Two new articles from opposite ends of the spectrum – the muckraking journalist group ProPublica and the academic publication IEEE Security & Privacy – present evidence that insurance industry practices encourage payment of ransomware and don’t incentivize good cybersecurity.
In The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks, ProPublica covers in particular the experience of city governments, citing Lakeland, Florida’s decision to pay $460,000 in ransom, an amount covered by its insurance policy with a $10,000 deductible—even though its IT staff was attempting to restore backup files at the time. The insurer, according to ProPublica, argued that a prolonged recovery would exceed the $10 million coverage limit. “Our insurance company made [the decision] for us,” ProPublica quotes a city official as saying.
ProPublica says this is a common situation: insurance companies prefer to pay the ransom rather than risk potentially higher recovery and remediation costs, perhaps a sound short-term business decision but one that fuels more ransomware attacks. Attackers are actually using public information sources to look for organizations that carry cyber insurance, the article says.
Meanwhile, ProPublica argues that “cyber policies have been more profitable for insurers than other lines of insurance”, with a loss ratio of 35% vs. 62% across all property and casualty lines, and well-publicized cyber incidents have driven a high growth rate in sales. “The attacks are good for business,” the article concludes. In their defense, insurance industry spokespersons told ProPublica that it’s the client’s decision to pay ransom, as well as to maintain cyber defenses – the insurer’s job is to help clients get back in business after a loss event.
In Does Insurance Have a Future in Governing Cybersecurity?, a paper forthcoming in the IEEE Security & Privacy journal (hat tip to security blogger Bruce Schneier for finding it), computer scientists Daniel W. Woods of Oxford University and Tyler Moore of the University of Tulsa consider the premise that, in effect, the situation described in the ProPublica article should eventually be fixed by market forces, with insurers enforcing better security on the insured.
It isn’t happening yet, the researchers conclude, based on their own interviews with industry players as well as the findings of other studies. Insurers “rarely include basic security procedures in contracts and offer discounts that only offer a marginal incentive to invest in security. However, the cost of external response services is covered [in policies], which suggests insurers believe ex-post responses to be more effective than ex-ante mitigation.” Competitive pressures to sell policies drive this “race-to-the-bottom in risk assessment standards and prevent insurers including security procedures in contracts.”
Here’s an answer to the downward spiral described by the journalists and academics: take a quantitative approach to cybersecurity risk generally and cyber insurance specifically. With the FAIR model for quantifying risk in financial terms, public and private organizations can identify their critical assets from a dollar-value point of view, their likely threat actors and probability of attack, and analyze where and how much to spend on controls or on insurance to deal with a range of probable risk scenarios – ultimately, putting cyber insurance on a sustainable path for both the insurers and the insured.
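As an added illustration of that quantitative approach (example code written for this post, not from ProPublica, the IEEE paper or the FAIR Institute), the script below runs a FAIR-style Monte Carlo for a ransomware scenario: annualized loss expectancy is built from loss event frequency (Poisson) and per-event loss magnitude (triangular), then compared across doing nothing, buying a control that halves event frequency, and insuring. Only the $460,000 ransom, $10,000 deductible and $10 million limit come from the Lakeland case; the event rates, loss range, control cost and premium are assumed values, and changing them changes which option wins, which is the point of running the numbers.

```python
import math
import random
from statistics import mean

# Figures quoted in the ProPublica account of the Lakeland case
RANSOM = 460_000
DEDUCTIBLE = 10_000
COVERAGE_LIMIT = 10_000_000


def poisson(rng, lam):
    """Draw a Poisson count (Knuth's method); adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def retained_loss(loss, deductible=DEDUCTIBLE, limit=COVERAGE_LIMIT):
    """Share of one loss event the insured still bears: the deductible plus anything above the limit."""
    return min(loss, deductible) + max(0, loss - limit)


def simulate_ale(event_rate, loss_low, loss_mode, loss_high, insured=False,
                 trials=20_000, seed=7):
    """Annualized loss expectancy = loss event frequency x loss magnitude, the two
    top-level FAIR factors. Returns the mean simulated annual loss (retained loss if insured)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, event_rate)):
            loss = rng.triangular(loss_low, loss_high, loss_mode)
            total += retained_loss(loss) if insured else loss
        annual.append(total)
    return mean(annual)


def compare_treatments(base_rate=0.3, control_rate=0.15, control_cost=60_000,
                       premium=120_000, loss_low=100_000, loss_mode=RANSOM, loss_high=2_000_000):
    """Expected annual cost of three options. All rates, costs and the premium are assumptions;
    the 'control' case assumes e.g. tested offline backups halve the event frequency."""
    do_nothing = simulate_ale(base_rate, loss_low, loss_mode, loss_high)
    with_control = simulate_ale(control_rate, loss_low, loss_mode, loss_high) + control_cost
    with_insurance = simulate_ale(base_rate, loss_low, loss_mode, loss_high, insured=True) + premium
    return {"do_nothing": do_nothing, "control": with_control, "insurance": with_insurance}


if __name__ == "__main__":
    for option, cost in compare_treatments().items():
        print(f"{option:>10}: expected annual cost ${cost:,.0f}")
```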