A common piece of conventional wisdom is that insurance is enough to protect your business from a ransomware attack. You might get attacked and have to pay a ransom, but the insurer will pay that, and you’ll be back up and running. A headache, but not a game changer. This is not true. The reality is that insurance does not cover all of the costs of a ransomware attack – and in some cases, it may barely cover any.
The big cost of ransomware is not the ransom itself (although ransoms can be in the millions of dollars). The bigger cost is in your down time, loss of IP and loss of goodwill.
A ransomware attack often means all of your critical IT systems are unusable for a sustained period of time. This means that your people need to start doing work by hand: think paper and pen, clipboards and those old-fashioned triplicate forms. Working this way is possible, but it is a lot slower than doing things electronically.
This means that you simply will not get through as much work as you otherwise would have. And if you can’t do the work, you can’t get paid for that work. This has an effect on your bottom line.
The other consequence of this is that you can’t take on as much work as you otherwise would have been able to. If a big order comes in when you’re in the middle of a ransomware attack, you may have to simply pass the order on to another business. This is a lost opportunity.
Loss of IP
This is a situation that doesn’t get very much coverage – but it certainly happens. Ransomware attackers usually spend weeks or months in your system before they make their move. While they’re in there, they will find anything of value, and sell it.
If they find valuable IP, they’ll take it. Over the next few years, you’ll start to see competitors crop up with products and services hauntingly similar to yours. This means more competition from businesses that did not have to spend the time and money building that IP. This in turn means lost opportunity. It can’t be seen or quantified, so insurers won’t cover it.
Under Australian law, you have to report data breaches to the Privacy Commissioner and the people affected. A ransomware attack will almost always fall under this law, which means you need to tell your customers that their information has been compromised.
This can be a significant hit to your reputation. Some customers may choose to stop doing business with you, and in the future, potential customers may steer clear. This can create a headwind for your business in the future that can slow you down for years to come. Again: hard to quantify, so hard to get insurers to pay.
Those are just the beginning
Those are just a few reasons not to rely on insurance payouts. To learn more, and to read about three other ransomware myths, download our guide: Four ransomware myths that you need to stop believing. It’s a great way to challenge some of the assumptions you might be making in your business – and to find out how you can protect yourself.