As recently as a decade ago, cyber-extortionists saw themselves as modern-day Robin Hoods, who merely appropriated the surplus of bloated, negligent capitalists in an effort to ‘teach’ them a lesson.

During the pandemic, many organized criminals pledged to refrain from attacking healthcare organizations and shame any peers who lowered themselves to victimize medical services.

These days, the disturbing – but not altogether surprising – reality is that criminal hackers make no moral distinction between humanitarian organizations, refugee data, hospitals, nonprofit organizations and even schools.

As odd as it may sound, the space occupied by these low-quality opportunists is in dire need of restructuring, as we see victim after victim – regardless of cyber insurance coverage – pass on the option to protect the personal information of customers and recover their systems simply because they can’t trust the word of a faceless attacker without empathy or honor.

The current disruptions at the Toronto and British libraries are a case in point, where a criminal group known to demand up to $2.7M in ransom is rebuffed, creating outages and business interruptions whose impact has yet to be quantified. This is without even daring to mention the privacy impact of the identity theft that may soon befall their millions of victims.

One thing is for certain. Society can no longer ignore the enormous harms caused to individuals as breaches and leaks continue to commoditize access to their private data, incentivize humiliated companies to downplay the resulting risk and feed a whole ecosystem of crisis response firms whose adroit communications feign heroism as they endure catastrophic outages and strive to extinguish reputational wildfires with acrobatic PR efforts.

Is the clean-up job of introducing ethics, standards and plain old etiquette to the toxic cybercriminal supply chain a task for insurance companies, government agencies or some grey area players? Your thoughts?

(*Forbes, McAfee, Cybersecurity Ventures et al.