The cost of cyber insurance increased 32 per cent last year and shows no signs of easing

The cost of insurance to protect businesses and organisations against the ever-increasing threat of cybercrimes has soared by a third in the last year, according to international insurance brokers Howden. It found that global cyber insurance pricing has increased by an average of 32 per cent in the year to June. Not only are …

  1. sanmigueelbeer Silver badge

    The cost of insurance to protect businesses and organisations against the ever-increasing threat of cybercrimes has soared by a third in the last year

    Gee whiz, Batman. I wonder why?

    The cost of the insurance still costs a tenth of the cost to stand up a fully-functional cyber (protection) team and/or a robust patching regime. At the end of the day it is a "win" to capitalism but a big "epic fail" to common sense.

    'Tis fun-and-games until somebody pokes an eye.

    1. Anonymous Coward

      > At around the same time, Paris-based insurance giant Axa said "non" to French companies looking to buy its cyber insurance amid concerns that paying out when trouble hits was contributing to the explosion in cybercrime.

      To those who already have an insurance contract it may be 1/10 the cost. Going forward it may be more difficult to get, and if it is available there is a higher risk of not having the insuree's claim paid while it is tied up in court (did the insuree follow the contract's security precaution obligations?).

    2. Neil Barnes Silver badge

      Quite. And it's insuring the wrong thing: a cash return is all very well in the event of some bastard munching your system, but what you really want is a return to the status quo ante... you need to come in the next morning and everything is back to normal, only with the back door fixed.

      Which, as others have pointed out, just ain't happening. And as the experts seem to agree that the only cure is a complete clean and restore (I wonder if that includes BIOS code too? It probably should), then a financial solution simply doesn't cut it.

      It's all very nice for the companies getting the cash in when they sell the policy, but not so good when they're paying out every other Thursday. Hmm... I wonder what my late grandfather (Riley on Consequential Loss) might have thought...

  2. EricB123

    There's a Policy for That

    Why do Western companies feel the need to insure against things like this when a tighter emphasis on security would prevent the desire (not need) for stupid insurance products like this in the first place? Well, of course we all know why... Some Excel spreadsheet told the suits it was cheaper to insure than fix the problem.

    How sad.

  3. mark l 2 Silver badge

    Do those who pay out to these ransomware hackers honestly think that these scumbags will delete the data they have stolen once they get the payout?

    There is no such thing as an honest criminal and it will come back to bite you in the arse later when they use that stolen data against you for further exploitation.

    1. Anonymous Coward

      You are 100% right, but that's hardly the point of the insurance.

      It's so that if everything has gone sideways and your systems are thoroughly fucked, you can point a finger bone at someone else's arse when you get called into the boss's office the next morning. And if it's not the firm's actual money, it's too tempting to be "we already paid for the insurance, it's time to cash in", where they are all too happy to demand the insurer pay the ransom even if they suspect it's a rip-off.

      The insurers need to force companies to keep some skin in the game, like only covering 80% of the negotiated ransom, or not paying ransoms at all and only offering remediation assistance.

  4. amanfromMars 1 Silver badge

    Cyber ....... the Gift that just keeps on Giving to Others on the Make and Take?

    Insuring against the uninsurable is tantamount to criminal support of a massive institutional fraud, is it not?

  5. Filippo Silver badge

    That's good news. Hopefully they'll rise high enough that actually addressing problems, rather than insuring against them, becomes the preferred solution.

    1. Pascal Monett Silver badge

      Agreed. Make the policy cost $100 million/year.

      Companies will look at that and have to admit that putting a few million into actually improving security is not that bad of an idea any more.

  6. Throatwarbler Mangrove Silver badge

    More victim-blaming

    While I agree that many, if not most, companies should have a greater focus on security, I think the following facts should be considered:

    1) Bulletproof security is, in fact, difficult. Retrofitting security to systems or environments which weren't designed for maximum security is even more difficult.

    2) Finding qualified staff and/or consultants to build a secure environment is both difficult and expensive. Good security people are in high demand, the more so because of the current elevated threat environment.

    3) The current threat environment is unprecedented. Most companies were able to live with relatively lax security for a long time because the perceived consequences were not as severe as now. Companies and people are still adjusting to the new reality.

