
I have a friend whose NDA forbids him to tell anyone which company he works for. Because he is insured by the company, and they don't want to attract kidnappers.

So I'd agree, nothing new from FB here



Kidnap and ransom insurance usually has stipulations that only very senior management on a need-to-know basis are told in a company.

Telling regular staff members that you have it in place can often mean the insurance company won't pay out for many reasons:

- adversaries might learn you will pay out and target your org/country specifically

- staff may act more recklessly knowing it's in place

- if you have to make payouts your premiums may go sky high or you won't get it in future

- staff may make a deal for a cut of the ransom by setting up something with a dodgy actor

- when/how K&R is paid is very very complicated. For example a ransom is never paid by insurance directly, the company must have cash to pay the ransom (which often catches them out) and they are compensated for loss of XYZ etc.

Also many people find only when they need to use it that K&R has strict rules depending on what country you get it from. Some insurance companies won't pay if the ransom is to be paid to AQ, ISIS or other sanctioned organisations. Also how the whole situation is dealt with and the ransom negotiated is important and affects the K&R payout. If the company doesn't have good corporate security etc to manage it, things can get very messy on the K&R side of things. A lot of people (esp US companies for some reason - perhaps the idealism that "sending in the SEALS" people see on TV) think somehow their government is going to be a knight in shining armour in such situations and believe me, very often they make a situation a lot lot worse.



