Cyber Insurance – is it worth it
Authored by Andreas Beck, Managing Director, Kyndryl Middle East & Africa
The UAE is at the forefront of technological innovation. Thanks to the country’s leadership for having placed digital transformation at the heart of its national strategy and promoting the role of technology in reimagining society, enabling human progress, and transforming into a knowledge-based economy.
In fact, the country was ranked tenth place in the World Digital Competitiveness Ranking 2021 issued by the IMD World Competitiveness Center (WCC). The Ranking measured the capacity and readiness of 64 economies to adopt and explore digital technologies as a key driver for economic transformation in business, government, and wider society.
However, cyber security has become inseparable from digital transformation and ICT modernization. Cyber attacks – where fraudsters digitally lock the critical IT systems of companies and government in order to pressure them to pray a ransom – have become a daily occurrence. According to the Head of Cyber Security in the UAE Government, cyber attacks in the UAE increased by 400% after the coronavirus outbreak, resulting in losses that amounted to nearly $700 million within six months.
So, is buying cyber insurance the answer? The ability to pay ransom to regain access to IT systems and decrypt hostage files? Unfortunately, the payment of ransoms is an extremely serious problem and rarely works.
There’s no guarantee that the attackers will hold up their end of the bargain
While paying ransom may seem as the only way to recovery, there’s no guarantee that companies will regain access to their systems and be able decrypt all files. In some cases, companies are forced to make do with partial recovery.
According to IDC’s worldwide Future Enterprise Resiliency and Spending Survey, less than 28% of respondents were able to recover data after paying the ransom.
Unlocked systems should not be trusted
According to research by Cybereason, a cybersecurity technology company, 80% of ransomware attack victims who paid ransom were attacked a second time. Of those who experienced a repeat attack, nearly half believed it was at the hands of the same attackers which indicates that malicious codes remained in the hostage systems and files.
Cyber insurance rarely covers the full cost
While cyber insurance compensates businesses for the cost of an attack that affects their business, only few policies cover data recovery, restoring brand reputation and, in some cases, experts to facilitate ransom negotiations. Also, let’s not forget the IT systems and information can be regarded as a crime scene, and so investigations can be time-consuming.
Investing in cyber resilience is the best “insurance policy”
Cyber insurance is neither enough to protect organizations, nor intended to cover negligence for ignoring cyber risk. In today’s digital world, organizations must understand that it is no longer a question of whether cyber attackers will breach our defenses, but when they will break through and how much damage they will do. Attackers only need to be skilled (or lucky) enough to break through just once, and therefore, investing in cyber resilience is critical.
Cyber resilience means anticipating, protecting against, withstanding, and recovering from attacks on cyber enabled services. It goes beyond conventional cyber security and emphasizes continuity and recovery, because eventually, attackers will penetrate defenses.
Cyber incidents affect all of society, spreading uncertainty among the public, governments, and markets alike. Therefore, to keep attackers at bay and mitigate the damage they do, the public and private sectors should together embrace a comprehensive approach to both defending against and recovering from cyber attacks.
As technology leaders and services providers, we must make it our mission to partner with customers and governments to implement a whole-of-economy cyber resilience strategy. That includes a consistent set of cyber resilience principles that help prepare our economy and critical institutions for attacks.
