Cyber insurance: The moral quandary of paying criminals who stole your data

Australia's Emergence Insurance might still be in the startup phase, but it's already helped clients pay hefty ransomware invoices to get everything back.

Earlier this year, a club with around 70,000 members found itself in a pickle: Pay a ransom or risk the personal information of those members being exposed.

In this scenario, the club paid the ransom. It was decided that the financial hit of paying outstripped the reputational harm to that business. They handed over a handful of bitcoin totalling around $200,000 and the data was returned.

"They felt compelled to protect the data of their members and to do that, felt paying the ransom was the right thing to do," Emergence Insurance founder and CEO Troy Filipcevic told ZDNet.

The ransomware was attributed to Maze. The Maze gang is primarily known for its eponymous ransomware strain and usually operates by breaching corporate networks, stealing sensitive files first, encrypting data second, and demanding a ransom to decrypt files.

If a victim refuses to pay, the Maze gang creates an entry on a "leak website" and threatens to publish the victim's sensitive data in a second form of ransom/extortion attempt. The victim is then given a few weeks to think over its decision, and if the victim doesn't give in during this second extortion attempt, the Maze gang will publish files on its portal.

This club wasn't the only large Maze victim faced with the conundrum; another business decided not to pay.

"They were breached, 240GB of information was encrypted, they asked for a ransom, the company decided, 'nope, we're not paying'," Filipcevic said.

Instead, Filipcevic and his team helped the business determine the gravity of the situation.

Emergence helped this company contact its customers -- which included those in 14 European countries, which are governed by the General Data Protection Regulation (GDPR) -- and with everything else it required to get back on track.

Both this seven-figure aftermath and the $200,000 ransom paid by the other company were covered by their respective cyber insurance. 

"Not every time will a client want to pay a ransom, sometimes the client will go, 'no, that just goes against my beliefs … I will be drawn through hot coals before I pay ransom'. Others say 'this could detrimentally impact my business, in fact, it could sink it, so I need to be up and running as quickly as possible and we need to pay a ransom and we need to pay it now'," Filipcevic explained.

"There is zero guarantee that you're going to get the data back and there is zero guarantee that they're not going to do it again."

He said, however, what he's finding is cyber criminals are acting in an almost ethical way, handing back the information if their demands are met.

Five and a half years ago, Filipcevic stood up Emergence as the only Australian cyber underwriting company that focuses solely on cyber insurance.

With a focus previously on cyber insurance for micro-SME businesses, all the way up to ASX-listed companies, Emergence has now launched a personal cyber product which provides cover to families and individuals in the event of a cyber attack.

While security vendors push their solution as a silver bullet, Filipcevic said there's a need for cyber insurance to fill a void, that is, the financial cost involved in recovery.

He said it's not just a piece of paper that says, "if you have a flood, we'll pay you out", as it also brings cybersecurity experts and other parties to the table to clean up the mess.

This could be PR, data entry specialists to help manually enter information that was lost, or in the case of consumer coverage, the likes of counselling services to help in the aftermath of something such as cyber bullying.

It also covers the cost of paying a ransom, which, in Emergence Insurance's case, is for claims up to AU$1 million.