9 October 2019 | Analysis

Cyber insurance does not incentivise cyber extortion: Marsh

Marsh has dismissed the accusation “that cyber insurance has served as an incentive for cyber extortion attacks” and that the insurance industry benefits from such attacks.

Marsh said such assertions have been made in the media and elsewhere, but insisted “cyber insurance can be a valuable tool in the fight against ransomware and other cyber threats.”

The insurance industry is certainly selling coverage related to cyber crime. Close to 50 percent of respondents to Marsh and Microsoft’s 2019 Global Cyber Risk Perception Survey said they have cyber insurance, up from 34 percent in 2017.

But it is also true that insurance companies pay out on these policies: US carriers paid cyber claims totaling an estimated $394 million in 2018, according to Marsh.

While nobody wants to support cyber criminals, Marsh noted, organisations routinely weigh the cost of what is usually a five-figure ransom against the risk of operational disruptions that could last weeks or months, potentially costing far more.

“After the City of Baltimore refused to pay a ransom demand of around $76,000, it incurred prolonged outages and racked up nearly $20 million in losses,” said Marsh. “Small and midsize businesses may not be able to absorb the same pain from a lengthy disruption. And if your company does not have cyber insurance to absorb those losses, you have even more incentive to pay.”

Ultimately, the decision about whether to pay a ransom is always taken by the insured, Marsh added. “The unfortunate truth is that — for many organisations — paying a ransom demand is the cheaper and more effective option,” it said.

Even if cyber insurance absorbs the cost of a disruption, it cannot fully compensate for the impact of business interruption, the inconvenience to customers or the reputational damage.

The insurance underwriting process also raises awareness of cyber threats, identifying how companies should be responding and educating insureds about how to protect themselves, Marsh said. It can also help in the aftermath of an attack, it added, “convening the right team of experts, including legal counsel and computer forensic analysts, to assess the incident and recommend a response in a timely fashion.”