The business pages have been full in recent months with tales of cyber extortion and ransomware. In an effort to try to explain these developments, some commentators have suggested that the availability of ransomware coverage under cyber insurance is a cause of the problem. In the following guest post, Paul Ferrillo takes on the question of the role of cyber insurance availability in the proliferation of ransomware incidents. Paul is a partner in the securities litigation group at the Seyfarth Shaw law firm. I would like to thank Paul for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
There, I said it and I will say it again: “cybersecurity insurance did NOT cause the ransomware plague.” For nearly a year, the mantra has been, “if those darn carriers did not pay the ransom, we wouldn’t be in this mess.” See e.g., What is cyber insurance? Everything you need to know about what it covers and how it works | ZDNet (“The insurance company looks at what the potential incident response and forensic bill might be and that’s going to be bigger in many cases as organizations aren’t prepared, so they’d actually rather pay. It’s very frustrating,”).
The argument that the carriers are responsible is incorrectly framed. Following this line, the argument posits that it is the carriers who are responsible for the cybersecurity risk posture of the insured. They are not. The insureds are responsible for planning their own defense and getting it in place. Indeed, the European subsidiary of one global insurer recently decided to stop reimbursing insureds for ransomware payments, see Cyber Insurance Firms Start Tapping Out as Ransomware Continues to Rise, available at Dark Reading | Security | Protect The Business).
Others have a role to play too: governments, advisors, and yes, even the government. Indeed, cybersecurity is probably the most important team sport of our generation. It is something the vitality and national security of our country depends on, therefore pinning responsibility on one group is both inaccurate and disingenuous. We are all in together.
To get a better understanding of what the “responsibility borders” of cybersecurity insurance carriers are, let us look at their lanes in closer depth, along with the other participants in the cyber ecosystem.
What does standalone cybersecurity insurance cover?
Standalone cybersecurity insurance is a broad form policy that generally covers cyber breaches and attacks, including ransomware attacks, along with privacy and cybersecurity litigation and investigations. It has two components, first party coverage (to “investigate,” “remediate,” and “clean up the breach” and get you up and running), and third party coverage for the investigations and litigations that unfortunately go along with a large cybersecurity breach. Costs could involve both legal costs, and forensic consulting costs for a provider brought in to deal with a breach. There is business interruption coverage for network downtime. There is reimbursement coverage if you suffer a ransomware attack and need to pay the ransom to get “out of jail.” These coverage parts all work together, and often one big breach can invoke multiple coverage parts. Most cybersecurity insurance provides reputational and crisis management coverage that can help large and mid-sized businesses to deal with the fallout from cyber-attacks from customers, clients and investors, especially if it is ransomware related. The Basics and Essentials of Purchasing Cybersecurity Insurance | The D&O Diary (dandodiary.com)
When it comes to coverage for ransomware attacks, here is how one expert publication described the coverage for ransomware:
Coverage for losses associated with ransomware is available within cyber and privacy insurance policies under an insuring agreement most often termed “cyber-extortion coverage.” The items it covers include (1) monies to pay ransom demands, (2) the cost of hiring experts to negotiate with hackers, and (3) the cost of computer forensics experts who can determine how hackers gained access to the insured’s computer system and then make recommendations on how to prevent future incursions. Ransomware | Insurance Glossary Definition | IRMI.com (emphasis supplied).
Point 1 is where the rubber meets the road. “Monies to pay the ransom demands…” can mean a whole lot of things to a whole lot of people. To many carriers, this phrase means “reimbursing” the insured for monies paid to attackers in exchange for the decryption keys. That is generally what standalone cybersecurity insurance provides for. And that is how and when and why the losses related to ransomware are paid.
