pmcnamara
News Editor

They’ve got you covered

Opinion
Jul 25, 20054 mins

The bad news is that your company just wired a six-figure payment to an extortionist’s offshore bank account in exchange for a pledge from the criminal – whatever that’s worth – to spare your network from a threatened distributed denial-of-service attack.

The good news is someone at your company had the foresight to buy insurance that covers this kind of unnatural disaster.

What? You say you didn’t know that insurance policies cover cyberextortion payments? Join the club.

The details are fascinating: If you buy such coverage from Chubb Corp., for example, the actual extortion payment can be covered for up to $25 million, depending on what premium you’re prepared to pay, says Tracey Vispoli, a Chubb vice president.

And that’s just the start. Should the payment “be destroyed, disappear or be confiscated for some reason or another,” fear not, as that loss is covered, too, Vispoli says. Need to hire an independent negotiator to handle the ugliness of dealing with an extortionist? Covered. Need a public relations cleansing as a result of bad publicity? Chubb’s got your back. Even travel expenses – the criminal demands a drop at the base of the Eiffel Tower – will be reimbursed. (I neglected to ask whether you could claim hotel movie rentals.)

So here we have yet another good reason that paying off cyberextortionists should be against the law, as I’ve been arguing for a couple of months. If corporate victims literally have nothing to lose, well, paying an extortionist to go away suddenly looks more prudent than making a potentially expensive stand on principle. That such payments are bad for society as a whole seems beyond debate.

Of course, the existence of this insurance offers yet another good reason that lawmakers are unlikely to outlaw the payments. Not only would they face the wrath of corporate interests that would just as soon maintain the option of paying, they’d have to take on the notoriously powerful insurance industry, which is apparently profiting quite nicely from the status quo.

I certainly do not blame the insurance companies for selling this coverage, or corporations for buying it. Vispoli says about a quarter of companies carry some kind of cyberinsurance and that it’s within these broader policies that you’ll find specific coverage for extortion. There is an underwriting process that precedes this coverage, so at the very least a company buying it has the opportunity to test its perimeter defenses.

“We do require that the insured go through a third-party security audit that looks very much the same as the ISO-17799,” Vispoli says.

One thing for certain is that the insurance industry is having no trouble finding takers for cyberextortion coverage, because the number of victims is going nowhere but up.

“My sources would suggest that this particular type of peril is on the rise,” Vispoli says. “The problem is obtaining statistical information. There’s a suggestion that perhaps 70% of such events go unreported. They don’t want the public relations nightmare that is associated with an extortion demand.”

Which left me pleasantly surprised to learn that Chubb requires by contract that its customers report extortion demands to the authorities. I’ve argued that it should be legally mandated as well.

“We feel that with good law-enforcement involvement there is a possibility of mitigating our loss, particularly if the criminals are apprehended,” Vispoli says. “And without law-enforcement involvement there is going to be virtually no hope whatsoever of catching the crook.”

Self-serving to be sure, but it’s also common sense.

Finally, I asked Vispoli whether the insurance industry is, in essence, encouraging cyberextortion by providing a relatively painless means for corporations to pay.

“Are we creating a moral hazard?” she asks, apparently having fielded the question before. “That’s why we ask the FBI to be involved. Of course, we’re not creating a moral hazard. We are creating an ability for the insured to remedy a situation and yet be involved with law enforcement.”

Remedying the situation sounds so much more responsible than creating a moral hazard.

Care to hazard an opinion? The address is buzz@nww.com.