Every industry has its collection of shocking stories, but Britain's cyber-insurance sector can always be relied on to top the lot.
Take the unnamed British medium-sized enterprise that recently found itself staring at a ludicrous £1m ransom demand after attackers sneaked off with some very important data. This was a straight extortion stick-up (we have your files) but the fact the attackers felt able to demand a king's ransom, even half-seriously, is telling.
Most cyber attacks are impersonal, anonymous, remote, their motives a matter of guesswork, but extortion is always about the psychology of getting in people's faces from the start – give us the money or else.
What really marked this incident out wasn't simply the crazy size of the ransom demand but that somewhere along the line it ended up in the claims tray of a cyber-insurance underwriter – there was a lot of pain here and more than one company was feeling it.
The source for the tale is Graeme Newman of CFC Underwriting, whose company traces its roots back two decades and is proud to have pioneered cyber-insurance years before any of this computer extortion stuff had even been invented.
CFC says it has recently started seeing ransom demands for £100,000 and £200,000 from clients, part of an uptick in claims connected to targeted extortion as well as that other big cybersec phenomenon-du-jour, Business Email Compromise (BEC).
"This is the largest ransom demand we have seen to date in the UK and follows a current trend of increasingly targeted extortion demands, with increasingly large amounts demanded," says Newman.
"A lot of this is happening behind the scenes and is not talked about. It will be interesting to see what happens post-May 25 [GDPR day]. I think we'll see an unveiling of how much of this is really going on."
Businesses buy insurance for lots of reasons – usually because laws, regulation, and common sense dictate that they should – but cyber-insurance is being driven by real-world events, especially incidents such as WannaCry and NotPetya.
"It's just too easy for criminals right now and nobody's doing anything about it," mulls Newman.
The UK sector is modest, covered by a mere 20 underwriters and brokers and perhaps £50m of premiums per year, according to Newman.
It's growing, yes, but it still looks like peanuts beside the estimated $2.5-$3bn worth sold in the US. Granted, the US is bound to be larger, but it still accounts for around 85 per cent of all global cyber-insurance sales. For some analysts, the US is the market.
Dig deeper, and most of the US market is connected to the costs associated with a single type of risk – data breaches. The country has strict breach notification laws and tough regulations, which means that a company on the receiving end knows it will be writing big cheques should the hackers find a way through. The good news here is that the costs are predictable, chiefly for notification, credit monitoring, forensics, and restoration of reputation. It helps that breaches have become so common that premiums can be priced against past claims using a few algorithms.
The great fire of London
Great for big corporates with money to chuck on the fire, but what about SMEs that might not even employ a security engineer? This is where the role of cyber-insurance, and its unintended consequences, get more complicated but interesting.
Says Newman: "A lot of SMEs have an increasing understanding that they have nowhere to turn in the event they experience a cyber attack. If you get ransomware, you can't dial 999 and hope to get some support."
For these customers, cyber-insurance is a short cut to help at a time of crisis. With a cyber-insurance provider involved, "they'll have a lawyer on hand, a forensics company, a notification provider, a PR consultancy, and an incident-response manager who can manage the whole project end to end. It's peace of mind of having somewhere to turn to."
Newman uses the analogy of London's Great Fire of 1666, when state-run fire services did not exist. The 17th century solution was companies offering private fire-fighting paid for with what today would be described as insurance premiums. The destructive agent was fire where today's calamities are more likely to be digital.
But all this help can come with strings – regardless of whether insurance is sold as an add-on by a managed security service provider (MSSP) or direct from a cyber-insurance broker. When trouble calls, the underwriter is in control of response because it is the company paying the clean-up bill.
This goes to the heart of what cyber-insurance is evolving into. The more cyber-insurance grows in popularity, the more influence the industry has over the shape of that response in entire sectors.
Not everyone is convinced this is necessarily a good thing, says Corey Nachreiner, chief technology officer at security appliance maker WatchGuard. His worry is not cyber-insurance per se, but its effect on claims arising specifically from extortion and ransomware.
From the insurer's point of view, paying a ransom is the preferred option because that is cheaper than restoring systems manually, argues Nachreiner. "If an SME loses its data and it doesn't have backups but they have cyber-extortion insurance, the strategy for the insurer is to pay the ransom."
Newman is adamant his company would never force a client to pay a ransom, but that might not be the case for all underwriters. Ultimately, the insurance provider has an interest in minimising its own exposure. This is maths, not computer science.
Inevitably, "the fact that insurers are paying ransoms will have an effect on either the growth of ransomware or how the attackers target based on that information," argues Nachreiner. And "what better way to figure out who is willing to pay than finding out this person is covered for extortion so in a worst-case scenario an insurer might pay."
It's a downbeat analysis: extortion insurance might also make a company more likely to be attacked as well as feeding targeted attacks on others. There is an old-fashioned alternative, says Nachreiner: "My advice on ransomware is to never pay. It's not a black-and-white decision but I strongly believe that every time we pay we are encouraging this malicious business case. It proves that ransomware works and it's going to make it worse."
There is a lot more to buying cyber-insurance than extortion and ransomware protection, of course, which explains the sunny projections from Allied Market Research that the sector will grow into a $14bn global market by 2022.
Some of that growth looks like a certainty. With an increasing number of cyber-disruptions and regulations such as GDPR to keep anxiety levels high, there could even come a day when not having cyber-insurance is seen as a bigger story.
But many customers remain wary, not only of the costs but of the power they could be handing to people who make money from understanding risk. It's why, in the UK at least, there is still a big selling job to do without resorting to the usual tech industry sales technique, FUD.
It's the Achilles heel of insurance, says Newman: "As an industry, we are terrible at articulating the thing we're selling." ®