back to article Have you heard about ransomware? Now's the time to ask: Are you covered?

Every industry has its collection of shocking stories, but Britain's cyber-insurance sector can always be relied on to top the lot. Take the unnamed British medium-sized enterprise that recently found itself staring at a ludicrous £1m ransom demand after attackers sneaked off with some very important data. This was a straight …

  1. K

    I've been asked to investigate the potential of Cyber Insurance at least half a dozen times over the past 7-8 year, at the various companies I've worked at - None of them ended up purchasing. There are several reasons for this

    - There is no clear info about what your getting.. Just marketing spiel hyping up the dangers (At least with car insurance its clearly mapped out)

    - The costs are not clearly laid out. When discussing with the broker, you almost see the plumber caricature, rubbing his chin and saying "hmmm.. that's gonna cost ya.."

    In all, it was just vague and didn't inspire confidence that the policies would be useful when the sh*t hits the fan...

    In addition, getting indicative costs an details is too consuming, most companies have a very short attention span. By making this so opaque, they are driving potential customers away.

    1. 0laf

      The small amount of investigation I have done led me to believe that insurance would only pay out if you had done your due diligence and basic protective measures to the extent that you would probably be in a position to recover from the incident reasonably well meaning insurance was not economical.

      I could see insurance for specific services such as foreskin investigation or other recovery services being more useful than a catch all payment for an incident.

      1. Anonymous Coward
        Anonymous Coward

        New terminology for me...

        ... but I'm guessing it's a process to determine which bellends are responsible for a cockup.

        1. Anonymous Coward
          Anonymous Coward

          Re: New terminology for me...

          A friend of mine works for a Lloyds Underwriter. Mostly Professional Indemnity, but now more of this stuff.

          She has a very large house and a nice car.

          Just saying....

          1. 0laf
            Paris Hilton

            Re: New terminology for me...

            I see my predictive text was set to "Epic fail / Freudian slip" mode with a misspelling of "forensic" being changed to something more anatomical.

            Coupled with an inherent slapdash attitude to QA (a job on the Daily Mail awaits) resulted in the above substitution.

            If you are offended by my error I must proffer my complete and utter apathy to you, I really truly and deeply don't care. Thank you.

            1. Destroy All Monsters Silver badge

              Re: New terminology for me...

              If you are offended by my error I must proffer my complete and utter apathy to you, I really truly and deeply don't care. Thank you.

              Ah, I sensed some disturbance in the Safe Space.

              "This statement is abhorrent, repugnant and inconsistent with our values. This is not who we are."

      2. bombastic bob Silver badge

        I have to wonder...

        I have to wonder whether the 'insurance' will PAY THE RANSOM and _NOT_ prosecute to the full extent of the law. This has been the case in the past, with car insurance in the USA, where "at fault" drivers were sued for various extortion-level "pain and suffering" claims [like in Cali-Fornicate-You, where "at fault" insurance still exists], and insurance companies "just settle" and have various terms in the policies that try and limit customers from using the legal system for that purpose, etc.. example, you may NOT be able to sue in small claims court for your 'deductible' amount, without having your insurer take legal action against you.

        And of course, this kind of "policy" by the industry would only ENCOURAGE the 'fender bender' scams. In some cases, people have been known to deliberately walk out into traffic and "get hit" [or fake it really well] to scam insurance companies. (A lot of this was happening in the Monterey area a while back).

        Anyway, my biggest concerns here are that "the insurers" will PAY OUT MONEY to scammers, hence making it lucrative for the scammers, while simultaneously making THE INSURED pay for it, even if it's indirectly.

        I'd rather take the chance on the ransomware instead, practice "safe surfing", and do frequent backups and offline storage of anything important.

    2. This post has been deleted by its author

    3. Aodhhan

      This is why INFOSEC people shouldn't work directly with insurance companies.

      This is something which should be handled by the legal department and the chief of risk management.

      With the CISO providing input and technical advice.

      An insurance company is still at heart a business. It's going to get away with and profit from anything no matter what. So if you let them get away with being vague, it's on you. Don't expect an insurance company to be light hearted and friendly... no matter how heart wrenching their commercials are.

      Everything is risk management and cost benefit throughout the company and the insurance underwriter.

      As an InfoSec professional, you need to understand your limitations.

      Also, your wrong about small companies having short attention spans. I guess we know you've never been an executive or even a manager at one.

  2. Miss Config

    Insure AFTER Checking Security ?

    Surely the obvious question here is to what extent cyber insurers actually check the vulnerabilities of their customers ?

    If I sold such insurance I'd make sure the customer had, at least, all the usual suspects in terms of anti-virus software and so on. And if I had to install such software personally at least then I could feel reasonably sure that I would not end up actually paying out a ransom equivalent.

    1. Herring`

      Re: Insure AFTER Checking Security ?

      This was my thought.

      If you're insuring something like motor or life, you've got a vast statistical base on which to calculate an actual cost-of-risk. With something like this, well it's very difficult to quantify. Even if the insurer does a security audit on a customer then they're auditing against known risks - not the one that hits everyone 6 months later.

      For the insurers, the temptation would be to write lots of conditions into the policy. The risk there is a few high profile cases of insurance not paying out (because a company didn't stick to the letter of the policy) would reduce the credibility of the whole sector.

      1. Miss Config

        Re: Insure AFTER Checking Security ?

        they're auditing against known risks

        yes but the question is which particular customers were not even protecting against THOSE risks in the first place ?

