Companies May Be Flagging Themselves For Hackers By Buying Cybersecurity Insurance
AILSA CHANG, HOST:
Ransomware attacks have hit the U.S. food supply, the health care system, the pipelines that carry fuel up and down the East Coast. And companies are worried about being attacked. More of them are buying what's called cyber insurance, but that demand has led to higher prices and to coverage that is less comprehensive. NPR's David Gura joins us now with more. Hey, David.
DAVID GURA, BYLINE: Hey, Ailsa.
CHANG: OK, so just give us a primer first. How does cyber insurance work exactly?
GURA: Yeah. Let's take ransomware, for example. It's been in the news lately. There have been these big attacks. Colonial Pipeline is one of them. JBS, the meat processor, is another one. You know, they can cause a lot of disruption, cause a lot of damage. And the ransom demands can be sizable, as we've seen. Colonial Pipeline paid $4.4 million. Well, a company can buy an insurance policy not just to cover the ransom payment itself but also the fallout from an attack. A company may have to hire a consultant to negotiate and make a payment. There's forensics work - trying to figure out what happened, what was taken. All of that's expensive. And then there's the notification part of this, Ailsa - how much it costs a company to tell its customers, and sometimes its investors, about what damage took place.
CHANG: OK, so it sounds like cyber insurance is a good idea. But are a lot of companies actually buying it?
GURA: We have some new data on this from the federal government. In 2020, half the companies that bought insurance had cyber coverage. In 2016, four years earlier, it was just a quarter of them. So it is becoming more popular, and we're seeing the costs creep up for coverage. I think this uptick in demand for coverage says something about how normal these attacks have become. Companies are buying insurance for cyberattacks just like they buy insurance for fires and for earthquakes. That's made it become a regular part of doing business. And it's happening even as the federal government tells companies it doesn't want them to pay ransoms, that paying ransoms incentivizes more attacks.
CHANG: Well, given all these recent cyberattacks, is the thinking now that all companies should be buying cyber insurance?
GURA: Well, experts told me yes. It's becoming increasingly clear companies could benefit from this kind of insurance. But there's a catch. There's this concern that companies that buy cyber coverage could be targeted as a result. James Turgal helped run the FBI's information and technology branch. Now he's with the security company Optiv, and he consults with large companies. He told me some hackers actually scour IT systems as part of an attack to learn about the kind of insurance a company has. And then these bad actors will use that information as leverage.
JAMES TURGAL: They will actually put up a piece of that cyber insurance policy to show you that, one, they've infiltrated your system and they have exfiltrated data but also to let you know they know about the cyber insurance.
CHANG: That's scary.
GURA: Another cybersecurity consultant said she has heard of hackers figuring out what to ask for, how big a ransom to ask for based on what a policy says an insurer would cover.
CHANG: OK. Well, what about the insurance side of things? Like, how is the growing popularity of cyber insurance affecting the overall business of insurance?
GURA: Well, insurers are forcing companies to do more to improve their IT infrastructure. They're also making more of an effort to verify a company's defenses are, in fact, as good as the company says they are. And that's part of what determines the premium. Daniel Soo is a cybersecurity consultant with Deloitte, and he says this is an approach you see with other kinds of insurance, like with car insurance, for instance.
DANIEL SOO: To get different safety features on your car has an impact on your premium. It's going to be the same thing with cyber insurance.
GURA: Now, something else that's happening is insurers are denying claims if a company's systems are not as secure as it claimed. And one last point here - ransomware isn't new. It's been around for decades. But this kind of standalone cyber coverage, Ailsa, is fairly new. And because of that, policies vary. This could make it get more standardized as time passes.
CHANG: That is NPR's David Gura. Thank you, David.
GURA: Thank you.
(SOUNDBITE OF SALLY SHAPIRO SONG, "STARMAN")
Transcript provided by NPR, Copyright NPR.