
How To Resolve Ransomware Attack

Hacking, Internet, Security. 

Hit by a ransomware attack? Here's what to do

The list of high-profile ransomware attacks continues to grow longer and more concerning with each passing week, affecting everything from gas pipelines and meat supplies to ferries. Businesses and government agencies that are attacked must scramble to secure their systems and make a difficult decision about whether to pay hackers to remove the disruption.

When confronted with such a situation, affected businesses may rush to contact their IT departments, police, crisis PR, lawyers, and law enforcement. However, one of the first calls they frequently make is to their insurance provider.

Businesses frequently purchase specialized cyber insurance policies to help safeguard their systems and cover any losses incurred as a result of a cyberattack. And ransomware, which enables hackers to seize control of computer systems (or even physical infrastructure) and demand millions of dollars in fees to unlock them, has only increased demand for that insurance.

However, this lifeline may become more difficult to access for businesses as costs rise, insurers impose stricter requirements, and the government conducts increased scrutiny when foreign hackers are involved. 

 

Increasing demand

Between 2018 and 2020, AIG, one of the world's largest insurers, reports a 150 percent increase in ransom and extortion claims. According to the company, ransom demands now account for one in every five cyber insurance claims.

"Data-intensive businesses were the first to purchase cyber insurance," Tracie Grella, AIG's global head of cyber insurance, told CNN Business. "I believe it is abundantly clear at this point that all industries are impacted and must manage cyber risk."

Depending on the size of the business and what needs to be covered — from security teams and lawyers to potential lawsuits and reimbursement for business losses or even ransom payments — plans can range in price from "a couple hundred dollars" to "multimillion-dollar programs," Grella said, adding that roughly 50% of AIG's clients make ransom payments.

The FBI and other cyber security experts advise against paying ransoms, claiming that doing so encourages cyber criminals to intensify their targeting of businesses and critical infrastructure.

According to Mark Friedlander of the New York-based Insurance Information Institute, the average cost of a cyber insurance policy in 2019 was $1,500 per year for $1 million in coverage with a $10,000 deductible. 

 

It's getting harder and more expensive

As the frequency and breadth of ransomware attacks increase, so does the cost. According to an April report from Fitch Ratings, total cyber insurance premiums reached $2.7 billion in 2020, a 22% increase over the previous year, and are expected to rise further in 2021.

Additionally, businesses seeking cyber insurance are now subjected to a much stricter examination of their existing cyber security measures prior to being approved for a plan.

AIG provides prospective clients with a list of 25 questions about their ransomware protections, which include information about how frequently they test employees for email phishing attacks and how long it takes to deploy critical security patches (ranging from "within 24 hours" to "more than 7 days").

"Ransomware is more prevalent right now, and as a result, we have a more in-depth, more targeted underwriting strategy for ransomware," Grella explained. "If certain controls are not met, we will almost certainly continue to provide coverage... but at a reduced level of coverage."

Additionally, some cyber security experts caution against using insurance as a one-size-fits-all solution, particularly during periods of increased demand.

"In some instances, organizations are overly eager to transfer this type of risk via insurance. They believe that this is a truly healthy backstop and that they can avoid making some of the more painful security investments," said Mike Hamilton, chief information security officer at cyber security firm Critical Insight, echoing this sentiment.

And with the US government announcing this week that it will use similar protocols to deal with ransomware attacks as it does with terrorism, particularly those linked to nation-states, Hamilton believes insurance providers may have a way to avoid paying out cyber insurance claims. Terrorism insurance is frequently sold separately to businesses and rarely covers events classified as acts of war.

"If insurance companies can classify anything as a nation-state act or an act of terrorism, they will be able to avoid paying out on their policies, which will create problems," he added. 

 

Who else to contact 

Whether or not they have a cyber insurance policy, the majority of businesses' first line of defense against cyberattacks remains their internal information technology department. Contracts with external cyber security firms that can deploy incident response teams and cyber ransom negotiators are not uncommon.

However, experts assert that early involvement of law enforcement and government agencies is critical. The FBI is the primary agency responsible for investigating cyber attacks, and it maintains resources such as the Internet Crime Complaint Center and the National Cyber Investigative Joint Task Force, which allow businesses to report incidents.

Additionally, the Department of Homeland Security's National Cybersecurity and Communications Integration Center and the US Computer Emergency Readiness Team handle cyberattacks. The majority of these agencies have online reporting portals, and many also include phone numbers.

"The first step a business should take is to contact the federal government," according to Andrew Rubin, founder and CEO of cyber security firm Illumio.

"When businesses operate in isolation, things spiral out of control," he added. "It is critical for the private and public sectors to share information." 

 
