At the 2017 NetDiligence® Cyber Risk & Privacy Liability forum in Santa Monica, CA, a panel discussed emerging issues pertaining to ransomware. The panel included:
- Winston Krone – Global Managing Director, Kivu Consulting
- David Navetta – Partner, Norton Rose Fulbright
- Jeremy Glitter – Practice Leader and head of Cyber Claims America, XL Catlin
- Timothy Burke – Director of Cyber Risk, IMA Inc
- Michael Sohn, Supervisory Special Agent, FBI
When ransomware claims were first seen, the demands were a few bitcoin and they were usually resolved quickly. Now, we are seeing the financial demands increase and the ransomware is frequently destructive and more complex. We are also seeing ransomware attacks that are not specifically targeted to a company but instead seek to infect all users of a particular software that may have have a vulnerability. This was seen in the Wanna Cry attacks.
Some of the concerns with ransomware attacks include concerns around the business interruption and disruption of the communications within the business itself. The decision on whether to shut down the impacted machines has to be made quickly. A question arose on how a business interruption policy would respond to a voluntary shut down of equipment to prevent infection from ransomware. Unfortunately, there are no clear answers around such coverage questions and they must be reviewed on a case by case basis.
It will be interesting to see how policies respond to these widespread ransomware attacks as their underwriting did not contemplate such a loss and was instead focused on targeted attacks.
From a law enforcement perspective, they are seeing carefully researched attacks that are often using remote access into a companies systems. Unfortunately the remote access portal tends to be easy to exploit. The FBI cannot respond to every ransomware attack as they are so frequent. Instead they just focus on the larger incidents. The FBI will not do the forensic evaluation of the systems, that is up to the victim and their vendors to deal with. Another area of concern for law enforcement is whether the ransomware or cyber attack was initiated by a state actor (another country’s government agency). They track attacks and look for repeat patterns and where they are originating.
One area of potential risk that is a concern for the future is liability associated with spreading malware to your clients or partners. What happens if you send something to your clients that has malware and that malware infects their systems? There are questions about whether the policy of the company accidentally sending the malware would respond or whether that would fall entirely on the company infected with the malware.
Responding to Ransomware Attack
One of the initial areas of response is to try and determine how the malware got into the machine. Was it an email someone clicked on or a website they visited? If that is the case the attack is often limited to single machines. However, attacks that go in through the remote access are much wider spread and are often part of a wider breach.
The first 72 hours of a ransomware attack are the key. You need to decide if you are simply going to pay for the description code or try to remove it from your system. You also need to determine how widespread the attack is.
It is important to work closely with your carriers in the event of a ransomware attack. Part of the benefits of a cyber insurance policy is the claims expertise that the carrier brings. If you have an incident you should contact the carrier immediately so they can make sure to deploy the appropriate expertise to assist in mitigating the damages.
Does encryption of consumer information require notification to the consumer and regulators? It depends. If the data was not actually accessed but the files were simply blocked it may not. However, some regulatory agencies have indicated that if the owner of the data is unable to access it they consider it a breach which triggers the notification requirements. This is especially true of ransomware attacks in the healthcare setting where patient records could be locked which could inhibit treatment.
When Should You Pay a Ransom?
Law enforcement never advocates paying the ransom. There is no guarantee paying will get your data back. Studies show there is only a 50% chance of getting the data back even after you pay in a ransomware attack. The other concern is repeat attacks by the same hacker once you pay as you have demonstrated a willingness to pay.
There is nothing illegal about paying a ransom. There is no way of knowing who is launching the ransomware attack. Unfortunately, it comes down to a cost/benefit analysis and some companies choose to pay to get their computers released rather than dealing with the fallout.
Some companies refuse to pay ransom and instead will rely on their cyber and business interruption policies to protect them from monetary damages associated with the attack. The question arose on how a carrier would respond if the insured choose to pay or not pay a ransom within their policy deductible. You should notify the carrier regardless of the decision because the carrier will want to do a forensic evaluation to ensure there are not additional issues with your system and data.
Having backups are the best protection against a ransomware attack. If you have full backups of your information and can restore what is encrypted, you won’t need to pay the ransom. Unfortunately, based on the panel’s experiences, more than half the time the backups are either not done or the data is outdated or inadequate. Keep in mind the ransomware attack may not just target your data. It could also impact your applications. Some companies do not keep backups of their operating systems and applications so a ransomware attack could disable your system even with your data backed up.