The City of Riviera Beach, Florida, is in the news again. Last week it was because the city decided to pay out $600,000 to hackers who had taken over its network, so that it could get its system back (read our blog here). This week, it is because the city wants its insurance company to pay up, claiming the ransom payments and damages incurred under its business and risk management insurance policy. Before the reader concludes that this is outrageous, note that several insurance companies explicitly offer coverage for online extortion payments in their cyber policies.
But this is changing, and we have written about this before in the case of Mondelez International and its ongoing lawsuit against Zurich Insurance, in which Mondelez claims that Zurich should be on the hook for the $100MM financial hit that Mondelez incurred at the hands of hackers. Industry watchers are paying close attention to the outcome of that case because it could have major repercussions for the insurance industry when it comes to what insurers would be required to cover under their policies, especially those that explicitly cover “cyber events”, aka cyber attacks.
Going back to Riviera Beach, as it is the most recent case: the city voted in favour of paying the ransom, against the adamant advice of law enforcement not to give in to these demands, since paying only further encourages criminals by showing them success in their ongoing pursuits. The question now comes down to “who is on the hook for the costs incurred?”. Having the insurance carriers pay for the cost and damages suffered insulates the victims from the cost, and it legitimizes paying ransoms as an accepted and routine cost of doing business.
However, we argue that it sets a dangerous precedent: the victims are now somewhat removed from having to fork out the ransom payments themselves, making it easier to pull the trigger on agreeing to the ransom payment. This perpetuates the cycle: hackers will continue down this path because it is now lucrative for them to do so, insurance companies are stuck with the bill and will start raising premiums to cover the increasing payouts, and the victims will have to pay their increased premiums in order to ensure that they are covered. Overall, a net gain for the bad guys, or a double-edged sword, especially if you are holding it with your bare hands – as most of us cybersecurity providers feel day in, day out.
Insurance as a business is based on actuarial science – the science of managing risk through the rigorous application of mathematical models and data science. It is our opinion that this science is still in its infancy, though there are some landmark papers (see here for a good example, though I warn you this might not be your cup of tea as an easy read) on how to go about developing this model. This sets up an interesting business proposition for the insurance companies. With the explosion of ransomware cases, there is definitely a market for insurance that covers this business risk. While insurance companies have to figure out how to enforce better data protection for their clients so that their payouts can be minimized, vendors such as ourselves *would* love to add it as a line item to our products – and if you are an insurance company, I would love to hear from you. I cannot seem to find you though!
Unfortunately, many insurance companies do not have the data on how or even where to start, never mind the fact that they would need to audit implementation of this new data security requirement. Add in the possibility of paying out on ransomware, which in some cases – though difficult to swallow – may have been the only option, as the City of Riviera Beach must have found out. In the interim, insurers who have taken the leap into the rapidly growing cyber insurance market cannot be left in this dilemma: either charging very high premiums so that they can make ransom payments without suffering significant financial loss themselves, or finding ways out of their contracts. This is, however, an opportunity to disrupt the business of cybersecurity, not only from a vendor/technology perspective, but also from an operational perspective (MSSPs) and an insurance perspective.
We feel that for those insurance companies that have taken the leap into cyber insurance, we can at least offer a solution that they can mandate their customers use in order to cut down the incidence of ransomware attacks and other malware. The insurance companies are looking for a security solution that can help prevent these incidents so that their payouts are lowered. What better way than to get on board with the “Detect and Block” approach? If these insurance companies made it part of their policies that the organizations they insure were required to utilize a platform such as the Wedge Advanced Malware Blocker, they would quickly start seeing a drop in the number of ransomware payouts they would be facing. With Wedge’s patented Deep Content Inspection, combined with orchestrated industry best-of-breed malware heuristics and artificial intelligence / machine learning, WedgeAMB stops all advanced threats in real time, BEFORE they have a chance of even touching an organization’s network. Best of all, Wedge offers a FREE 90-day trial of the Wedge Advanced Malware Blocker. If you are an insurance company that has started offering cyber insurance, the WedgeAMB solution could be what you are looking for! For more information, get in touch with our team at firstname.lastname@example.org!