning and not completely accurate from an insurance perspective. Any amount of Ransomware cover is not just handed out without full checks being made on how the business secures its data and also, the amount covered is far from unlimited. Ransomware cover is very much a last resort and should always be treated that way. Cyber insurance however, is very much needed in another way altogether. It's required for the scenario where a hack does get through, when information is stolen, despite your best efforts and procedures to protect yourself from the attack occurring. We all know how quickly the format to theft changes and how systems have to adapt at a seemingly ever increasing rate. Cyber insurance is a whole package and pays for the Cyber forensic costs to strategically find out how and why the breach occurred. At £1,000 per day or maybe more, depending on the size of a firm, a business is not going to want this to come off their bottom line when it's that expensive. It also pays for the containment of bad publicity; brand protection specialists are brought in to protect the brand of the business and if affected, costs are also offered for the rebranding of the business if required. What if the individuals take you to court for their data that has been stolen and misused? This can potentially go into the millions on a single incident depending on the type and amount of data stolen. It could certainly bankrupt the majority of SME type business if no help was offered here.
A Cyber policy will also continue to indemnify your loss of profits if the business can't trade to its full potential after an attack, as far ahead as 12, 18, 24, 36 months into the future, to get you back to where you were before the event occurred. The list goes on including software and hardware damage etc, but my point is that Cyber insurance should never be sold as a brimming bank account, just waiting to pay thieves after they have locked you out of your systems. It can do that but also does so much more.

Chris Pallett FBCS CITP

MD @ Bespoke Computing Ltd | Chartered Technology Professional & Business Leader | Helping businesses use tech to 📈 and operate more efficiently with IT done better, faster and more effectively.

5y

I cannot understand why any underwriter would pay out on a policy where the claimant has failed to undertake preventative measures in the first instance. The loss adjusters will have a field day if they turn up to find a business has failed to take basic steps like decent a/v, backups et al. It would be interesting to see some statistics on what has actually been paid out via cyber insurance.
