Fixing the private sector’s incentives is the first step. Officials in America, Britain and France want to ban insurance coverage of ransom payments, on the ground that it encourages further attacks. Better to require companies to publicly disclose attacks and their potential cost. In America, for example, the requirements are vague and involve large time lags.
With sharper and more uniform disclosure, investors, insurers and suppliers could better identify firms that are underinvesting in security. Faced with higher insurance premiums, a flagging stock price and the risk of litigation, managers might raise their game. Manufacturers would have more reason to set and abide by product standards for connected gizmos that help stem the tide of insecure iot devices.
Governments should police the boundary between the orthodox financial system and the shadowy world of digital finance. Ransoms are often paid in cryptocurrencies. It must be made harder to recycle money from these into ordinary bank accounts without proof that the money has a legitimate source. Likewise with cryptocurrency exchanges, which should face the same obligations as established financial institutions.
Join Us On LinkedIn
Join the Cybersecurity and Incident Response Group on LinkedIn