So just how bad is ransomware and cyber security in general? To get an impression, lets look at the past week. Just over the past 7 days, there have been over a dozen major ransomware attacks, though a few have not been well reported in the news media. The fact is, we have fallen for a kind of creeping normality. It’s not normal and it should not be considered a routine thing to see this happen.
Because the artificial risk of cyber-attacks Is So controllable, Cyber Insurance can be a reliable cash cow, but it we must rethink what cyber risk is and what role cyber insurance plays. Doing so unlocks the door to billions of dollars in potential profits. Currently, nobody in the entire insurance sector knows how to do this and nobody does it properly.
The term for what we are living through is moral crisis.
Last year, the world lost hundreds of billions of dollars to cyber attacks and trillions were lost to the total economic impact of these attacks. The biggest problem is ransomware, but business email compromise, leading to fund transfer fraud and other types of account interception and social engineering fraud are also costing the economy billions. Every week, we hear about more police forces, hospitals, schools and critical institutions being attacked. Ransom is frequently paid. Lives have even been lost. It’s no longer possible to rely on your doctor, lawyer, police force or fire department to be there for you and not leak your private information.
And then we have cyber insurance, which keeps paying ransom and racking up losses, insisting that “cyber is just inherently high loss” or “cyber incidents are like earthquakes: unpredictable and unstoppable.” We see top ranking executives, even the likes of Warren Buffet saying that it is expected that cyber insurance will lose money. It will because cyber risks are just big risks and we don’t know how to control them. Also, we don’t have enough data, and perhaps in a few years we will be able to figure out how to price it.
As an expert in cyber security, ransomware especially, with an education in cyber security and over 20 years of experience, I cannot stress this enough: THIS IS INSANE!
Cybercrimes are just that: crimes. Like all crimes, they are human created and can be stopped. Cyber security is not some oddball unfigured-out kind of thing. It’s just bad guys breaking into our systems because we do not institute strong enough controls. The idea that cyber criminals are so much smarter than our best engineers is absurd. It’s the year 2024 and the US has the best technology in the world. None of this needs to happen. We could shut this down in a day, if there were proper experts involved.
There has been a massive misunderstanding of the nature of cyber risk by the insurance sector, and in doing so we have entrenches a monster which is sapping hundreds of billions of dollars out of the legitimate economy and is funding terrorism. The history of cyber insurance is a comedy of errors. There’s a reason no legitimate cyber risk experts should not have been consulted from day one, but there was a belief that cyber was simply a shiny object that could be monetized to appeal to the digital age. Insurers have been trying to sell cyber insurance without investing a dime in understanding it. They’ve simply broken something they don’t understand and now consider it a lost cause. This is absurd.
The truth is simple: If not for the fact that cyber insurance has come along and decided to encourage bad behavior, while funding crime, we would not have the ransomware problem we do. Our hospitals would be safe. Our schools would be safe. Our emergency services would not be targeted. The problem cannot currently be solved, because insurance companies stubbornly insist that they don’t want to, but are fine paying out ransoms.
The unfortunate thing is that how Berkshire Hathaway decides it wants to handle the issue of cyber risk ends up impacting far more than Berkshire Hathaway. Buffet is so admired and Berkshire Hathaway such a giant player in risk and insurance, that his words impact everyone’s security.
Warren Buffet may be old, but he continues to be held in the highest of esteem by investors. He certainly has a great track record. Buffet is also admired because of his openness and candid discussion of his methods and stock picks. He’s always sworn by a long term investing strategy, which values not only growth but stability. His disciplined approach has been the key to great success.
For this reason, when he speaks, the investing and business world listen. He’s been called the Oracle Of Ohama. When his Berkshire Hathaway group holds its annual shareholders meeting, some investing companies take the day off and gather to watch the whole thing with the enthusiasm and fanfare of the Superbowl.
When Warren Buffet speaks, the financial world listens. The insurance world also listens, because Berkshire Hathaway has become one of the biggest players in insurance. The group recently purchased a large portion of Chubb, one of the largest providers of cyber risk coverage.
This is a problem, because when someone so influential speaks about something so important, they had better be correct, and in this case, he is dead wrong. I do not mean to criticize Mr. Buffet personally, of course, but it’s important to bring attention to this. As an expert in this area, I find his comments to be absolutely terrifying.
The reason it’s so terrifying is the impact that these comments, and others like it, from other business leaders, has caused to national security and the global economy. Insurance vital to how a capitalist economy self regulates and how risk is properly priced. Insurance is the bedrock of how risks are treated in the economy.
The unfortunate thing is that this very ignorance is at the root of the stagnation of cyber defenses, the layoffs of so many in the sector, the divestment of resources and the acceptance of such dire levels of loss. It’s terrible to think that anyone so followed could be actively telling people that cyber security is a mystery nobody has figured out. If that were the case, it would be pointless to spend on it and hire experts.
Shortly after this meeting, a large number of cyber security professionals were laid off.
