For the last few years, the security community has pointed to great potential for cyber insurance to drive progress in cyber best practices: force companies to up their game by making certain standards a requirement for coverage.
But recent research shows that's not happening.
The rise of cyber insurance has largely failed to promote better cybersecurity practices among the industries insurers cover, according to a new report released Monday from the British security think tank Royal United Services Institute (RUSI). This is particularly true for the scourge of ransomware, where rising payments and business incentives to pay may pose an existential threat to insurance providers in Great Britain and beyond.
Although ransomware is a societal problem, the authors note that cyber insurers are facing some heat for the role they play in financially propping up the cyber-criminal industry.
"These add fuel to the fire by incentivizing cybercriminals' engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities," write authors Jamie MacColl, Jason R.C. Nurse and James Sullivan. Growing losses from ransomware attacks have emphasized that the current reality is not sustainable for insurers either.
When a company is hit with ransomware, they're often faced with three choices: pay up, lean on backups or rebuild the entire IT network. Since insurers usually opt to cover the cheapest option, paying an upfront ransom almost always ends up costing less than starting from scratch or incurring weeks of downtime while systems are restored from backups.
While this model and approach seemingly make business sense to insurers, it ends up putting an absurd amount of money into the pockets of criminal groups. These groups then have more resources to further develop their malware and infrastructure, offer better compensation to entice talented hackers to join their network and buy zero-day exploits or initial access to victim companies.
In February, a report from Chainalysis, which tracks cryptocurrency payments in law enforcement investigations, estimated that these groups took home at least $350 million in ransom payments in 2020, and experts say that many incidents are not publicly reported, because the victim has decided to quietly pay before their information is advertised online and not engage with law enforcement.
Several high-profile incidents in recent months underscored the challenges faced in this area. The U.S. government was initially unable to get information around ransom payment from executives at Colonial Pipeline, and some were outraged when CEO Joseph Blount in a media interview appeared to cast paying the $4.3 million ransom (which Blount later said the company submitted an insurance claim for) as the right thing to do and a patriotic duty to keep vital American infrastructure running. A ransomware attack on insurance giant CNA in March also resulted in a $40 million payment that is believed to be the largest ransom payment to date on record, according to Bloomberg.
The RUSI report, part of a year-long project with the University of Kent studying ways to incentivize better cybersecurity through insurance, finds little hard evidence that indicates this model is forcing companies to reevaluate their own cybersecurity practices and investments. It also warns the current model of making regular large ransom payments will not financially benefit insurers over the long term.
While some of the carriers interviewed for the report touted their pre- and post-incident services like forensic analysis, incident response, legal services and public relations as valuable services that help lift a victim organization to a higher, more secure plane of cybersecurity that prevents future attacks, there's only scant, scattered evidence that this is actually happening in some places.
In fact, many companies that buy cyber insurance tend to view it as a tool for resilience against cyber attacks rather than a risk mitigation tool. Research by threat intelligence firm Cybereason in June claimed that an eye-popping 80% of companies that paid the ransom wound up getting infected by ransomware again in the following months, often by the same group.
One example of a favorable impact cited by the authors: claims by U.S. insurance provider Corvus that their scanning for ports and vulnerabilities commonly exploited by ransomware groups resulted in a 65% drop in ransomware-related claims from April to September 2020.
These insurers can do more to sharpen the kind of data they collect, push industry to adopt security standards set by government organizations like the U.S. National Institute of Standards and Technology and rate different cyber security products for their value and impact on premium costs.
"There is a solid body of theoretical arguments that cyber insurance could play a meaningful role in improving cyber security among businesses, as referenced in a previous RUSI Emerging Insights paper," the report argues. "However, in practice, it is still yet to be seen if cyber insurance can fulfil this promise."
While the paper is geared towards the UK insurance market, the challenges and potential solutions outlined share many parallels with those of the U.S. market, where a ransomware epidemic has forced policymakers to elevate the issue and consider a number of previously extreme solutions, like banning ransom payments, heavily regulating the cryptocurrencies used to pay and directing law enforcement and intelligence agencies to increasingly target the IT infrastructure that these groups rely on to carry out their schemes.
The findings echo similar claims made in a U.S. Government Accountability Office report on cyber insurance in May, which found that the industry on the whole lacked the kind of historical data around data breaches and their effective mitigations to properly price their coverage, though some providers of cyber insurance interviewed by SC Media disputed the conclusions at the time.
"If you ever go to a restaurant and felt like having a nice lobster dinner, you probably saw the menu say 'market priced,' because who knows how many lobsters they caught that day, or that time a month or that year? The pricing is really variable in what lobsters cost on a day-to-day basis, it can fluctuate wildly," said John Pescatore, director of emerging security trends at the SANS Institute, in May. "That's sort of what the case is [today] for cyber insurance, it's essentially market price."