Between a rock and a hard(ening) place: Cyber insurance in the ransomware era. Issue 128 (May 2023)
- Record Type:
- Journal Article
- Title:
- Between a rock and a hard(ening) place: Cyber insurance in the ransomware era. Issue 128 (May 2023)
- Main Title:
- Between a rock and a hard(ening) place: Cyber insurance in the ransomware era
- Authors:
- Mott, Gareth
Turner, Sarah
Nurse, Jason R.C.
MacColl, Jamie
Sullivan, James
Cartwright, Anna
Cartwright, Edward
- Abstract:
- Highlights: A study of the extent to which cyber insurance can mitigate the ransomware threat. Ransomware has hardened the market, raising barriers for entry for insureds. Cyber insurance offers policyholders significant support in the event of an attack. Study participants disagreed whether insureds would be more likely to pay ransoms. Low take-up of insurance means only partial mitigation against ransomware at best.
Abstract: Cyber insurance and ransomware are two of the most studied areas within security research and practice to date, and their interplay continues to raise concerns in industry and government. This article offers substantial new insights and analysis into the complex question of whether cyber insurance can help organisations in mitigating the threat of ransomware, particularly its impacts. Having conducted an interview or workshop with 96 industry professionals spanning the cyber insurance, cyber security, ransomware negotiations, policy, and law enforcement sectors, we identify that ransomware has been a key cause of the 'hardening' of the cyber insurance market, which is exhibited at almost all levels of the market. Such hardening has been beneficial in raising the security standards required prior to purchase, but has also created a situation where some organisations may not be able to acquire viable cyber insurance at all. In presenting the outcomes of our thematic analysis of the interview and workshop outputs, the paper provides significant new empirical evidence to support the theory that cyber insurance can act as a form of governance for improving cyber security amongst organisations. Nonetheless, the hardening market does nothing to increase the penetration of cyber insurance. Questions were also raised as to the likelihood of unintended unethical – and potentially illegal – outcomes given the professionalisation of a remediation process that has to determine the most cost-effective solution to an organisation being held ransom. We conclude that insurance, at best, can help to mitigate the ransomware threat for those that can access it, as part of a wider basket of actions that must also come from different stakeholders.
- Is Part Of:
- Computers & security. Issue 128(2023)
- Journal:
- Computers & security
- Issue:
- Issue 128(2023)
- Issue Display:
- Volume 128, Issue 128 (2023)
- Year:
- 2023
- Volume:
- 128
- Issue:
- 128
- Issue Sort Value:
- 2023-0128-0128-0000
- Page Start:
- Page End:
- Publication Date:
- 2023-05
- Subjects:
- Cyber security -- Ransomware -- Cyber insurance -- Security incidents -- Harms -- Cyber policy -- Resilience -- Critical national infrastructure -- Malware
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805
- Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.cose.2023.103162
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 26876.xml