Ransomware – the new reality
Ransomware events almost always produce large insurance claims because they trigger so many unavoidable costs at once. In a typical event, a threat actor gains access to the network, encrypts systems and data so that you cannot use them, and then demands a ransom. The policy's network insuring agreement would pay that ransom. Beyond that, it would pay for consultants to manage the crisis: professionals with a particular expertise (often ex-FBI, ex-Special Operations or ex-State Police) who can negotiate reductions in the ransom amount and work to secure the return of your usable data.
You are typically incurring business income losses the whole time you are dealing with a ransomware attack. The average downtime after a ransomware attack is commonly put at 21 days, and 21 days in which you cannot operate can mean significant lost income. You will also incur extra expenses to get your network back up and running, and your data might not be usable at the end of it. If any of your everyday data has been stolen, lost or corrupted (email, inventory, logistics, accounts payable), you will have to incur first-party expenses to restore, recollect or even recreate it.
In addition to ransomware, we see a lot of claims involving business e-mail compromise. In this type of social engineering attack, threat actors pose as the CEO and send an e-mail to someone in the organization with a high level of urgency, saying something like, "We won't get our next shipment if we don't pay this immediately. Here are your wiring instructions; make sure it's paid." The threat actors are sophisticated enough to add personal touches ("Hey Charlie, how's your wife doing? How are your two dogs? Can you make sure this gets paid?") that prompt the employee to overlook the fact that the request bypasses the normal invoice payment procedure. That procedure is the real control: a wire request that arrives by e-mail should be confirmed by phone on a number you already have, never by replying to the message.
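The message described above leaves traces a mail filter can check for: an executive's display name over an address that is not theirs, a Reply-To that routes answers elsewhere, a lookalike domain, and payment wording paired with urgency. The script below is an added example written for this article, not the author's or any vendor's tooling; the company domain, the executive list and both sample messages are constructed for illustration.

```python
"""Indicators of a business e-mail compromise / CEO-impersonation message.

Added example for this article, not the author's tooling. The company domain,
the executive list and both sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed: your real domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: names worth protecting

# Payment wording combined with urgency, in either order.
URGENT_PAYMENT = re.compile(
    r"\b(wire|wiring|pay|payment|invoice|transfer)\b.{0,200}?\b(immediately|urgent|today|asap)\b"
    r"|\b(immediately|urgent|today|asap)\b.{0,200}?\b(wire|wiring|pay|payment|invoice|transfer)\b",
    re.IGNORECASE | re.DOTALL,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like BEC (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. An executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display-name impersonation: {name} <{addr}>")

    # 2. From or Reply-To domain that is a near-miss of the real one (examp1e.com).
    for dom in {_domain(addr), _domain(reply_to)} - {"", COMPANY_DOMAIN}:
        if edit_distance(dom, COMPANY_DOMAIN) <= 2:
            findings.append(f"lookalike domain: {dom}")

    # 3. Replies silently routed to a different mailbox than the visible sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"reply-to mismatch: {reply_to}")

    # 4. Pressure to move money now.
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    if URGENT_PAYMENT.search(f"{msg.get('Subject', '')}\n{body}"):
        findings.append("urgent payment wording")
    return findings


def is_suspicious(raw_message: str) -> bool:
    """Quarantine rule: impersonation alone, or any two independent indicators."""
    f = bec_indicators(raw_message)
    return len(f) >= 2 or any(x.startswith("display-name") for x in f)


# Constructed sample: the CEO's name over a free-mail address, replies elsewhere.
SPOOFED = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: accounts@examp1e.com
To: charlie@example.com
Subject: Re: shipment - need this paid today

Hey Charlie, how's your wife doing? How are your two dogs?
We won't get our next shipment if we don't pay this immediately.
Wiring instructions attached, make sure it's paid.
"""

# Constructed sample: an ordinary internal note from the real address.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: charlie@example.com
Subject: Board deck

Charlie, attached is the Q3 deck for review. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, is_suspicious(raw), bec_indicators(raw))
```

None of these checks is proof on its own (executives do use personal addresses), which is why the quarantine rule asks for two indicators, and why the procedural control of an out-of-band callback still has to exist for the cases that slip through.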
Data backups and the controls
Right now, the best practice in backups is the 3-2-1 method: three copies of your data, on two different media types, with one copy stored off-site. Because ransomware crews routinely look for and destroy any backups they can reach before they encrypt, that off-site copy should also be offline or immutable, and because many backups turn out not to restore properly, restores must be tested regularly. If you try to restore your only set of backups and it fails, you are left either paying a ransom or rebuilding the data, which takes time. Healthcare organizations hold patient records going back 20, 30 or 40 years; there is no way to rebuild those in time to make a diagnosis for a surgery, so they generally end up paying the ransom. Insurance companies will often recommend paying because it is usually the swiftest way to get an insured back up and running and avoids lengthy and costly business interruptions, although a decryptor from the attacker is not guaranteed to work, which is one more reason your own tested backups matter.
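The "backups that don't restore" problem above is discovered at the worst possible moment unless restores are rehearsed. One practical way to make that rehearsal mechanical is to record a hash manifest when the backup is taken and compare a test restore against it. The script below is an added example written for this article, not the author's or any backup product's code; the directory layout and the sample files are constructed, and the same manifest check would apply to each of the three 3-2-1 copies.

```python
"""Prove a backup restores: write a hash manifest at backup time, then check a
test restore against it. Added example for this article (not the author's
tooling); the directory layout and sample files are constructed here."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Relative path -> size and SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> Path:
    """Copy the tree and store the manifest beside the copy, so that a later
    restore test does not depend on the (possibly encrypted) live system."""
    shutil.copytree(source, dest / "data")
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(dest / "data"), indent=1))
    return manifest_path


def verify_restore(manifest_path: Path, restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest: what is missing, what came
    back corrupt (size or hash differs), and what was not expected at all."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupt": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def restore_ok(report: dict[str, list[str]]) -> bool:
    return not (report["missing"] or report["corrupt"])


def demo(simulate_bad_restore: bool = True) -> dict[str, list[str]]:
    """Constructed scenario: back up a small tree, perform a test restore, and
    optionally damage the restore (one truncated file, one that never came back)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.txt").write_text("allergy: penicillin\n")
        (src / "records" / "patient-0002.txt").write_text("blood type: O-\n")
        (src / "inventory.csv").write_text("sku,qty\nA1,40\n")

        manifest = backup(src, tmp / "backup-copy-1")

        restored = tmp / "restore-test"
        shutil.copytree(tmp / "backup-copy-1" / "data", restored)
        if simulate_bad_restore:
            (restored / "records" / "patient-0001.txt").write_text("allergy: pen")
            (restored / "inventory.csv").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=1))
    print("RESTORE OK" if restore_ok(report) else "RESTORE FAILED")
```

Run the restore test on a schedule against a copy you did not take the manifest from (the off-site copy especially), and treat any non-empty `missing` or `corrupt` list as an incident in its own right: that is the day you would otherwise have been paying the ransom.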
The typical cyber insurance policy provides coverage for loss of intangible assets, usually data loss or a breach of your network. If you need to insure physical property that has been affected, you would look to your personal or commercial property policy instead.
You need a stand-alone cyber insurance policy
"It's not the right coverage, and it's not enough." That's what we tell many businesses after reviewing their cyber coverage. The loss of 25,000 personally identifiable records translates almost immediately into a roughly $250,000 hit to your balance sheet, and that is just to deal with privacy compliance: you have to hire privacy attorneys, forensics experts and PR advisors, and issue notifications to impacted clients while monitoring for ongoing intrusion. These early-stage costs do not include a possible regulatory investigation or penalty, nor a privacy liability lawsuit. If it is a ransomware event, you may also have to pay the ransom, absorb the business interruption and manage the data restoration.
A typical general liability (GL) policy might provide some level of privacy liability coverage, usually around $25,000, which will not remotely cover those costs. If cyber is bolted onto a property package policy, you may see some business interruption or privacy compliance coverage, but it is unlikely to be more than $100,000, and carriers are steadily rolling back these coverage grants.
Don’t rely on independent adjusters
To make this complex issue harder for businesses, insurance carriers often hand cybercrime claims to independent adjusters who usually handle property losses and do not really know how to handle cyber claims. They can be totally out of their depth, to the point of not knowing how to read the cyber grants within the policy. One carrier, for example, included cyber grants in one of its package policies. When a claim came in, it was a ransomware event, with some coverage on the property portion of the policy and some on the GL portion. The carrier had no hotline and no privacy attorney on panel, so nobody could advise the client on how to handle the event. The property adjusters did not know what to do, so they were just calling and leaving messages for the company's CFO.
What they needed to do, of course, was get a forensics team on site right away. The client was losing money, which ultimately costs the carrier too. The worst outcome is a business knee-deep in the biggest crisis it has ever faced and receiving zero help from its insurance company. Thankfully, more carriers are now far more aware of the cyber coverage they are including and are better prepared for it; cyber claims handling is maturing all the time.
Guarding against hackers
To protect your business from hackers, you absolutely must have multifactor authentication (MFA) in place on every remote access path into the network: VPN and remote desktop, SaaS accounts like Office 365, privileged and administrative accounts (privileged access management), and the backup systems themselves, since an attacker who can log into the backup console will delete your recovery option before encrypting anything. Without MFA, you are basically inviting the bad guys in. It's like leaving for vacation, locking your front and back doors, but leaving all the windows open.
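Having MFA "in place" is only half the check; the other half is confirming that no sign-in path around it still works. Legacy mail protocols such as IMAP, POP and authenticated SMTP accept a password alone, so an account's MFA is never applied on those connections, and a privileged or backup-console login that succeeded without an MFA claim is a finding regardless of what the policy says. The script below is an added example written for this article, not the author's tooling or any vendor's API; the record format is a simplified stand-in for an identity provider's sign-in log (field names assumed) and the log lines are constructed.

```python
"""Audit sign-in records for the MFA gaps this article calls out.

Added example, not the author's tooling. The record format is a simplified
stand-in for an identity provider's sign-in log (field names assumed), and the
log lines are constructed."""
import json

# Protocols that take a password alone; the account's MFA is never applied,
# so a success here is an MFA bypass regardless of the user's settings.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}

# Entry points where a password-only success is most dangerous (assumed list).
CRITICAL_APPS = {"VPN", "RDP Gateway", "Office 365", "Backup Console", "Admin Portal"}

# Constructed sample log, one JSON record per line.
SAMPLE_LOG = """\
{"user": "cfo@example.com", "app": "Office 365", "client": "Browser", "mfa": true, "result": "success", "privileged": false}
{"user": "charlie@example.com", "app": "Office 365", "client": "IMAP4", "mfa": false, "result": "success", "privileged": false}
{"user": "backup-admin@example.com", "app": "Backup Console", "client": "Browser", "mfa": false, "result": "success", "privileged": true}
{"user": "it-admin@example.com", "app": "Admin Portal", "client": "Browser", "mfa": true, "result": "success", "privileged": true}
{"user": "svc-scan@example.com", "app": "VPN", "client": "VPN Client", "mfa": false, "result": "failure", "privileged": false}
{"user": "dana@example.com", "app": "Intranet Wiki", "client": "Browser", "mfa": false, "result": "success", "privileged": false}
"""


def audit_signins(log_text: str) -> list[dict]:
    """One finding per successful sign-in that either used a legacy protocol
    or reached a privileged account / critical app without MFA."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["result"] != "success":
            continue                      # failed attempts are not a gap
        if rec["client"] in LEGACY_CLIENTS:
            findings.append({"user": rec["user"], "issue": "legacy-auth",
                             "detail": f"{rec['client']} -> {rec['app']}"})
        elif not rec["mfa"] and (rec["privileged"] or rec["app"] in CRITICAL_APPS):
            findings.append({"user": rec["user"], "issue": "no-mfa",
                             "detail": rec["app"]})
    return findings


def remediation_list(findings: list[dict]) -> dict[str, list[str]]:
    """Group affected users by the fix they need: block legacy protocols
    tenant-wide, or enforce MFA on the account / application."""
    out = {"disable-legacy-auth": [], "enforce-mfa": []}
    for f in findings:
        key = "disable-legacy-auth" if f["issue"] == "legacy-auth" else "enforce-mfa"
        if f["user"] not in out[key]:
            out[key].append(f["user"])
    return out


if __name__ == "__main__":
    found = audit_signins(SAMPLE_LOG)
    for f in found:
        print(f"{f['issue']:<12} {f['user']:<28} {f['detail']}")
    print(json.dumps(remediation_list(found), indent=1))
```

Note what the rules deliberately ignore: a password-only success against a low-value internal wiki is not flagged, because the aim is to surface the paths that lead to the network, to administrative control, or to the backups, the three things the paragraph above says must be behind MFA.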
You should also be training your employees several times a year on general cyber security, phishing and business e-mail spoofing. You can have the best security and prevention measures in place, but if you have someone who likes to click on those links, you are going to let in a threat actor. So make sure that training is ongoing.
Don't wait to buy the policy until you are more secure and have all your ducks in a row, because the reality is that while you are getting organized you will probably have an event. Businesses in the small to midsize range cannot afford not to, simply because they need to keep their doors open. If you have an event, you will be spending your balance sheet just to clean up the mess, not to move forward. If you think you can't afford the premium, know that you can't afford the event.