Ransomware has long been a scourge, and it’s getting worse. I recently had the chance to talk about ransomware and cyber insurance with Kimberly Horn, the Global Claims Team Leader for Cyber & Tech Claims at Beazley. Kim has significant experience in data privacy and cyber security matters, including guiding insureds through immediate and comprehensive responses to data breaches and network intrusions.
SOLOVE: What trends have you seen with the development of ransomware?
HORN: The ransomware landscape has seen a dramatic shift over the past five years, with an increase in the frequency, complexity and severity of attacks. There has been a proliferation in the number of attack groups, and the methods used by the bad actors have morphed over time. At Beazley alone, the year-on-year increase in ransomware attacks from calendar year 2018 to 2019 was 131%. See Beazley’s 2020 Breach Briefing report.
Back in 2015 and 2016, the malware used to launch ransomware attacks was typically introduced to a company’s network by way of automated execution, delivered through spearphishing email campaigns. End users would click on an attachment, resulting in the encryption of certain data and/or endpoint devices. These attacks were designed to cast a wide net, and there was usually no evidence that the bad actors had infiltrated areas of the network that housed sensitive data. The ransom demands were the equivalent of a few thousand dollars to fifty thousand dollars, and it was rare that the company’s back-ups were encrypted by the malware.
In 2017, the attacks became more sophisticated, with brute-force attacks on open Remote Desktop Protocol ports, attempts to harvest credentials, and manual execution of the malware. Forensic investigators began to see evidence that the bad actors were attempting to move through the network, in some instances accessing sensitive data, which resulted in reportable breaches. The ransom demands were still relatively low, but on occasion ventured into six figures.
Beginning in late 2017 (and continuing through the present day), we began to see more targeted disruptions, with bad actors using more sophisticated forms of malware to gain greater access and do more harm. Bad actors began to more regularly use banking trojans and other forms of persistent malware to conduct network reconnaissance and move laterally through the network, launching the ransomware attack either when detected or after the host network no longer served a useful purpose. Forensic investigations after the fact reveal that once in the network, bad actors turn off anti-virus software to avoid detection, search for system administrator credentials, create domain controller accounts to gain complete access to systems, search for sensitive data that can be monetized, and search for and encrypt back-ups that are easily accessible and not segmented from the network. The ransom demands associated with such attacks are regularly in the six figures, and in the summer of 2019 began to pierce seven- and eight-figure sums.
More recently, ransomware groups have upped the ante further by threatening public disclosure of the attack and/or of data exfiltrated from the company’s network during the course of the ransomware attack. Some of the actors known for these tactics go so far as to split the ransom demand into a set amount for the decryptor key, and a separate amount to avoid public disclosure of the incident.
SOLOVE: How large of an overall cost is ransomware in the pie chart of other security problems? What are some of the biggest pieces of the pie?
HORN: Hacking and malware incidents represent over 54% of the data breach incidents reported to Beazley in 2019 (compared with accidental disclosures, insiders, lost and stolen portable devices, and physical loss/non-electronic records). Ransomware represents 36% of the hacking and malware incidents.
Although ransomware incidents represent just over a third of all hacking and malware incidents reported to Beazley, comparatively speaking, the costs associated with a ransomware attack are exponentially greater than a standard data breach, even one involving hacking and malware. In a standard hacking or malware incident, a cyber policy will pick up the legal and forensic costs to investigate whether the infiltration of the company’s computer system has resulted in a reportable data breach, the response costs associated with publicly reporting the incident, and the resulting third party liability, namely individual demands, class action litigation and regulatory inquiries. With a ransomware attack, a cyber policy potentially picks up all of the above, plus the cyber extortion, data recovery and business interruption costs.
In terms of the other pieces of the hacking and malware pie, business email compromise incidents are the second most prolific cause of loss at 30%, followed by banking trojans, malicious code injections on e-commerce websites, and point of sale compromises that allow bad actors to steal payment card information.
SOLOVE: If a company pays the ransom, is this covered by insurance?
HORN: Coverage for cyber extortion loss is a standard offering in most cyber insurance policies these days. Subject to the terms and conditions of the policy, including, but not limited to, whether the company obtains the insurer’s consent prior to making the payment, whether the payment is in response to a recognized extortion threat, and whether the payment has not been made to persons on the Specially Designated Nationals and Blocked Persons List maintained by the Treasury Department, the ransom payment will be covered by a cyber insurance policy.
