M+E Connections

AWS, Presidio Navigate Cyber Insurance

Cybersecurity threats continue to grow each year, and 2022 was no exception: ransomware attacks against industrial organisations increased 87%, according to a Dragos report.

Successful breaches can come at a very high cost. After all, ransomware extortion totalled $456.8 million in 2022, after reaching a high of $765.6 million in 2021.

On May 16, during the webinar “Risk & Reward: Navigating Cyber Insurance in 2023,” speakers from companies including Amazon Web Services (AWS) and Presidio considered whether cyber insurance is the answer to this dilemma, weighing its positives and negatives.

For one thing, unlike other forms of insurance, cyber insurance language is not standardised, and that can lead to significant variations in policy coverage.

Meanwhile, certain offences, including cyber warfare, are often excluded from coverage, while individual insurers may disagree on what constitutes an approved “loss event.”

But is it worse to be left without any protection at all? In the latest instalment of the BrightTALK Original series CISO Insights, the industry experts looked at how to navigate the question of cyber insurance in 2023.

Among the specific topics: the real stakes of cyber security right now; what comprises a robust cyber insurance policy; and how the market has changed in 2023.

“When you think about cyber insurance and you think about how entities are using it as a mechanism to transfer their risk … they’re not necessarily doing some of the key things that they’re supposed to do,” according to Maria Thompson, state and local government (SLG) leader for cybersecurity at AWS.

“Prior to the pandemic and during the pandemic, you saw a lot of – and I definitely saw – ransomware attacks that were impacting organisations and some of them were looking to pay the ransom,” she said. “Some of them weren’t. But one of the key things that I noticed: the organisations that didn’t pay the ransomware … had resources. And I think that if an organisation has those resources available to them, such as incident response, boots on the ground, forensics, leveraging their federal partners, those type of things, if they’re aware of them, they’re more resistant to paying ransomware.”

The US government has tried to discourage companies and people from paying ransoms, she noted, explaining: “If a cyber insurance company is still facilitating this type of payment, one, it obviously sends the wrong message because it’s just going to keep the ransomware attacks coming at us. Whether you believe that or not, it’s a profit game. If the hackers don’t think that they’re getting anything. If there’s no value in it. If there’s no financial viability to that, they’re not going to keep doing it. But if the insurance companies are paying the ransomwares, then it’s going to keep the game going.”

Organisations should instead focus their efforts on “doing the right things, hardening your environment and not paying the ransomware,” she told viewers, adding she liked the fact that “you’re starting to see more and more states putting out these prohibitions for the payment of ransomware.” North Carolina was one of the first to do that, she said.

Dan Lohrmann, field chief information security officer for public sector at Presidio, said he agreed with much of what Thompson said but disagreed that we should make ransomware payments illegal.

For one thing, he explained, “I think there’s some pretty compelling arguments around stories that are out there you can read … where literally companies would go bankrupt, would basically have to … shut their doors” over ransomware attacks.

Many companies may be opting out of cyber insurance now, he went on to say. “Yet I’ve read a number of reports in the last couple of months saying that the number of policies sold is actually going up pretty dramatically,” he noted. “A lot of people see the need for it.”

But Thompson warned: “Buyer beware…. There’s people out there, organisations out there that don’t even know what’s in their cyber insurance policies. Until something happens.”

Interjecting, moderator Earl Duby, chief information security officer at Auxiom, said: “I would say most of them don’t understand what’s in that policy.”

Summing up the main themes at the end of the session, Thompson said:
“I’m going to sound like a broken record here. Insurance has its place. It’s not a replacement move from your security programme. I think that you should go in eyes wide open … [and] make sure that it meets your business needs and addresses the risks within your environment.”
