Weighing the options: The role of cyber insurance in ransomware attacks

The Norsk Hydro cyberattack is a real-time case study of what an international company goes through when a ransomware attack is successful. Over the last week, we’ve witnessed a global manufacturing giant being brought to its knees by an orchestrated cyberattack. Hydro was forced to switch its operations to manual in multiple countries and was operating at 50% of normal capacity.

When companies become victims of a ransomware event, it may be tempting for them to simply pay the ransom and move on. But for organizations that hold a cyber insurance policy, other factors must be analyzed to determine what comes next. Cyber insurance firms look at all angles of the situation to understand which option is more affordable: paying the ransom, or paying the insured costs of switching to manual operations and backup data.

The analysis and response are based on what is specifically covered under the targeted company’s insurance policy. Assuming that the company holds a policy covering ransomware incidents, the cyber risk insurance firm runs a cost analysis for each option.

Option 1: Pay the ransom

Ransomware attackers are quite intelligent when it comes to determining how much ransom to ask. If it is too high, cyber insurance will not cover it. Too low, and the attack is not worth the effort. The amount of ransom often factors in the harm that the company could face because of business interruption or working at limited capacity with manual operations. The cost of business interruption is usually covered by cyber insurance, and the clock starts ticking at the same moment when ransomware encrypts the data.

Some important questions the targeted organization and cyber insurance company will explore before reaching their decision:

  • Will paying the ransom result in saving the data? Attackers know that if they do not provide a working decryption tool promptly after the ransom payment, they may not receive any ransom the next time they attack a company. So, they usually follow through.
  • Is the targeted company at a greater risk of having the stolen data exposed? Generally, ransomware attackers do not expose the stolen data on the dark web, but it’s always possible. After an attack, cyber insurance companies often work with computer forensic teams to determine whether any data was lost or left the system, to shed some light on this possibility. If any PII was exposed, then the insured company must notify the authorities under certain regulations (e.g., GDPR). They may also be required to inform the individuals who own the PII about the attack. Targeted companies may be subject to data privacy regulatory fines, and there will also be some costs associated with sending notifications to anyone whose data was exposed. Both of these costs may be covered by an insurance policy.
  • Does paying the ransom encourage the attacker to strike again? Unfortunately, ransomware attackers are difficult to catch. They are good at covering their tracks and use crypto-coins to hide any money trail. Paying the ransom gives some adversaries the boldness to orchestrate more attacks – possibly even a repeat attack on you.

Option 2: Refuse to pay and switch to backup data

Determining the cost of switching to backup data involves many factors. If the insured company backs up its data on a daily basis, then the cost and interruption may be negligible. But if the gap between the last backup and the point of encryption is too large to cover certain day-to-day operations, then the business loss and productivity disruption may be significant. Another issue is the time required to switch to the backup data. Operational loss becomes a top deciding factor for the cyber insurance company.

There is also a possibility that the targeted company could be attacked again if they refuse to pay the ransom. The reality is, this is a possibility in either scenario. When the original data and systems are encrypted, it’s difficult to do a complete forensic investigation to understand how the attackers infiltrated your system. Even if the victim upgrades and tightens their cyber security measures when switching to backup data, it is possible that attackers who have already successfully infiltrated the targeted company’s system can find another way in.

In many cases, attackers will conduct reconnaissance research, determining multiple ways to compromise the company. They may focus on any third-party vulnerabilities they can exploit to re-enter the targeted company’s systems.
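As an added illustration (not from the original article, and not any insurer's actual model), the following Python model puts the factors listed under both options into one expected-cost comparison: the ransom, the business-interruption clock that starts at encryption, the restore time and backup gap, the chance the attacker's decryptor fails, and the exposure costs that apply either way. All figures, policy limits and field names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Incident:               # constructed figures, not Norsk Hydro's
    ransom: float             # amount demanded
    loss_per_hour: float      # business-interruption loss while on manual operations
    decrypt_hours: float      # downtime if the attacker's decryptor is used and works
    restore_hours: float      # downtime to bring backup data and systems online
    backup_gap_hours: float   # hours of data created since the last backup
    rework_per_hour: float    # cost to recreate one hour of that lost data
    decryptor_works: float    # probability the attacker delivers a working decryptor
    exposure_cost: float      # fine + notification cost if forensics show data left


@dataclass
class Policy:                 # assumed coverage terms
    ransom_limit: float
    interruption_limit: float
    covers_exposure: bool


def restore_path(inc):
    """Option 2: downtime until backups are live, plus rework of the backup gap."""
    return inc.loss_per_hour * inc.restore_hours, inc.rework_per_hour * inc.backup_gap_hours


def expected_costs(inc):
    """{option: (ransom, downtime, rework)} as expected values. If the decryptor
    fails, the ransom is sunk and the restore path follows; the clock never stopped."""
    r_down, r_rework = restore_path(inc)
    p = inc.decryptor_works
    pay_down = p * inc.loss_per_hour * inc.decrypt_hours + (1 - p) * r_down
    return {"pay": (inc.ransom, pay_down, (1 - p) * r_rework),
            "restore": (0.0, r_down, r_rework)}


def split(inc, pol):
    """Total expected cost per option and how much of it the insurer absorbs.
    Rework of lost data is assumed uninsured; caps apply to ransom and interruption."""
    out = {}
    for opt, (ransom, down, rework) in expected_costs(inc).items():
        total = ransom + down + rework + inc.exposure_cost
        covered = (min(ransom, pol.ransom_limit) + min(down, pol.interruption_limit)
                   + (inc.exposure_cost if pol.covers_exposure else 0.0))
        out[opt] = {"total": total, "insured": covered, "retained": total - covered}
    return out


def cheaper_option(inc, pol, for_insurer=True):
    """The insurer minimises its own payout; the company minimises total cost."""
    key = "insured" if for_insurer else "total"
    s = split(inc, pol)
    return min(s, key=lambda o: s[o][key])
```

With a long restore and a large backup gap, the interruption cap can make refusing to pay cheaper for the insurer even while paying is cheaper in total, which is why the policy wording drives the decision.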

As much as we hate to see bad actors win, paying the ransom might be the cheapest and quickest way back to normal operations. To reduce risk, it’s important for companies that operate on the scale of Norsk Hydro to invest in cyber security and risk assessment measures in the first place. Gaining a clearer understanding, in real time, of what hackers already know about your organization is a start. Viewing your potential cyber risk posture from a hacker’s perspective can be an eye-opening experience – and it’s a point of view that many cyber insurance companies take when analyzing their clients.

Cyber insurance firms not only measure the cyber hygiene of their clients, but also any risks associated with their third-party vendors and partners. They’ll often perform a post-attack analysis of the targeted company’s cyber risk posture to see what vulnerabilities could have contributed to the attack and make recommendations on what needs to be improved.

The best way to be prepared for a ransomware scenario is to understand what the financial impact would be in the event of an attack on your organization.
