Ransomware Insurance: Incentive to Cybercrime?

By November 11, 2021 No Comments

*By Renan Moreira

It is clear that in recent years, cyber attacks are becoming more common and effective, and this is due to some factors that we will not cover in today's article. What we intend to address, in fact, is an aspect that is gaining ground with these attacks: the taking out of insurance policies against cybercrime, more specifically, cybercrime Ransomwares, as they are the type of digital threat where data is hijacked, encrypted, and it is only possible to recover them if you know the key to unlock it.

A brief comparison between material and immaterial goods

Insurance is a very effective mechanism when dealing with material goods, such as an accident with your vehicle, where the insurer, after verifying the fact, reimburses the affected individual. Unfortunately, when dealing with intangible assets, such as data (facts, concepts or statistics) and information (data processed after analysis), once these assets are read or even controlled by undue third parties, we will have a breach of Integrity, which is a fundamental pillar of Information Security (Confidentiality, Integrity and Availability).

Why would an insurance policy be encouraging to cybercriminals?

Once your company has an insurance policy like this, most of the time, Top Management ends up saving financial resources that would be allocated to preventive efforts for an attack, because they have the false feeling that they would be safe in the event of an attack. However, as we know, information is the most valuable asset of recent times, and as much as it is financially reimbursed (most likely only part of the damage, as an attack can cost millions of reais to the victim), the company can stop for a long time, which can even lead to bankruptcy. This would only be minimized if there is a team responsible for maintaining backups, known as backup, according to the real need of the asset.

The incentive would necessarily be on the part of the company, since the thought would be: "we are safe, after all we will have financial support in case there is an attack", instead of having the thought of: "in case there is an attack, we will be ready to data recovery”. Notice the difference? In one of the cases, the concern remains only in the financial area, where, in fact, it would be necessary to recover the data, which opens up a range for attackers to take advantage of this breach.

According to the study by Jason Nurse, senior professor of cybersecurity at the University of Kent, cyber insurance is not a silver bullet, as some people hoped or thought. Furthermore, Nurse adds, saying that another point that cyber insurance does not like would be the wide variation in their due diligence before taking out the policy, with different companies requesting different proof of security. He points out, stating that this possible lack of standardization points to the lack of preparation on the part of the teams involved, which can generate an unfavorable environment.

What strategy should be adopted to minimize risks and costs?

even performing backups, it is still possible to suffer an attack that compromises even the restoration, for example, if it is not stored in a properly secure and isolated place from the company.

The most recommended position would be hiring a consultancy or monitoring an Information Security team, equipped with a Security Operations Center (SOC), as well as the support of a Risk and Compliance Management (GRC) team, where will be closely monitored events and offenses that may be harmful to your company, in addition to providing instructions to your employees in order to minimize risks.

It is worth noting that 80% of companies that consider paying the ransom end up being victims again, according to a survey carried out by Cybereason. The same study shows that only 42% of companies that suffered an attack were able to recover their losses with the use of insurance against cyber incidents.

There are policies on the market, which cover up to 1 million reais in damages, if your company has a defense solution where the customer pays about 5 thousand reais a month for 300 devices. As for a consultancy, its cost may be a little higher, such as R$ 5600.00, with 40 hours of project time and the work hour being equivalent to R$ 140.00, according to the market average. These values vary according to the number of devices, criticality of the environment, project urgency, type of monitoring and some other technical factors, it is worth consulting a representative for further clarification.

Therefore, consider hiring a specialized team against an insurance policy. Most of the time, it is cheaper to have a consultancy at your disposal than just an allowance to repair the damage. If you want, it is still possible to hire both resources at the same time, however, the costs would be much higher, and aiming at efficiency, we maintain the recommended position.

And your company, does it already have a consultancy?

— Renan Moreira is a Servicedesk at [SAFEWAY]

About Safeway:

THE SAFEWAY is an Information Security company, recognized by its clients for offering high added value solutions, through Information Security projects that fully meet the needs of the business. In these years of experience, we have proudly accumulated several successful projects that have given us credibility and prominence among our clients, which largely constitute the 100 largest companies in Brazil.

Today through more than 23 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!