The obvious answer is “success”. A criminal, by nature, will typically take the path of least resistance to a payday. Therefore, we can understand why, on the surface, it appears that there is a correlation between the uptick in ransomware frequency and severity and the growth of cyber insurance coverage. But, upon closer inspection, are the two really related?
The path of least resistance is a two-way street. Criminals travel it one way, to a payday, and legitimate businesses travel it the other way, towards operational continuity and profitability. There are times when these two travelers meet, as businesses have what the criminals desire – money, inventory and resources. Businesses are constantly susceptible to attack both physically (robbery, shoplifting, fake slip and fall claims) and digitally (hacking, data theft, ransomware). Crimes against businesses are largely seen as victimless crimes. However, most business owners, elected officials or IT professionals would tell you that they are not.
Insurance can offer financial stability to organizations both large and small, public and private – helping them to level the playing field. It provides resources – both financial and physical – that otherwise would not be available. These resources, such as breach response and computer forensic vendors, have been able to integrate themselves into the incident response process and can help an impacted organization determine the credibility of the ransomware incident and, in many cases, negotiate a reduced payment.
In recent years, cyber insurance has become more readily available and coverage has expanded to address network risk holistically. The insurance purchasing process itself causes an organization to look inward and gain a better understanding of its security controls. Assessment products like Aon’s CyQu can provide insight into an organization’s vulnerabilities and feedback on how to improve its posture.
Insurance is part of the cyber risk solution, not a catalyst for new threats. The presence of insurance helps to make an organization more resilient, brings to bear incident response and investigative resources in the event of a breach, and can often lower, or eliminate, the amount of ransom paid. Cyber insurance presents a significant “speedbump” on the criminal’s path of least resistance.