In today’s security news, let’s look at some of the finances.
Updating on payouts – CNA Financial, which is one of the largest US insurance companies, paid $40 million to free itself from ransomware earlier this year, per a report last week from Bloomberg. The company’s fourth quarter 2020 revenue, for perspective, was $387 million.
The FBI is warning about at least 16 Conti ransomware attacks within the last year, with the gang seeking payouts as much as $25 million to decrypt systems.
AmEx has been fined ninety thousand pounds for sending 4 million spam emails to customers within a year, covering the period from June 1, 2018 to May 21, 2019. For comparison, AmEx’s fourth quarter 2020 revenue was nine point three two billion dollars. AmEx does get a discount if they pay by June 17.
Context has released research data showing that sales of anti-spam products have increased by 524 percent so far in 2021. Context also highlights that data protection is up 102% and mail security up 30%.
In recently released research from Fitch Ratings on ransomware, premiums increased by 22% in 2020, and the direct loss ratio, which is the fraction of premium revenue paid out for claims, has risen to 73%.
The US Chamber of Commerce is calling on the federal government to do something. In a letter to the Biden administration, they ask for making the issue a higher diplomatic priority, to disrupt the payment systems used by hijackers, to enhance global law enforcement efforts, and to create a fund for victims.
Why do we care?
I’ve been thinking a lot about incentives, particularly as they apply to finances in security. $40 million sounds like a lot, but when the company’s revenues are over a billion… well, it’s 4%. Sizeable for sure. In AmEx’s case, however, the fine amounts to what… 0.00025 percent of overall revenue?
Here’s the trend – AmEx will laugh off that spam violation. I don’t see a single executive worrying about that damage. Plus, there are tons of companies making money off those anti-spam products… so why change?
The insurance companies, however, are watching their margins shrink. Premiums will go up and so will restrictions on payouts. Change happens when the finances change.
I’ve said for a while that if the damage from these ransoms were physical, the calls for help would have come sooner. The Chamber sees that the damage to businesses is sizeable, and thus the calls for government action. It’s exactly the predicted list – law enforcement activities to make the dynamics change.
Now, for an IT services company, the key lesson is to think more about the incentive structures in security. IT services companies sit at the intersection of this risk… and so understanding these dynamics and addressing them is going to be key.