As online crime has come into its own, ransomware—a particularly insidious type of cyber attack—has emerged as a favorite of cyber criminals. Not unlike holding a hostage in the real world, ransomware attacks function by holding networks, devices or data hostage, in the hope that victims will pay for their liberation.
The approach has become widespread. Nationally, it is estimated that more than 4,000 such attacks now occur daily, a 300 percent increase since 2015. What’s more, nearly 10,000 people and organizations pay extortion money to cyber criminals each month, with an average ransom of $679 in 2016, nearly doubled from a year earlier.
An example of one common type of ransomware could be seen in the Jan. 6 attack on Los Angeles Community College. Eager to mitigate the harm and disruption to students, the college elected to pay the demanded $28,000 ransom to decrypt the computer systems and files the criminals held hostage. However, unlike the vast majority of victims subject to such attacks, the college was prepared. The Los Angeles Community College District had a cyber-insurance policy to cover the cost of the ransom. Because it had insurance, the college could file a claim and move on to strengthen its defensive infrastructure.
Cyber insurance can be used to manage more than just the risk of a ransom demand. Policies primarily are used to cover the liability associated with a cyber breach, including related costs like consumer notification, credit monitoring, defense costs and fines. Some cyber policies also cover firms' risk of business interruption and data loss.
In a broader sense, cyber insurance also provides incentives through its underwriting and ratemaking processes for firms to limit their vulnerability on the front end, maintain day-to-day vigilance and foster resilience in the event of a breach. Companies that establish they have strong cyber-security protocols in place will be able to earn discounts on their cyber-insurance premiums.
Insurers are eager to write cyber coverage, but they also want to limit unnecessary exposures. The most common reason underwriters reject applications for cyber insurance is an applicant's failure to address their technical vulnerabilities adequately, including shortcomings in security-testing procedures and processes, incident-response plans and backup processes. Even in cases where a company is turned down for coverage, they will gain a detailed awareness of specific ways they must change their practices.
Because the cybersecurity environment is constantly evolving, even companies with cyber insurance must assess their preparedness on an ongoing basis and meet benchmark security requirements to guarantee their policies will be renewed. In this way, firms are encouraged to engage with cyber security in a continuous and proactive way. The same cannot be said of prescriptive government standards. When commercial interests align, what you get are better cybersecurity practices. Not unlike after a natural disaster, firms that plan to be resilient in the wake of a cyber attack often will fare better than those that don't.
Despite these benefits, the takeup rate for cyber insurance remains relatively low. A global survey of medium-sized organizations found 34 percent had cyber insurance. What’s more, coverage tends to be concentrated in certain industries, like financial services, which long have been targets of cyber attack. But the cost of not having coverage can be massive. For larger companies, the average cost of a cyberattack was more than $4 million in 2016. A full 60 percent of small companies that suffer a cyber attack go out of business altogether.
As a result of its relative novelty, the cyber insurance market remains small, although it is growing rapidly. More and more insurers are offering cyber coverage with increasingly large policy limits. As a result, risks that once were uninsurable now can be managed and products are being introduced to work for businesses of all sizes. Cyber insurance also likely would be more common if the public were more aware of the millions of cyberattacks that occur each year. Firms tend not to be fully transparent about these breaches because there is, unquestionably, a stigma associated with being breached. Cyber incidents have the potential to damage a brand irreparably.
As the threat of ransomware expands to millions of incidents each month, cyber-risk management will only grow in importance. It is crucial to our national security that policymakers not interfere in the emerging market for cyber insurance, either through government edicts or by creating programs that could displace private options. The problem of cyber security is one that only the flexibility and ingenuity of healthy private markets can solve.
Anne Hobson is a technology policy fellow with the R Street Institute. Ian Adams is a senior fellow with the R Street Institute and R Street's former Western region director.
The views expressed by contributors are their own and are not the views of The Hill.