May 26, 2021 by Adam Malik
One cybercriminal recently mused online that hackers are incentivized to launch cyberattacks because companies have cyber insurance coverage, a theory since debunked by cyber insurance experts.
The cybercriminal’s rationale? Since insurance exists for the victims, the hackers will be paid.
But there is a fatal flaw in that theory, cyber experts observed during a recent virtual event panel discussion. In fact, such theories are a distraction from the real issues, they added.
During the recent virtual CFC Summit 2021, Tom Bennett, incident response analyst at CFC Underwriting, said one cyber threat actor recently “boldly stated” that cyber insurance customers make the best victims because of their ability to pay up. But that statement falsely assumes that cybercriminals know a customer has a cyber insurance policy, Bennett countered. At least, they wouldn’t know before initiating an attack.
“There is no doubt that there [exists] a reality [in which] sometimes, unfortunately, people who have hacked into a network [are] rooting around for data to steal and they come across an insurance document,” Bennett said. “[The hacker] says, ‘Oh, they have cyber insurance with a company. Fantastic. I can maybe extort them for more now and they’re more likely to pay.’
“But are they going into that network knowing that’s the case? I think that’s incredibly unlikely.”
Lindsey Nelson, cyber development leader at CFC Underwriting, debunked a spin-off conspiracy theory that says insurers welcome attacks because the fear factor helps them sell more policies. “There’s no cyber market that’s interested in seeing the amount of ransomware claims that are happening right now,” Nelson said. “And certainly not the level of demands that we’re seeing right now when it comes to extortion as well.”
As for the idea that cyber insurance incentivizes nefarious characters, she called that “misguided” thinking.
“I would argue that’s quite misguided when we think about the fact that, [of all of the] businesses around the world, only 15% of them are actually buying a cyber insurance policy,” Nelson said during the session The Changing Face of Cybercrime.
All this conspiracy talk is nothing more than a distraction from what is actually driving cybercrime, she added. For example, criminals are going after businesses that are vulnerable.
“Whether businesses want to believe it or not, the ones with weak security controls provide criminals with the path of least resistance to their systems,” Nelson said during the panel discussion with other CFC cyber experts.
Insureds are more likely to pay a ransom to avoid strict penalties and fines in those jurisdictions that have strict privacy laws, Nelson pointed out. Crypto exchanges allow criminals to monetize and perpetuate their crimes.
Bennett added that hackers don’t have to look for people who have cyber insurance, since there are plenty who aren’t insured, and they make for the easiest targets.
“Enough [businesses without cyber-insurance] have these lack of security controls, [and] are the low-hanging fruit that [cybercriminals] can be going after,” Bennett said.