A counterargument to the “Insurance encourages ransomware” statement that’s often seen…:
[…] And those who have criticized cyber insurance have some important facts wrong:
- Ransomware victims are rarely targeted. Why would they be? Targeting victims takes time, research and money. A better strategy for attackers is to target a specific but widespread vulnerability that will quickly cause chaos and distribute links to ransomware to the maximum number of potential victims — and see who takes the bait. Each success is another quick smash-and-grab.
- Insurance hardly creates an incentive for extortionists. As even critics concede, ransomware demands usually top out at five figures. For many, that cost is a nuisance. And although no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransomware demands against the risk of operational disruptions that could last weeks or months and cost far more. For example, after the City of Baltimore refused to pay a ransom demand of around $76,000, it incurred prolonged outages and racked up nearly $20 million in losses. Small and midsize businesses may not be able to absorb the same pain from a prolonged disruption. And if your company does not have cyber insurance to absorb those losses, you have even more incentive to pay a ransom demand.
- Insurers do not make decisions about whether to pay extortionists — the insurance buyer always makes the final call. The unfortunate truth is that, for many organizations, paying a ransom demand is the cheaper and more effective option. Even if cyber insurance absorbs the cost of a disruption, victims have many other considerations. How many initiatives will be sidelined as an organization flounders with its networks down? What happens to customers who depend on the services your company provides? What happens to your reputation? If an insured refuses to pay, its insurer supports the insured, paying network recovery costs and reimbursing it for income lost as a result of the attack.