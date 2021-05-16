Companies and other public and private institutions have many factors to juggle when hackers shake them down for money, of course. The Institute for Security and Technology, a private cybersecurity consortium, said in a recent report on ransomware that chief concerns include whether companies have cyber insurance policies and high-quality data backups. They also worry about the anticipated expense of paying for a prolonged system shutdown.

One obvious conclusion from that observation: All institutions in the digital era should have appropriate backups in place. That’s not a complex fix. Also, companies should think about the expense associated with a shutdown the same way Atlanta and Baltimore did — proactively rather than reactively.

As for cyber insurance, well, that feels a lot like the disaster insurance that companies keep giving to homeowners who rebuild in flood and hurricane zones. Sure, it insulates against disaster, but it also encourages risk-taking. If an insurer is going to foot the bill for your ransomware payment, maybe you just find it easier to pay up rather than making your networks more resilient? That’s certainly not lost on insurers. At least one top insurer, AXA S.A., is reportedly planning to stop underwriting new policies for that reason.

Companies and other institutions can avoid all of this by practicing good cyber hygiene in the first place, and they should bear that in mind when they demand that the federal government do a better job of protecting them from hackers. But once they’ve been burglarized, the last thing they should consider doing is paying off the burglars.

Timothy L. O'Brien is a senior columnist for Bloomberg Opinion. This was distributed by Tribune Content Agency, LLC.

