Ransomware and cyber insurance: What are the risks?
High-profile ransomware events, such as the Colonial Pipeline and Kaseya attacks, continue to create eye-popping headlines about how easily a cybercriminal group can cripple key infrastructure, hospitals, and schools. And with ransomware attacks growing by more than 150% in 2020, there are no signs that things will improve in 2021.
For these and other reasons, organizations are increasingly opting for cyber insurance coverage and paying higher premiums year after year. According to the U.S. Government Accountability Office, the number of companies opting for cybersecurity coverage grew from 26% in 2016 to 47% in 2020, and most saw breach insurance premiums increase by up to 30%.
Given the clear financial stakes, it is time security leaders understand the risks before adding cyber insurance to their strategy for ransomware prevention and recovery.
Successful breaches breed more attacks
Ransomware typically enters a company via a phishing attack or a compromise of a vulnerable system deployed on a network’s perimeter. From there, the infection proliferates via exploits or open shares, encrypting important data as it jumps from machine to machine, after which cyber criminals withhold the encryption key and threaten to publish sensitive data unless a ransom is paid.
The attackers, many of whom are part of sophisticated and organized groups, often provide a step-by-step guide for the targeted company to transfer ransoms in cryptocurrency, sometimes in the hundreds of thousands or millions of dollars. Sadly, when faced with costly downtime and/or the downstream effects of having sensitive data made public, many companies end up complying with the attackers’ demands. Paying the ransom, in turn, incentivizes more attacks, perpetuating the cycle of crime.
It’s important to note that cybersecurity insurance is also incentivizing attacks rather than serving as protection for the rarest of breaches. While U.S. law enforcement has typically urged companies not to pay the ransom, it has yet to decide to ban such payments altogether (though the US Department of the Treasury’s Office of Foreign Assets Control regulations prohibit U.S. companies from paying up if they suspect the attackers of being under its cyber-related sanctions program).
Bring in the experts—with caution
Most organizations are not equipped to handle a ransomware attack appropriately without expert help, so they should call reputable, experienced security consultants immediately for their extensive experience with ransomware remediation. These experts can often find flaws in the ransomware itself or recover the keys to decrypt data without having to pay the ransom.
This requires specific knowledge and experience from experts who specialize in malware reverse engineering and breach analysis. These experts, both internal and external, should be identified in the company policy, along with the steps that team will take once a breach is identified.
In addition to calling in cybersecurity experts, organizations with cyber insurance policies must hold those providers to a very high standard. To understand their clients’ risk profile, cyber insurance providers require them to fill out very detailed third-party risk management documents that catalog all their security controls and how often these controls are tested.
In turn, client organizations need to do a similar level of vetting of the provider. This is because risk management documents, if not locked down properly, serve as a treasure map on how to find vulnerabilities and weaknesses within an organization’s security controls. These third-party risk management documents should be treated as extremely sensitive intellectual property, and organizations need to keep in mind that their potential insurer can be another threat vector.
Hackers and ransomware groups have been known to target cyber insurance companies to obtain insured client documentation and then target those organizations because there is a higher likelihood they will pay the ransom.
Take, for instance, French Insurer AXA, which made news when they pledged to stop reimbursing customers in France who decided to pay ransom after they had been hit by ransomware attacks. The decision was made after AXA was pressured from French regulators, who were concerned that the insurance payouts were incentivizing higher ransom payments for the criminals involved, creating a vicious cycle. A few days later, ransomware group Avaddon announced it had attacked a part of AXA Group in Asia. While it is unclear if AXA was targeted because it pledged to stop reimbursing customers, most experts think that AXA’s move will set a precedent.
Hold cyber insurance companies accountable
Organizations should ask cyber insurance companies the exact same third-party risk management questions they are asked to make sure that the insurer and any sensitive information about their network is secure. Insurance providers should answer detailed questions on their own cybersecurity posture as well as how client data is protected. Additionally, cyber insurers should provide clear documentation for breach notifications and explain in detail how they can adequately detect a sophisticated breach.
Before choosing a policy, organizations should ask the provider if they are knowledgeable about their specific industry and the threats to the business, how they stay current to meet ever-evolving threats, how exactly they secure internal risk assessment documents, and how quickly they respond to threats. Detailed answers to these questions will help companies decide on the best policy as well as accurately set internal expectations.
Prevention and mitigation
Fortunately, there are many practical things a company can implement to avoid or mitigate a ransomware attack in the first place:
1. Train all employees on how to identify and report phishing and weaknesses in security controls.
2. Implement real-time visibility for every connected device in the organization to understand risks and be alerted if an unknown device or attacker is on the network.
3. Establish and continually update the baselines of normal behavior of devices, including their communications flow.
4. Automate policies on existing security and networking infrastructure to quickly address an infected device or a device communicating to a ransomware C2 server via quarantine, port shutdown, or session termination policies.
5. Deploy secured backup tools that can prevent or soften the harm of an attack.
The most important thing an organization can do to prevent ransomware attacks is to take proactive risk mitigation actions. When a potentially multi-million-dollar ransom is on the line—not to mention a company’s reputation—it is crucial that the most experienced security experts are working on the problem as quickly as possible and following a comprehensive recovery plan and backup strategy.