In mitigating cyber risk, work with an experienced insurance carrier that uses ethical vendors.
A recent piece by Pro Publica on the shenanigans of some data recovery firms should have gotten risk managers wondering whether the data recovery firms they use are on the up and up.
The piece detailed how some data recovery firms are selling themselves as forensic data companies, but when it comes to dealing with cyber thieves and ransomware demands, they’re just paying the ransom and not telling the client.
It’s a shady business practice and one that cyber specialists in the commercial insurance space decry.
“If you’re hiring them for a service, I don’t think it should be a secret in terms of what exactly is happening,” said Jeremy Gittler, practice leader and head of cyber claims Americas for AXA XL.
“Certainly if they are going to pay the ransom that is something that the victim should be aware of,” he added. “Because the decision that the victim has to make is ‘do you want to pay the ransom or not?’ ”
Insurers Work to Find the Right Firms
Commercial insurers that write stand-alone cyber coverage, Beazley being one, will have a stable of data recovery firms that they have spent quite a bit of time vetting to make sure they are capable of delivering on their promises and that function ethically.
Brett Anderson, a manager for Beazley Breach Response Services, said his company uses “under 10 firms that are comfortable enough to play in the sandbox of dealing with extortions.”
“There are plenty of firms that we work with that do not do that sort of thing,” Anderson added.
Anderson said before Beazley brings a data recovery firm into the fold, that firm will undergo extensive vetting.
“It often takes between six to eighteen months before we will introduce a new type of vendor to our policy holders,” said Anderson.
Read more here: https://riskandinsurance.com/data-recovery-firms-and-ransomware/