    A lot of entities have been caught wrong-footed by the sudden spate of ransomware and don't immediately have the resources or the expertise to address the need for a more rigorous defensive posture. Dog-piling on the victims hardly seems warranted.

    1. DS999 Silver badge

      Re: More victim-blaming

      The problem with insurance is that it pays the extortionists. We need laws making that illegal. That will hurt some unprepared organizations that get hit in the meantime, but once the criminals are unable to make any money off ransomware, it will stop.

      1. Throatwarbler Mangrove Silver badge

        Re: More victim-blaming

        "but once the criminals are unable to make any money off ransomware, it will stop."

        One theory about the source of these ransomware attacks is that they come from state-sponsored actors, essentially making the ransomware scum the equivalent of privateers raiding maritime shipping. Seizing some or all of the cargo on a commercial ship was obviously ideal for the privateers, but sinking enemy shipping was also acceptable. What you're advising is the equivalent of demanding that a ship's captain refuse to strike colors and surrender to a privateer and instead allow his ship to be sunk. Either way, the adversary wins, but in the former case, at least the merchant ship can continue to sail while in the latter case both ship and cargo are lost. Which is better depends on your outlook; it might be better in the long term for the privateers to be denied their spoils, but it sure sucks for the crews of the sunk ships, and as long as a nation-state is willing to pay the privateers, they will continue to operate; the ransom just provides an additional (significant) incentive.

        1. DS999 Silver badge

          Re: More victim-blaming

          It is probably only state "sponsored" in that Russia's government looks the other way so long as they don't attack any friendly countries. It isn't state sponsored in the same way that attacks via APTs, like SolarWinds, are.

      2. Throatwarbler Mangrove Silver badge

        Re: More victim-blaming

        You know what . . . I've seen the light. In fact, I think merely making the payment of ransomware illegal and the jailing of corporate executives do not go far enough. In fact, we should summarily execute everyone who has ever worked for a company that paid ransomware. After all, just losing their jobs when the company goes under is clearly insufficiently punishing to the workers; we need sterner measures! I'm thinking something appropriately medieval like drawing and quartering or public gibbets.

        1. DS999 Silver badge

          Re: More victim-blaming

          I guess you would say that the US government should get rid of the law banning payment of ransom for US citizens kidnapped overseas. I'm sure that if that was done and kidnapping insurance could be purchased by every American international traveler for a reasonable cost that wouldn't increase the number of such kidnappings at all.

          1. Throatwarbler Mangrove Silver badge

            Re: More victim-blaming

            "I guess you would say that the US government should get rid of the law banning payment of ransom for US citizens kidnapped overseas."

            Such a law does seem inhumane to me. It also seems unconstitutional, since the Citizens United decision has firmly established that spending money is speech and hence subject to First Amendment protections.

            In any case, I recognize the incentives created by paying off ransomers, whether through insurance or one's own funding. My objection is to the mindset a lot of people in these comment pages seem to have, which is that the businesses afflicted by ransomware deserve to go out of business (businesses which include places like hospitals, lest we forget), and I was calling attention to the difficulty of defending against ransomware, but I suppose that point was difficult to see from the great height of your horse.

            1. DS999 Silver badge

              Re: More victim-blaming

              That's just an example of a law that, while a detriment for the few, is undeniably good for the many. That's true of almost everything government does, other than, I suppose, military defence of its borders.

  7. Mike 137 Silver badge

    Cost/benefit

    "I think, based on what we've found, cyber insurance is not that silver bullet that maybe people were hoping or thought it was."

    It never really was.

    Many moons ago I evaluated a handful of policies for an international business. At the two ends of the scale were capped payout plans with minimal obligations attached and adequate payout plans with considerable obligations on the insured.

    The policy with optimal cover included an obligation to advise the insurer of any changes to the infrastructure within a very short time. As my client was a dynamic business, frequently introducing new online services and opening new local offices all the time worldwide, the combined cost of the premiums, the notifications and the excess terms rendered the policy uneconomic unless a claim were made successfully more often than once every couple of years.

    I finally recommended self-insurance, whereby an emergency reserve could be retained, earning interest while not called upon, rather than the business making a regular annual payout accompanied by a trickle of ongoing management costs.

  8. Aussie Doc Bronze badge

    Oh FFS.

    Global Head Of Cyber?

    That's a thing?

    We're doomed, I tells ya.
