Duck Creek on cyber survivors and ransom payments

To pay, or not to pay?


By Daniel Wood

Picture a business lunch involving the owners of small and mid-size SMEs. During lunch, if a conversation about cyber insurance came up, all in the room would likely agree that policies are too expensive and they probably don’t need the cover anyway.

Data from the Insurance Council of Australia (ICA) shows that despite the high number of cyberattacks, only about 20% of SMEs have cyber insurance. Brokers are generally struggling to sell cyber policies to these sorts of firms. Ben Dulieu gave Insurance Business an insightful explanation as to why.

“It’s almost like survivors’ bias,” said the chief information security officer (CISO) for Duck Creek Technologies, a global firm specializing in digital insurance technology.

US-based Dulieu said the SMEs that need cyber cover probably don’t have it, then get hit by an attack and go out of business.

“It’s easy to look around the room and say, ‘Hey, among us 10 people, no-one’s needed it, right?’ Well, that’s because the companies that did get hit are no longer in the room with us,” he said.

However, Dulieu said the expense of policies is probably a bigger industry challenge than educating stakeholders about cyber threats.

“Small companies are innovating technologically and they’re putting a ton of their budget into technical innovation,” he said. “Cybersecurity, in a lot of ways, is seen as a massive cost centre.”

He doesn’t see that changing anytime soon.

To pay, or not to pay?

For those SMEs and other businesses that do have cyber coverage, one major issue is what to do about a ransomware attack.

According to The State of Ransomware 2023 by cyber security tech firm Sophos, 66% of firms surveyed globally reported ransomware attacks in the last year. Roughly the same number reported attacks in 2022.

“Overall, 46% of organizations surveyed that had their data encrypted paid the ransom and got data back,” said the report. “Larger organizations were far more likely to pay with more than half of businesses with revenue of $500 million or more admitting that they paid the ransom.”

So should firms pay cyber ransoms?

The Australian government has stated that it is against paying ransoms but is currently considering industry views on the issue as part of its 2023-2030 Australian Cyber Security Strategy. One of the drivers of this strategy is the Minister for Home Affairs, Clare O’Neil.

In a recent speech at a cyber summit, the Minister said her consultations with stakeholders have involved lots of “lively conversation” on this topic.

“I think there’s more recognition that we cannot continue indefinitely to be a country where it is a part of business to be funnelling money into cyber criminal gangs,” said O’Neil. “But we also heard that we do not have the proper supports in place today to be able to implement an outright ban on ransomware payments.”

Dulieu said every law enforcement agency in the US recommends against paying a ransom.

“There are a couple of reasons,” he said. “One is, just because you pay it doesn’t mean you’ll get your stuff back.”

Recent trend: Double ransoms

The second reason, said Dulieu, is just because you pay one ransom doesn’t mean you don’t get what’s called the double ransom.

“This is a recent trend,” he said. “The cyberattackers say, ‘Hey, you just gave us $100,000. Well, now you owe me another $50,000.’”

However, Dulieu said these criminals realise that they can’t all demand multiple ransom payments and not return the data because cybercrime is a business.

“They’re delivering you your product and your data is the product,” he said. “So if all of the cyber criminals in the world stop giving data back, why would you ever pay a ransom?”

Dulieu said the industry faces a balancing act between paying and not paying a cyber ransom.

“There are some crazy statistics out there that show that most companies say they wouldn’t pay a ransom, if they had the capability to restore services within about a day,” he said. “But statistically, when you look at companies at the end of the first week after a cyberattack, it goes up to about 90% of companies paying the ransom because if you’re offline for a week, your business is really in jeopardy.”

As a businessman, Dulieu said he understands the needs of business, but he also has a government background as a former US Marine.

“So I understand that we don’t want to give these cyber criminals a reason to continue to do this stuff,” he said. “There’s not a black and white answer.”

The Australian government expects to reveal more details about its Cyber Security Strategy later this year.
