Companies May Be Flagging Themselves For Hackers By Buying Cybersecurity Insurance : NPR


An uptick in ransomware attacks has led more companies to buy cybersecurity insurance. But some bad actors actually target companies with this coverage, figuring they’ll be more likely to pay ransoms.


Ransomware attacks have hit the U.S. food supply, the health care system, the pipelines that carry fuel up and down the East Coast. And companies are worried about being attacked. More of them are buying what’s called cyber insurance, but that demand has led to higher prices and to coverage that is less comprehensive. NPR’s David Gura joins us now with more. Hey, David.


CHANG: OK, so just give us a primer first. How does cyber insurance work exactly?

GURA: Yeah. Let’s take ransomware, for example. It’s been in the news lately. There have been these big attacks. Colonial Pipeline is one of them. JBS, the meat processor, is another one. You know, they can cause a lot of disruption, cause a lot of damage. And the ransom demands can be sizable, as we’ve seen. Colonial Pipeline paid $4.4 million. Well, a company can buy an insurance policy not just to cover the ransom payment itself but also the fallout from an attack. A company may have to hire a consultant to negotiate and make a payment. There’s forensics work – trying to figure out what happened, what was taken. All of that’s expensive. And then there’s the notification part of this, Ailsa – how much it costs a company to tell its customers, and sometimes its investors, about what damage took place.

CHANG: OK, so it sounds like cyber insurance is a good idea. But are a lot of companies actually buying it?

GURA: We have some new data on this from the federal government. In 2020, half the companies that bought insurance had cyber coverage. In 2016, four years earlier, it was just a quarter of them. So it is becoming more popular, and we’re seeing the costs creep up for coverage. I think this uptick in demand for coverage says something about how normal these attacks have become. Companies are buying insurance for cyberattacks just like they buy insurance for fires and for earthquakes. That’s made it become a regular part of doing business. And it’s happening even as the federal government tells companies it doesn’t want them to pay ransoms, that paying ransoms incentivizes more attacks.

CHANG: Well, given all these recent cyberattacks, is the thinking now that all companies should be buying cyber insurance?

GURA: Well, experts told me yes. It’s becoming increasingly clear companies could benefit from this kind of insurance. But there’s a catch. There’s this concern that companies that buy cyber coverage could be targeted as a result. James Turgal helped run the FBI’s information and technology branch. Now he’s with the security company Optiv, and he consults with large companies. He told me some hackers actually scour IT systems as part of an attack to learn about the kind of insurance a company has. And then these bad actors will use that information as leverage.

JAMES TURGAL: They will actually put up a piece of that cyber insurance policy to show you that, one, they’ve infiltrated your system and they have exfiltrated data but also to let you know they know about the cyber insurance.

CHANG: That’s scary.

GURA: Another cybersecurity consultant said she has heard of hackers figuring out what to ask for, how big a ransom to ask for based on what a policy says an insurer would cover.

CHANG: OK. Well, what about the insurance side of things? Like, how is the growing popularity of cyber insurance affecting the overall business of insurance?

GURA: Well, insurers are forcing companies to do more to improve their IT infrastructure. They’re also making more of an effort to verify a company’s defenses are, in fact, as good as the company says they are. And that’s part of what determines the premium. Daniel Soo is a cybersecurity consultant with Deloitte, and he says this is an approach you see with other kinds of insurance, like with car insurance, for instance.

DANIEL SOO: To get different safety features on your car has an impact on your premium. It’s going to be the same thing with cyber insurance.

GURA: Now, something else that’s happening is insurers are denying claims if a company’s systems are not as secure as it claimed. And one last point here – ransomware isn’t new. It’s been around for decades. But this kind of standalone cyber coverage, Ailsa, is fairly new. And because of that, policies vary. This could make it get more standardized as time passes.

CHANG: That is NPR’s David Gura. Thank you, David.

GURA: Thank you.


Copyright © 2021 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
