Think carefully about cyber insurance, says NCSC. But don't worry about buying off ransomware crooks
Should your policy cover that? Well that's up to you
The National Cyber Security Centre has urged British businesses to think carefully when picking a cyber insurance policy – but won’t say whether insurance that covers ransomware payoffs is a bad thing or not.
Taking the form of seven questions for businesses published on the NCSC website, the latest guidance urges companies to ponder security-specific things when deciding what insurance policy to take out.
“Most cover responds to the immediate effects on the organisation by working to quickly restore network systems and data, while seeking to minimise losses from business interruption,” said the GCHQ-sponsored agency. “For data breaches, there may be legal action from customers or other affected parties.”
Yet NCSC was rather coy when The Register asked what its position was on cyber insurance products that pay ransom demands made by criminals. Such insurance appears to have been a feature of a number of notable ransomware payoffs in recent weeks, where criminals profited handsomely from their crimes.
The agency would only say it was a matter for individual companies whether or not they pay a ransom to regain control of forcibly encrypted files.
Such advice fuels the insouciance of firms such as cloud CRM provider Blackbaud, which got its insurer to buy off ransomware crooks who compromised customer data. Those crooks "promised" not to misuse the data they had taken and Blackbaud took them at their word. Similarly, Carlson Wagonlit Travel (aka CWT) paid a $4.5m ransom at the end of July to get its corporate networks decrypted.
NCSC advice on cyber insurance in general is aimed at non-techies and managers. It advises higher-ups that they should consult with the people who “manage and run your IT and security systems” before signing a contract. Techies are, unsurprisingly, the best people to decipher the “cyber security jargon” that Reg readers know and love.
The guidance also warns that insurance policies bundled with the IASME Consortium’s Cyber Essentials certification “won’t be suitable for all organisations”. The consortium is the sole issuer of the NCSC-approved award.
Earlier this year EU insurance companies lamented that industry found their cyber products too complex to understand, and opaque, because there was little certainty about whether insurers would pay out on a genuine claim or pull the age-old trick of trying to squeeze out of their obligations. As Christophe Madec, client director at French insurance broker Besse, told France’s FIC conference in February: “In liability insurance damages, we know the price of a liability [for] car insurance. For cyber, it's a little bit more vague.”
Last year Zurich made headlines after refusing a claim over a NotPetya infection, claiming a “war exclusion” clause applied to ransomware cases. ®