The ransom payment may also trigger coverage under a kidnap and ransom policy, so cyber insurers typically inquire about the existence of such policies so that companies can maximize all available insurance coverage. This is especially true in situations where the overall losses anticipated in connection with the event are in excess of the cyber insurance policy limit. As noted above, costs associated with a ransomware attack do not stop accruing after the ransom is paid.
SOLOVE: If a company doesn’t pay the ransom and loses the data, which is a greater cost than paying the ransom, is this still covered?
HORN: One of the biggest myths is that paying the ransom and restoring from the decryptor key is the fastest and most cost efficient means to restore data. Not only does the ransom negotiation process take time, but restoring data from a decryptor typically involves considerable time and third party vendor resources. In addition, data restored from the decryptor key may be corrupted, especially when dealing with less sophisticated attack groups. A company’s decision to not pay the ransom, either because it has viable back-ups or another alternative means from which to restore its data and/or conduct its business, will not jeopardize coverage for data recovery costs and business interruption costs. Cyber insurers will pay data restoration and business interruption costs regardless of whether a company pays the ransom or restores through another means.
Fortunately, it’s still the case that most ransom demands are not paid. Rather, our experience shows that companies explore every alternative to get their businesses back up and running before making the difficult decision to pay a ransom.
SOLOVE: Does the insurer have any say in the decision about whether or not to pay the ransom?
HORN: While I can only speak on behalf of Beazley, the answer is no, the insurer does not get involved in the company’s business decision to pay or not pay a ransom. Our claims team does not make recommendations to policyholders about whether they should pay or not pay, and Beazley does not make the ransom payment for the company. Typically, the company alone makes the decision to pay or not to pay after considering whether it has any alternatives, such as viable back-ups or other means of restoration. Whether companies make their decision with input from other third-party providers they retain is up to the individual company.
Beazley advises companies that should they elect to make a ransom payment, the cyber extortion coverage is on an indemnity basis only, and any reimbursement is subject to (i) satisfaction of the applicable policy retention; (ii) acquiring proof prior to payment that the bad actor possesses an effective decryptor that successfully decrypts sample files; and (iii) confirmation that the payment has not been made to persons on the Specially Designated Nationals and Blocked Persons List, which is maintained by the Treasury Department’s Office of Foreign Assets Control.
At the end of the day, the role of the cyber insurance carrier is to act as facilitator, reimburser and educator, offering services and risk management tools to help companies prevent and mitigate the impact of these attacks.
SOLOVE: Are cybercriminals raising ransoms because they are being paid? Does the fact that a victim might have insurance coverage lead to higher ransoms being charged?
HORN: I cannot speak directly to the motives behind rising ransom demands, but there are likely several contributing factors: (1) the bad actors behind the vast majority of these attacks operate with impunity, and have become emboldened by their success; (2) the attacks carried out by some of the attack groups have become more sophisticated, and take a bigger investment of resources; and (3) the attacks are more targeted, giving bad actors better sight into the crippling impact their actions have on a business. For example, when bad actors know they have successfully encrypted a company’s back-ups, logic dictates that the company may be more willing to pay a larger ransom because it may not have any alternative means of restoration.
Cyber extortion is a crime of opportunity, and the vast majority of victims tend to be low-hanging fruit with insufficient cyber security defenses. Until recently, we had seen no evidence to suggest that ransom demands had any correlation to a company’s cyber insurance coverage.
SOLOVE: If a company isn’t keeping regular backups of its data, does this affect whether the loss will be covered? What factors, if any, would be things that could affect whether a ransomware incident would be covered?
HORN: Companies that do not have procedures in place for regularly backing up data, or that do not have back-ups disconnected from the network, will likely be deemed less favorable risks during the underwriting process. The issue that emerges with back-ups in the wake of a ransomware incident is not whether they exist, but whether they present a viable means of data recovery. Many times, back-ups are not properly segmented from the network, leaving them vulnerable to encryption. Even when back-ups are viable, we have seen situations where the amount of data encrypted is so significant that a full restoration of critical systems from a back-up data center would take a month or more, rendering the back-ups worthless.
In assessing coverage for a ransomware incident, insurers look at whether the terms and conditions of the policy are triggered. The core consideration is whether there is a recognized extortion threat directed at the insured organization.
To learn more about ransomware, listen to Ransomware Strikes, the first episode of our podcast series, CtrlAltBreach.
SOLOVE: Thanks, Kim, for your insightful perspective. For more information, be sure to check out Beazley’s 2020 Breach Briefing report.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.