Ian Smith reports:
The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn. But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch.
Read more at FT.
The question of “what would happen if…” has been a frequent topic of concern and debate. While the FT article mentions insurers trying to limit their payouts by excluding attacks by “state actors” or “warlike acts,” there’s also the issue whether eliminating cyberinsurance would actually reduce the number of attacks. Would groups only attack those who have insurance to pay ransom, or wouldn’t it make a difference?
From what this blogger has seen, lack of insurance does not reduce the likelihood of an entity becoming a victim in the k-12 education sector. How many school districts have we seen that were hit and did not have any cyberinsurance to pay any ransom demands or just refused to pay ransom? Vice Society even told this blogger that the absence of cyberinsurance is not a factor for them or deterrent, and when asked about one of their recent attacks on a k-12 district, a Hive spokesperson told this blogger that they had no idea whether the victim had cyberinsurance to pay as they hadn’t checked. So maybe that approach is not likely to be as effective as some might hope.
Will prohibiting ransom payments make a difference? From what Vice Society and Hive have said, it is unlikely to reduce attacks on k-12 entities. And what it might do is result in a situation where highly sensitive student records just get dumped on the internet. Do we really want to tell districts that they cannot pay to try to prevent that?
Making ransomware attacks uninsurable may save insurers some profits, but how would it help improve security in the k-12 or secondary education sector?