Reasonable people can now disagree on what is going on now, namely that the insured might never have paid the ransom had it not had reimbursement coverage for such payment. But there are several counter arguments to this point:
- the cybersecurity insurance coverage was underwritten and bargained for this way by the insured and the cybersecurity insurance carrier;
- the insured had to pay the ransom to keep its business alive given that its back up media was destroyed in the ransomware attack (an increasingly growing problem given new variants of ransomware search for and destroy back up media left on the network and even more of a problem for the small to medium size businesses that are often ill-prepared for a very large ransom request), and
- stating the obvious: it’s the cybercriminals causing the problem, not the insureds or the cybersecurity insurance carriers. See It’s Not Just a Pipeline. Ransomware Attacks are Proliferating Across the Country. – Mother Jones; Are Cybercriminals Evil or Greedy? – Security Boulevard
Stopping Ransomware is a Shared Responsibility
Although cyber criminality is the driver of the ransomware problem, it is not the sole reason for the increase in attacks or any perceived increase in the number of successful attacks. As noted above, it is surmised that many of the cyber criminals that have participated in the recent wide-ranging ransomware activities in the United States could not have operated without the principal or tacit endorsement of certain nation-state governments like Russia or China. Neither insureds nor cybersecurity insurers can do much about the root cause of this type of nation-state hostility towards the United States, which is why there is an imperative for our government, of all levels, to support industry and the public.
It is therefore important that both insurers and insureds do not contribute to these factors they cannot control. One way to do that is by prompt and effective action by potential targets in setting up defenses. Insureds can quickly develop an aggressive and forward-thinking cybersecurity posture by educating their board members to fund the solutions necessary to end ransomware attacks as we know them (more about that below). Similarly, sticking to the basics, such as backing up networks on a daily or weekly basis can also help put them in a better position to respond to a ransomware disaster.
Additionally, cybersecurity insurance carriers can more thoroughly underwrite cybersecurity insurance to better understand the precautions that insureds taking to fend off ransomware attacks and back up their networks. If cyber insurance customers are taking these steps, chances are they will be able to get cybersecurity insurance coverage with full cyber-extortion coverage, as noted above. If the insured are found to not be diligent in their defensive posture, maybe they won’t be able to get their cybersecurity insurance coverage at a reasonable premium, or at all for that matter.
What to do about the ransomware plague?
We would not be doing our job without leaving you with some actionable advice about how to stop ransomware attacks from ruining your day, week, or even month sometimes depending upon the pervasiveness of the attack. This is a not an exhaustive list and some things on it you probably have already employed in some manner. But nevertheless they are worth repeating. Furthermore, many of these protective measures do not cost that much. Most of them should leave you in a better place the next time on of your employees decides to “click on the link or attachment”:
- Do quarterly phishing and spearphishing to test your employees on proper and safe email procedure. It’s muscle memory training. Don’t click on any link or attachment where you don’t know either the subject matter or the sender.
- Change passwords quarterly. And don’t use the same password on multiple sites. Once stolen, you don’t get a do-over. They can be used unknowingly to attack your network. Password spraying is a tactic that attackers use. At least make the effort of making their life somewhat difficult.
- Always use multi-factor or two-factor authentication.
- Always back up your network in a segmented, off-line way so that a ransomware attack cannot, under any circumstances, reach your back up media. One idea: Back up your network weekly onto a separate server. Then unplug the server from the network and the internet and store it under your desk until next week. That way you ALWAYS are prepared and can get back on line hopefully within a day or two after the ransomware attack occurs. If one week sounds like too much or too little, understand your business needs and figure out the sweet spot for you.
- Again, since many successful ransomware attack start and end with a phishing attack, consider employing an endpoint detection and response solution to monitor your employee work stations or laptops.
The best ransomware solution is to NOT HAVE AN ATTACK in the first instance. Cybersecurity insurance can help provide solutions and resources when it comes to paying to alleviate a ransomware attack, but that should only be used as the final resort save your business from disaster. Use our actionable list of items to ward off an attack in the first place. You won’t regret missing the harm, pain and suffering (including a potential business failure) that a successful ransomware attack could cause.
Editor’s Note: Paul Ferrillo will be one of the panel moderator at the June 23, 2021 webinar entitled “Big Game Hunting and Big Stakes Results — What Directors, Officers and IT really need to know about Cybersecurity Insurance,” which is co-sponsored by the Seyfarth law firm and NY Metro InfraGard. The webinar speakers will include FBI Supervisory Special Agent Brad Carpenter, as well as Tracie Grella of AIG, and Rob Yellen and Perry Tsao of Willis Towers Watson. The hour-long webinar will begin at 1 pm EDT. For further information, including registration instructions, please refer here.