Evidence That Having Insurance Encourages Attacks

  • Something we've been discussing for years in IT and IT insurance circles is that having insurance puts a target on your company's back, because attacking companies without insurance guarantees a fight, and often no payout. But going after a company with insurance often means little fight and a big payout. So knowing who has and who doesn't have insurance for whatever attack vector you might be considering is often a top priority.

    In a recent article shared on ML was this quote:

    “In fact, it seems hackers are specifically extorting American companies that they know have cyber insurance,” Cho continued. “After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware.”

    The problem with this kind of situation is that the insurance companies win by making high profile targets vulnerable in order to show the need for more insurance. Ransomware attackers win by getting big payouts with little overhead. The insurance and ransomware vendors have a directly shared interest; not to suggest that they collaborate, but they might as well, as both exist and profit because of the other in a symbiotic mechanism to milk the insured.

    There is a reason that the government doesn't want ransoms to be paid, and a different reason why insurance companies encourage paying them.

    In this situation, everyone wins except the insured. Uninsured companies pay out less, and are attacked less. Insurance companies make out big time. Ransomware vendors make out big time. The only true losers are those that opt for insurance. Not only do they end up paying the normal, unavoidable insurance overhead, but they have to pay it on the pool of high profile targets because it is the insurance policy itself that puts them into the high profile pool!
