clindell (CLINDELL)
I wonder, with all the changes in insurance, increases in costs, and the scrutiny to get it, with further limitations when you may actually need coverage, whether it is even worth getting coverage when most IT leaders agree to refuse to pay any ransom?
Are you confident enough in your systems' protections, processes and recovery that you can minimize losses and forgo the ransom that insurance coverage requires?
Cyber Insurance Yes/No?
- Yes
- No
- Self Insured
- Not renewing coverage
The insurance is not there to pay the ransom. The insurance is to help with the costs of remediation after an incident.
clindell (CLINDELL)
In some cases it may cover the ransom; it all depends on your coverage and what you're willing to pay for. If the carrier refuses because they feel you were deficient or negligent in your initial assessment and were not truthful, they don't pay? What if they don't agree to the costs to remediate and restore, then what, take them to court, and what does that cost? Have you reviewed any case studies on post-breach results and payouts?
But nowadays, insurance companies which are offering cyber insurance cover are offering a new deal with the fallout in the event of such crimes, and that is to pay the demanded ransom in cryptocurrencies such as Bitcoin or Monero to get back the files. According to a report published by ProPublica early this week, insurance companies are now preferring to fork out tens of thousands of dollars in ransom to minimize the detriment to the affected parties.
Don’t be so sure of that
That needs to be outlawed then. Cyber insurance paying criminals just increases the problem, as they know they are more likely to get money.
Exactly! There is so much to do, including confirming the breach, patching vulnerabilities, notifying employees, alerting authorities, telling customers in a timely manner, responding to customer concerns and so much more. Cyber insurance can help cover those costs associated with a cyberattack, such as public relations and forensics investigation.
For those looking into cyber insurance, we recently had a blog post and infographic, "[INFOGRAPHIC] Save on Cyber Insurance with LastPass" on The LastPass Blog, come out that you might find helpful.
I'm in agreement with those who recommend cyber insurance. As noted in our "Cyber Insurance Explained" 101 doc,
“Given the increase in cyberattacks, as well as the high cost associated with remediation, cyber insurance is a necessity for any digital business. One of the primary targets for hackers and cybercriminals is data, including PII, such as the names, addresses, social security numbers, bank account information, credit card numbers and other information that can be used to carry out fraud, advance secondary attacks or be sold on the dark web.”
Now, it's also good to note that insurance criteria have become stricter due to the increase in volume and severity of ransomware and other cyber-related events. The key to improving insurability lies in the organization's ability to demonstrate comprehensive security coverage (aka proving that they have made investments in their tech stack and strengthened IT hygiene).
Ethan6123 (Ethan6123)
A rep from our Cyber Insurance underwriter told me they will pay the ransom if the ransomware group has a history of restoring files after receiving payment.
I was shocked when I heard this, but I have no say in which company we use.
kenkvale (ken525)
The problem and answer are nuanced.
Assumptions: the attack includes egress of data and the threat of public disclosure, along with ransoming of files.
If your business is in a regulated industry and includes ePHI, PCI or PII/SPI data, then you have several issues/costs:
- Incident Response / Forensics:
  - how did the attacker get in,
  - what did they get access to,
  - what did they egress (hope you have good logs),
  - how do we know we have kicked them out of the system,
  - how do we prevent this from happening again (basically AFTER you have been impacted you will go about building the systems you should have had BEFORE the attack)
- Recovery of data and systems - restore from backup OR pay the ransom for recovery (this is typically not advised and in some cases illegal, but generally you pay a company to "restore" your business and they deal with the "how").
- Breach notifications and public relations
If your business is NOT regulated and you have none of the above data types, then you are mostly dealing with recovery:
- Loss of intellectual property (IP)
- Reputation damage
- Lost production
If you are not doing a good job at security, like measuring yourself against CIS 18 and ensuring you have adequate people, process and technology in place, it is a matter of time before you fall victim to ransomware or a hack. The insurance companies, to some limited extent, understand this risk and will charge a lot for not a lot of coverage, understanding that the payout is probable and the money taken in needs to be greater than the money paid out. So if your expected loss is $10M and the probability of that loss across 10 years is 100%, then your premium would have to be more than $1M per year or they are not making money.
You need to:
- build a risk model
- understand what a breach / ransomware event will cost your company
- determine the probability of this loss across 5 years
- use this to build a security budget and hire people or outsource to an MDR vendor
- get an insurance company that sends a team out to do an actual assessment of your security and charges you accordingly, OR Risk/Execs determine they will self-insure for that loss
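The premium arithmetic and the "insure or self-insure" decision above can be written down as a small risk model. The following is an added example, not code from the poster or from any insurer: it assumes a single loss scenario (one expected cost per event, one probability over a planning horizon) and simplified policy terms (a flat annual premium, a deductible, and a coverage limit), all of which are constructed figures. The `POST_SCENARIO` constant reproduces the post's $10M loss with a 100% chance over 10 years.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """One breach/ransomware loss scenario (all money in the same currency)."""
    loss_per_event: float   # expected all-in cost of one event (IR/forensics, recovery, notification, PR, lost production)
    probability: float      # probability of at least one such event over the horizon
    horizon_years: int      # planning horizon, e.g. the 5 years the post suggests


@dataclass(frozen=True)
class Policy:
    """Assumed (simplified) cyber policy terms: flat annual premium, deductible, and coverage limit."""
    annual_premium: float
    deductible: float
    limit: float


def annualized_loss_expectancy(s: LossScenario) -> float:
    """Expected loss per year: the loss, weighted by its probability, spread over the horizon."""
    return s.loss_per_event * s.probability / s.horizon_years


def break_even_premium(s: LossScenario) -> float:
    """Lowest annual premium at which an insurer covering the full loss would not lose money in expectation."""
    return annualized_loss_expectancy(s)


def covered_amount(loss: float, p: Policy) -> float:
    """Portion of one loss the policy pays: the part above the deductible, capped at the limit."""
    return min(max(loss - p.deductible, 0.0), p.limit)


def expected_cost_insured(s: LossScenario, p: Policy) -> float:
    """Expected spend over the horizon with the policy: premiums every year plus the uncovered share of the loss."""
    uncovered = s.loss_per_event - covered_amount(s.loss_per_event, p)
    return p.annual_premium * s.horizon_years + s.probability * uncovered


def expected_cost_self_insured(s: LossScenario) -> float:
    """Expected spend over the horizon with no policy: the loss weighted by its probability."""
    return s.probability * s.loss_per_event


def cheaper_option(s: LossScenario, p: Policy) -> str:
    """Option with the lower expected cost over the horizon. Expected value only: it says nothing about
    whether the company could survive the worst case uninsured, which is the risk-appetite question
    the execs still have to answer."""
    return "insure" if expected_cost_insured(s, p) < expected_cost_self_insured(s) else "self-insure"


# The post's figures: a $10M loss with a 100% probability over 10 years.
POST_SCENARIO = LossScenario(loss_per_event=10_000_000, probability=1.0, horizon_years=10)


if __name__ == "__main__":
    # Constructed 5-year scenario and constructed policy terms, purely for illustration.
    five_year = LossScenario(loss_per_event=4_000_000, probability=0.4, horizon_years=5)
    policy = Policy(annual_premium=150_000, deductible=100_000, limit=3_000_000)
    print(f"ALE on the post's figures: ${annualized_loss_expectancy(POST_SCENARIO):,.0f}/yr")
    print(f"break-even premium:        ${break_even_premium(POST_SCENARIO):,.0f}/yr")
    print(f"5-year scenario: insured ${expected_cost_insured(five_year, policy):,.0f} "
          f"vs self-insured ${expected_cost_self_insured(five_year):,.0f} -> {cheaper_option(five_year, policy)}")
```

Run as a script it prints the $1M/year break-even premium from the post and then compares the two options for the constructed 5-year scenario. The useful part for budgeting is that the inputs are exactly the things the post says you need to produce (cost per event, probability over the horizon, and the policy's deductible and limit), so the model forces those numbers to be written down before the insure/self-insure call is made.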
Yes, in many cases cyber insurance is about recovery, not necessarily about the ransom, but there are special cases for sure. I believe the help with recovery makes it worth it for many organizations. We have a guide on cyber insurance and its usefulness if you're looking for information.
@Nutanix