If a company can’t be bothered to protect its IT, why should insurers pay out when the cybercrooks come calling?

By: Enrique Dans

Mario Greco, CEO of one of Europe’s largest insurers, Zurich, has warned in an article in the Financial Times that risks arising from cyberattacks on companies are increasingly uninsurable, and pose a far greater risk to the industry than natural catastrophes.

Greco’s warning makes a lot of sense. Natural catastrophes, in an era when the insistence of many on doing nothing to alleviate the climate emergency is making them more frequent and intense, have cost more than $100 billion for the second year in a row, but the real danger facing the industry comes from cyber-attacks that target particularly sensitive parts of infrastructure, what Greco considers nothing less than “attacks on civilization.”

Cyberattacks that shut down hospitals, that hit electrical distribution infrastructure and cause blackouts, that target oil pipelines or entire government departments, can result in damage that is impossible to cover. Worse still, in most cases this is destruction that is relatively simple to prevent, or at least to hinder. It is basically like trying to insure a monkey after you have given him a loaded gun with the safety catch off: you know perfectly well that sooner or later he is going to cause mayhem.

The cost of insurance policies against cyber-attacks has been rising over the last few years due to the increasing number of attacks such as ransomware, which often have a major impact on the ability of companies or institutions to continue to function normally. Some insurers are beginning to consider the use of bonds, traditionally used to cover natural catastrophe losses, to cover potential liabilities arising from cyber-attacks. Others are trying to introduce exemptions in their contracts for cases where it can be proven that the cyberattack originated from a government, although such clauses are often weak because attributing an attack’s origin is frequently difficult.

How to act in the face of a growing threat, when we know that it is largely the victims’ own behavior that makes it possible? The increase in ransomware attacks is due to a very simple problem: a large number of companies prefer, in many cases, to pay the ransom to the criminals, even when they know that they are, in fact, dealing with criminals and that, therefore, there is no guarantee their systems will work again after payment, nor that this payment will be the only one.


Cyberattacks can also be the result of negligence: employees using extremely weak or simple passwords such as “password” or “12345678”, or outright stupid corporate policies such as the obligation to change passwords every three months and to set one that is impossible to remember, which ends up either with passwords that are once again too simple, or with sticky notes stuck behind the screen.

What should insurers do? Fundamentally, make cybersecurity a shared responsibility. If a company prefers to save the cost of a password manager and martyr its employees instead, or to set no policy at all, it should lose its right to claim damages in the event of a cyberattack. If the company decides not to implement two-step authentication systems because it finds them cumbersome, the same. In short, if you don’t update your software on a timely basis and, by not doing so, you open the door to attacks of all kinds, sorry, we’re not here to make sure you don’t get robbed when you leave your key under the mat.

The most basic cybersecurity measures are those three, and they should be deployed in every company that has a modicum of common sense. First, use a password manager, which makes passwords much more robust; make sure employees understand how to use it, and set a master password with an appropriate level of security. Even now, after the major attack on LastPass, one of the most popular password managers, it remains the case that using a password manager, even one that has been attacked, is still much more secure than not using one.

Secondly, use a two-step verification system, and not via email or SMS, but a secure one: a verification app. It is easy to install, easy to use, and generates codes every few seconds that the user simply has to type in.
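The codes such an app produces are time-based one-time passwords (TOTP, RFC 6238): an HMAC over the current 30-second time window, truncated to six digits, with the server accepting a window either side to tolerate clock drift. The following is an added illustration written here from the RFC, not code from the article; the secret is the RFC's own test key and is used only so the result can be checked against published vectors.

```python
import hmac
import hashlib
import struct
import time

STEP = 30     # seconds per time window (RFC 6238 default)
DIGITS = 6    # code length shown in most authenticator apps

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
    'dynamic truncation' to a decimal code of the requested length."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """Code for the time window that contains Unix time `at`
    (this is what the app computes and displays)."""
    return hotp(secret, at // step)

def verify(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Server-side check: accept the current window and `skew` windows on
    either side so a slightly drifted phone clock still works, and compare
    in constant time so timing does not leak which digits matched."""
    counter = at // STEP
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False

if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("current code:", totp(demo_secret, now))
    print("accepted:", verify(demo_secret, totp(demo_secret, now), now))
```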

And third, update software regularly. A large number of attacks exploit vulnerabilities that are already published, already known and already fixed, but for which many companies do not bother to apply the update. Yes, it is boring… but it is necessary and fundamental in cybersecurity. I’m sorry, but if your company continues to use an outdated Windows XP (or anything prior to Windows 8), it deserves to be attacked, and no insurer should have to pay for it.

If you’re lax about cybersecurity, the liability should be yours, and you shouldn’t be able to offload it onto an insurer. In turn, this would allow insurers to offer better coverage to those who do their homework and take care to try to reduce their exposure to these kinds of attacks. Cybersecurity used to be the realm of specialists, but for some time now, its basic rules have been increasingly clear. If you refuse to put them into practice, the problem is yours.