> Where would you prefer to be? On the receiving end of the demands? With the cyber-insurance company?
> Or with the Privacy Commissioner of the host country?
Wow, John, those are loaded questions: I am not sure I want to be on any of those teams.
Being on the receiving end could mean an end to my career. I say this as management still look for the innocent in some companies/organizations.
With the insurance company, not really, as all I could do is sit idly by and watch someone pay the ransom. IMHO, the insurance company needs to educate their clients prior to an event happening... I know that is easy to say, but my home and car insurance firms do it all the time... they are constantly coming up with literature to make my house safer or offering me discounts on my car insurance if I do X, Y or Z. Additionally, any time I have tabled cyber insurance with management, I have been told they prefer to self-insure (of course, that attitude is changing as some of the larger ransomware attacks are starting to become public).
And only with the Privacy Commissioner, I think, if the criminal is caught and I can impose sanctions.
So having said all of this, I think I would prefer to be on the receiving end if I had to pick one.
Hopefully, you are in an organization that is forward-thinking and believes in data-driven resolutions. Cybersecurity insurance should spell out extortion in great detail and should not exclude ransomware casualties that disrupt business operations. Executives also need to understand the importance of a thorough investigation before engaging in paying a ransom. Demand for excellent backup procedures and technically sound people has never been so high. Allowing the internal technical team to exercise judgement could be critical in making the right decision.