Ransomware cyber insurance "not quite there yet in terms of knowing what to insure"

The landscape's changing fast, and insurance isn't quite keeping up, argues leading security consultant

Cyber security isn't "quite there yet in terms of knowing what it is that we're insuring," a leading UK cyber security consultant has stated.

The comment, supplied to Computing Research during individual interviews for our upcoming Security & Risk Management Summit 2017, underscores a widespread belief across the industry that the evolution of threats is beginning to outpace CISOs' confidence in their ability to cope with them.

"Ransomware is a great example when you talk about this," said the consultant, who has worked with several huge technology and security vendors in the past couple of years but cannot be named in accordance with research agreements.

"It gives you so many different angles to address the same problem in that you're essentially talking about an outage and the UK insurance industry have had an annualised loss expectancy on data loss for 20 years - maybe even 25 or longer, I'm not sure."

Nevertheless, said the consultant, tech vendors still talk about ransomware in 2017 like it's a "new shiny thing that's going to wipe out all of your data and your network - if you don't buy this product".

While the consultant acknowledged that both robust backups and problem-solving at the gateway of an organisation "could solve" these ongoing threats, we're now at a stage where "cyber criminals just get one step ahead and find a way round those gateway protections and someone gets popped again".

Thus, the consultant opined, firms are currently more "reliant on recovering from a ransomware attack rather than preventing it, in lots of ways".

"When it comes to insurance you've been able to insure against that for a long time, and so insurance against modern ransomware is also quite possible.

"But I think we're still not quite there in terms of knowing what it is that we're insuring, because I think lots of people think about cyber insurance as insuring a thing rather than a disaster."

Blowing up the tyre, not the tyre itself

"You know, it's like when you buy a new car - they're trying to get you to insure your tyres," said the consultant.

"I'm not going to do that. What I want is insurance against the tyre blowing up, not the tyre itself. So I think until the insurance industry comes out and says ‘here's a policy that will help you in the event of a data breach and it will provide access to experts at that time' and it actually will, just like when your house floods or something - the insurance company has a network of people they can call on - I don't think at the moment insurance companies are doing that."

The consultant described the feeling that cyber insurers are "still trying to persuade [customers] to pay out against a thing - the disaster itself".

"And in lots of ways people don't need to do that, because their existing insurance already covers them for data loss and they don't even define how that data gets lost - it's covered under their normal policy.

"So I think we're still not quite there in terms of really understanding what it is we want. And equally the market hasn't quite worked out what to give us in terms of insurance either."