Alarm bells should be ringing for companies that rely on insurance as their cyber defence strategy after a decision in the Federal Court earlier this month.
The court ruled that an insurance firm was not liable for costs incurred in the clean-up and recovery process from a ransomware attack suffered by a client.
The case revolved around the definition of ‘direct financial loss’ and legal experts believe it may have a broader impact on the interpretation of claimable costs under cyber insurance policies.
The question of cyber insurance is one that has perplexed many people and organisations.
Cyber insurance can provide financial help to companies who have been targeted by a cyber attack, in the same way that building and contents insurance provides relief in the event of fire or flood.
This is the mindset behind insurance as a concept — a backstop if the worst should occur, a mechanism to help a person or an organisation to return to normal as soon as possible.
Few organisations would gamble by going without business insurance, knowing the potential impact on business continuity should a natural or other disaster affect their operations. Similarly, this mentality exists in other aspects of life — as the saying goes, if you can’t afford travel insurance, you can’t afford to travel. The same goes for driving a car.
Having said that, there is a line of thought that discourages taking out a cyber insurance policy in the first place — proponents argue that insurance actually attracts attention from cyber criminals because they know an organisation has the capacity to pay.
Insurance giant AXA took a stand against ransom demands last year, withdrawing insurance for ransomware attacks in France. Days later, AXA itself suffered a ransomware attack.
But having no insurance means an organisation absorbs all the risk alone — a strategy that few boards or executives would be willing to endorse, and certainly not without a comprehensive strategy for monitoring threats and weaknesses.
Part of the insurance question is that, in many cases, business leaders rely on insurance itself as the cyber defence strategy, transferring the risk to the insurer. It leaves an organisation vulnerable to attacks while ignoring a fundamental aspect of protecting organisations — prevention.
People with car insurance don’t go looking for an accident or drive a car that is unsafe. So why would organisations not take preventative action and monitor their networks for weaknesses to be remedied before the worst occurs?
Yet only 20% of critical infrastructure companies have moved to zero trust strategies to secure their networks, the equivalent of driving a car without a seatbelt.
Businesses that are comfortable with transferring all risk to insurance companies have not considered the consequences of an attack or their networks being compromised by a third party.
Like some health or home insurance, cyber insurance provides peace of mind, but people think they’ll never need it. When they do, they’ve not really looked at what it covers or what additional costs are required.
The damage caused by cyber attacks can’t always be easily fixed after the fact and attacks have a long tail, with business continuity and repair costs just two of the considerations.
Take the Colonial Pipeline attack in the United States. Even after they paid a ransom and received a decryption key from their attackers, it wasn’t enough to immediately restore the pipeline’s systems.
And no amount of insurance can bring back lost files or quickly repair damaged reputations.
In addition, once a claim is made, would your insurance company continue to provide cover?
Many insurers are becoming more selective about who they are willing to cover and may deny those who pose too big a risk — such as those who have been attacked before. Insurance underwriters are well aware that two-thirds of targeted organisations are attacked again within 12 months, which encourages a malicious cycle of criminal activity.
Insurers are also increasingly requiring organisations to demonstrate they have taken reasonable measures to protect themselves against cyber attack — the equivalent of not leaving your doors unlocked and your windows wide open when you leave your house.
Insurance should be part of a defence plan but it should be the last line of a vulnerability and threat management strategy, not the front line.
Many organisations are ignoring the first lines of defence, such as thorough cyber safety monitoring that detects weaknesses before they are exploited.
Company boards and executives should be asking their insurers if they have the right level of insurance for their threat exposure.
But they also need to ditch the risk transfer mindset when it comes to insurance and take steps to prevent attacks with a layered cybersecurity strategy encompassing vulnerability and threat management.
Rochelle Fleming is acting CEO at cyber security company Sapien Cyber.