Cybersecurity may be useless, information security officers say

Cyber insurance against ransomware and other online attacks has been rendered almost useless because too many companies make “dumb” claims, according to a peak body representing Australia’s top information security officers. 

James Turner, managing director of CISO Lens, a forum for Chief Information Security Officers in Australia’s biggest companies said that excessive claims against cyber insurance policies have forced insurance companies to ask too many invasive and intrusive questions of policyholders in an effort to keep their exposure to a minimum. This in turn has made the insurance companies into targets for hackers, as they store so much sensitive information about their clients.

Last June, Australian insurance companies endorsed a government move to outlaw insurance payouts to companies that pay the ransom in a ransomware attack, arguing such payments only create further incentives for cyber criminals.

The cryptocurrency analysis firm Chainalysis estimates that at least $600 million US dollars worth of ransomware payments were made using cryptocurrency in 2021.

This spiralling cost has forced insurers to crack down on claims, adding exclusions for nation-state attacks and for acts of war, both of which might render cyber insurance useless for any attacks arising out of Russia’s invasion of Ukraine.

Mr Turner said businesses should move to making claims only as a very last resort, and, “If your only option is to pay a ransom in a ransomware attack, you have failed your organisation.”

- CyberBeat