Cyber insurance’s ‘dirty little secret:’ It’s useless, and cyber criminal gangs know it
“Cyber insurance is busted because everyone is making claims for dumb stuff … The only time you should be making a claim is when you’re going through something like Maersk did.”
Danish shipping giant Maersk suffered a cyberattack in 2017 that wiped out every copy and backup of its Active Directory database, except for one copy that wasn’t online due to a power outage at its office in Lagos, Nigeria.
“Consequently, companies should be making their deductibles as high as possible, so that they’re assuring their insurer ‘We’re going to be self-insuring, right up to the point where there’s a devastating attack’,” Mr Turner said.
Last June, Australian insurance companies endorsed a government move to outlaw insurance payouts to companies that pay the ransom in a ransomware attack, arguing such payments only create further incentives for cyber criminals.
The cryptocurrency analysis firm Chainalysis estimates that at least $US602 million ($857 million) worth of ransomware payments were made using cryptocurrency in 2021, and probably much more because many payments only emerge long after the event.
Insurers under attack
That spiralling cost has forced insurers to crack down on claims, adding exclusions for nation-state attacks and for acts of war, both of which might render cyber insurance useless for any attacks arising out of Russia’s invasion of Ukraine, Mr Turner said.
“The insurers, because they’re busy trying to minimise their risk, are now asking more intensive and more invasive questions of their prospective holders, and they’re getting reams and reams of answers to questions about customers’ most sensitive controls.
“And so the insurer has become a honeypot for attackers. The attackers know if they breach into the insurer they’re going to get a list of all the organisations that are insured, and they’re going to get inside information about their targets.”
In February, the London-based insurance company Aon suffered a cyberattack thought to be motivated by a desire to get access to confidential information about Aon’s policyholders.
And in 2021, the US-based insurance company CNA reportedly paid a $US40 million ransom to cyberattackers who threatened to leak stolen data about companies insured by CNA.
When the ransomware gangs then turn their attention to the policyholders, “they know they’re insured up to this amount, and that’s how much they’re asking for,” Mr Turner said.
But it would be a mistake to pay the ransom, he warned.
“If an organisation pays a ransom, then the board of directors and the CEO should resign because they have fundamentally failed to prepare their organisation for operation in the 21st century.
“If your only option is to pay a ransom in a ransomware attack, you have failed your organisation,” Mr Turner said.