That's the phrase echoing in city hall council chambers across America. Many municipalities choose to pay and get back to business. When will the madness end in Texas? Sure deductibles are a small price to pay, but just wait until cyber insurance premiums go through the roof. Then who are you going to call?
I was actually a bit surprised that the insurers were willing to pay the ransom. It seemed like they are paying out for poor security on the part of their clients. This is actually something I've seen a few times with companies who think they can get cybersecurity insurance INSTEAD of addressing their shortcomings in security (lack of policies/procedures, lack of systems to detect/prevent issues, etc).
Would think that most cybersecurity insurances would require measures be in place. Or at least to get better rates (similar to getting better home owner insurance rates if you have alarms, etc).
I guess we'll see how this shakes out.
--- Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, GSLC, GSTRT, ISSA Fellow
Let's look at how all the parties --- organizations, insurance providers and hackers --- fit into this.
Organizations: The objective is business continuity, while maximizing profits & minimizing costs. Unless they're willing to accept cyber-security risks --- or can somehow avoid them entirely --- the options are to mitigate or transfer them. If the former requires significant investment with little / no short-term ROI, the latter would be more attractive.
Insurance providers: Essentially the same objective. The more policies they sell, the higher the profits, and the fewer claims they have to cater to, the lower the costs.
Hackers: Varying objectives, achieved by targeting organizations, and --- apparently --- taking advantage of a preference for transfer over mitigation, when treating cyber-security risks.
Referring to that article, I can understand why they opted to pay the ransom; but what surprised me is that it's not so hard to claim the insurance.
I've usually observed that while purchasing a policy is relatively easy, claiming it can often be a challenge, so I'd have assumed that organizations would only be able to avail of claims if they've met certain requirements.
To 'maintain the balance,' both hackers and insurance providers should keep their charges --- ransoms & policy costs --- reasonable, so that organizations stay in the game...