New Ransomware Worry: Insurance Can Present Solutions and Problems for Cybersecurity
Insurance policies could be a “guide” for cybercriminals to determine how much to demand in ransomware attacks, said Erik Weinick, attorney and co-founder, Otterbourg P.C.’s Privacy & Cybersecurity practice.
Financial and data losses have been piling up now that the number of cyberattacks on companies, individuals and governments has escalated in recent years. Insurance companies have provided coverage for these victims of ransomware but they have found themselves reevaluating their own policies and protection as insurers, too, have been impacted.
Ironically, cyber insurance policies can even serve as a “guide”—or even a magnet—for cybercriminals to determine how much to demand in ransomware attacks, said Erik Weinick, attorney and co-founder, Otterbourg P.C.'s Privacy & Cybersecurity practice.
Following is an edited transcript of an interview with Weinick, an expert in both cybersecurity and insurance.
Has the issue of cybersecurity been taken seriously in recent years?
There's a growing appreciation among the business community and the nonprofit community that cybersecurity is a pressing issue. I think there's still a misunderstanding among that community as to who the potential victims are … there are still a tremendous number of organizations out there that believe that because they are under the radar or they're a certain size, that they're not a potential victim of these attacks. That's simply not the case.
At the end of the day, as I like to say, most cybercriminals are not looking to become a household name themselves. They're not looking to get into the hall of fame of cyberattacks. They're looking to make a quick buck. What's the easiest way to do that? It's to go after the low-hanging fruit. Very often, the low-hanging fruit are the smaller, lesser-known organizations that have fewer resources to protect themselves and mitigate against these types of attacks.
One of the weapons or defenses that these smaller organizations have at their disposal is a comprehensive cyber insurance policy, which brings with it not just a monetary protection in the event that something goes wrong, but an army of experts that can help those smaller organizations protect themselves and mitigate against the inevitable attack.
Some of these attacks have happened as far as seven years ago or even longer. Why does it matter more now? Is it because of the frequency, the size, the impact, the amount of losses?
It's all of the above, and it's also an increase in the reliance of the business community on electronic systems and things like the proliferation of the internet.
Your electronic and connected thermostats and security cameras and things of that nature can become a potential vulnerability for organizations. It's twofold: it's an increase in the number of attacks, but it's the increased reliance on our electronic systems that leaves us more vulnerable.
One of the issues that's been raised is that despite the appearance of protection, cybersecurity insurance is not only becoming more expensive and less extensive, but it's accidentally painting insurers as potential targets for attacks. Can you speak to that?
There's mixed evidence out there as to whether or not simply having cyber insurance makes you more or less likely to be attacked.
As I said, I think that the criminals are performing a cost-benefit analysis, if you will, as to, “OK, this is who I'm going to attack. This is who I'm able to gain access to, and then if I'm going to effectuate a ransomware attack” … It may be that they just seize information and threaten to leak it out. We've seen that happen with some law firms and other holders of sensitive information. The existence of these insurance policies is perhaps serving as a guide for the criminals as to how much to ask for.
They don't necessarily need to know that you have “x” amount sitting in your corporate bank account, but they know that if your policy limit is $5 million or $10 million, they know that they can ask for that and there's a good chance that they may get it.
What they've done is, from my understanding, infiltrated victims' electronic systems to identify the existence of a policy in order to determine the amount the policy may cover. Then, they essentially tailor their ransomware demands to those policy limits to increase the likelihood of payment in return for restoration of data. Is that what's been happening?
Yes, that we're seeing on an anecdotal basis. Again, it's a little early to point to specific data or specific studies that say this is a widespread problem. There's a certain logic to it that's appealing.
I am uncomfortable with consumers and businesses saying to themselves, “Well, I'm not going to get cyber insurance because that makes me a target.” To me, it's the equivalent of saying, “I'm not going to get auto insurance, because it makes it more likely that I'm going to get into a car accident.” You still want to have that protection. I'd rather have it than not have it.
This scenario presents some legal, business, and moral questions for those who are tasked, essentially, with safeguarding the organization's data. Is that fair to say?
That's right. It's one of a host of factors that you were describing. For more sophisticated organizations, the role of a CISO, chief information security officer, is generally tasked with making recommendations to a board of directors or a CEO as to what is their cybersecurity protection going to look like.
Like anything else, you want to have a multilayered defense … in cybersecurity, you should have a robust electronic system. You should have good policies in place. Having the added protection of insurance at a reasonable cost, again — that's a decision that every organization has to make for itself and balance the premium cost versus costs of compliance as well.
Again, it's not just the premium that's a cost of insurance, but doing all of these things, which, at the end of the day, should help to mitigate risk. That's another cost of having the policy. Again, it carries with it the benefit of going through that exercise and improving your cybersecurity standing.
The bottom line is an organization should understand exactly what is covered and what is not, and what the organization's own obligations are in order to maintain the coverage. Is that fair to say?
Absolutely. What I'll add to that is that we encounter a lot of organizations who say to us, “Well, I have a general liability policy,” and they believe that they're covered under that. What we'll say in response is that they should go back and read that very carefully, because they may think it's covered, but it may in fact be explicitly or implicitly not covered.