        1. Paul Crawford Silver badge

          Re: Insure AFTER Checking Security ?

          <= This

          There is a tendency to look at the high-profile and possibly state-sponsored attacks and thing of the Dr Moriarty of cyber crime. But it seems many of the successful attacks come down to no planning: no procedure for folk to follow/report blunders with email, not patching machines, not having any form of internal controls/network segregation, and not having frequent tested backups to recover from.

          1. Miss Config

            Re: Insure AFTER Checking Security ?

            and probably the most important procedure of all : BACKUPS

            Any organisation that actually does their overnight backups properly every night can tell, in particular, any ransomware black hats to go whistle.

            1. Peter2 Silver badge

              Re: Insure AFTER Checking Security ?

              and probably the most important procedure of all : BACKUPS

              Any organisation that actually does their overnight backups properly every night can tell, in particular, any ransomware black hats to go whistle.

              If they've done offline backups, yep. If they have done online backups which have just backed up the randomwared files without any form of reversion, then they are still fucked.

        2. Herring`

          Re: Insure AFTER Checking Security ?

          What I was thinking of was, well a case from many years back. A re-insurer had been taken over by a large European company. Shortly after that, a bunch of things happened where the particular re-insurer had significant exposure to them. The company that had advised on the acquisition had said that the re-insurer was worth £50m but actually it turned out to be worth -£350m (or something).

          If you're underwriting ransomware insurance on, say, 20 companies and 10 of them get hit (as part of a global outbreak), you're in deep shit.

    2. Peter Clarke 1

      Re: Insure AFTER Checking Security ?

      This may link to an article a few months ago. Will the insurer insist of the customer using products/services from a security company they have a deal with?

    3. This post has been deleted by its author

    4. bombastic bob Silver badge

      Re: Insure AFTER Checking Security ?

      ack - like homeowner's insurance might require you to get some kind of inspection done, or life insurance might require a physical. This is _reasonable_ cost cutting on the insurance company side, which generally means more affordable rates for customers.

      But I can't help thinking of cyber insurance being similar to, let's say, a bunch of thugs smashing up your home or business, then "the mob boss" asking you if you want to buy an insurance policy, which is basically "ensuring we don't come along and smash your home/business up again".

      So it's still extortion, just on a different level. probably earns more money for the mob boss, too...

  3. Miss Config

    Will the insurer insist of the customer using products/services from a security company they have a deal with ?

    The important point is that the company DOES use proper security products and services.

    Whether they get charged too much for that is a secondary question.

    And by the way any company thinking of buying this insurance should INSTEAD hire an IT security firm to check they are doing everything properly in terms of IT security.

  4. Velv

    Perhaps it should really be called Cyber Assurance.

    Because let’s face it, it’s not a case of “if”, but “when” a company will have a cyber incident.

  5. GnuTzu

    Incident Response Services, Risk Assessment, And Bean Counters

    I've been to presentations with incidence response services that include monetary insurance, as well as forensics, public relations (damage control), and such. It was much food for thought.

    Consider that risk assessment is something too few companies do. They may have a sense of what their some of their data assets are, but way too few have actually assessed the risk or responded to it and identified all of the assets adequately.

    And, with too little emphasis on risk assessment, you can easily find infosec zealots, that while well meaning, often flap their jaw about what tech is needed for infosec without understanding cost-benefit trade offs. But, such trade offs can only be evaluated with a proper risk assessment. I've seen too many IT teams struggle with the bean counters in getting tech because they didn't understand this.

    Then consider that the insurance industry is the founder of formalized risk underwriting, with a much richer history and contribution to our modern market and concept of money than most be are aware. So, the prediction that I've been trying to sell is this: when this history becomes better understood in the infosec industry, security standards will start to get fleshed out at a much better level than they are now, and insurance companies will then be able to rate your company accordingly. That means that the bean counters will be able to set an infosec budget based on market standards measured not just in terms of risk assessment but how much insurance, in terms of money, a company can get for what price. And, that's a free-market viewpoint that I think should work for everyone--conservatives, centrists, and liberals.

  6. CheesyTheClown

    Sure... why simply protect yourself?

    Ransomware is for people who can’t turn on Windows Backup/Restore or Apple Time Machine.

    How bloody hard is it to simply enable automatic recovery options in the OS? If your company is ever hit by ransomware, it’s because your IT staff or firm is incompetent.

    In Windows, it’s a single group policy setting.

    On Mac, if you haven’t read “Mac for enterprise” documentation and learned how to onboard a Mac for management, you’re a fool. It’s just like group policy.

    These are not advanced features. These are sys admin 101 things.

    1. Peter2 Silver badge

      Re: Sure... why simply protect yourself?

      Yep. I think many people have never encountered the Tao of Backup.

      Yes, it's 21 years old. Yes, that might be older than you, if your a new entrant to the profession. Yes, it's still relevant. Refer to the wailing wall at the end for tales of woe. Learning from other peoples mistakes and not your own can be quite handy.

  7. Miss Config

    Backup, Backup, Backup

    You do not need Asian wisdom to know the importance of backups.

    Just remember ( especially if you are American ) 911.

    Cantor Fitzgerald is a financial services firm that had its HQ in the WTC.

    When it was attacked on 911 600 of its staff were killed.

    The company is still in business. ( As it happens I pass one of its local offices in a bus several times a week. )

    The reason for its survival is summed up in one word : backups.

    The company were meticulous in doing them and dumping them to their London offices via satellite.

    The moral of the story is that it is impossible to exagerate the importance of backups.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like