Ransomware attacks leave businesses and insurers exposed
News, PropertyCasualty360° – May 2017
WannaCry has insurers evaluating damage and exposures. What lines of business will be responsible for coverage? Simon Oddy and Bernard Regan discuss these issues with PropertyCasualty360°.
As appeared in PropertyCasualty360°, May 17, 2017.
By: Patricia L. Harman
Cybersecurity experts have predicted an increase in ransomware attacks since last year, and the recent WannaCry incident confirms what they and many insurers have feared — that a large-scale attack could involve entities on a global scale.
With an estimated 300,000 computers impacted in 150 countries, the attacks affected multiple business sectors, hospitals and universities. “This type of attack is like letting a virus into the wild,” explained Christina Terplan, a San Francisco-based partner with the international law firm Clyde & Co. “The attack is indiscriminate and doesn’t affect just one company or sector; different sectors and geographies are vulnerable.”
Business interruption can be significant
“Watching this story continue to unravel has truly highlighted the need for cyber insurance,” added Bill Kelly, senior vice president, E&O underwriting of Argo Group. “Any company can experience a vulnerability no matter how prepared they think they are. While ransomware can result in a company paying small, very random amounts, business interruption can be much more significant and can potentially cost millions.”
Kevin Kalinach, global practice leader for network risk and cyber insurance for Aon Insurance, concurs. At the recent RIMS conference in Philadelphia he said, “We need to break down the silos of insurance and not think of them just in terms of cyber. Coverage needs to cross over into other areas like business interruption.”
Ransomware has been around since the late 1980s, when biologist Joseph Popp distributed 20,000 floppy disks infected with malware at an AIDS conference along with information which warned recipients that the software on the disk could “adversely affect other program applications.”
“From that event, there have been a number of guises of malware,” explained London-based Bernard Regan, head of forensic technology and global director of IT for RGL Forensics, a global forensic accounting firm.
Regan says that malware is more easily available today on the Dark Web, which is why its use has grown in popularity. As for WannaCry, Regan explained that it was created by the NSA and that the Shadow Brokers managed to access the virus and then release it on the web.
“Traditionally, malware has targeted businesses and industry,” added Regan, “but WannaCry is indiscriminate and attacks everyone.”
Part of the reason for ransomware’s growth has been the monetary value it brings to a cyber attack. While previous attacks focused on disrupting businesses, ransomware has the added benefit of garnering money for some extortionists.
“A lower ransom will be paid,” explained Regan, “a higher one will not be. Many hackers want access to machines to show off to their friends — if they get a reward too, great.”
In light of these attacks, insurers are estimating their exposure, how many policies are affected and what lines of business will be responsible for coverage. Simon Oddy, a partner with RGL Forensics in New York City, says that cyber policies, kidnap and ransom (K&R) policies, as well as business interruption and other areas of coverage may come into play for these attacks.
“When people think about a cyber breach or service interruption, the cyber policy is clearly triggered,” explained Oddy. “With ransomware that attacks the system, it’s different. The data isn’t necessarily breached or compromised, it’s still there.”
Whether or not a cyber policy covers a ransomware attack depends on the specific policy that has been purchased. Ransom coverage can be determined by a triggering event covered by the policy.
'Aggregated attack is terrifying'
For insurers, one of the issues keeping them up at night involves an attack where multiple lines are affected in one significant incident. “Insurers are trying to get comfortable with aggregation,” said Oddy, “but the worry is that a widespread event like this could hit them on multiple levels, so they are placing business cautiously. Any one individual breach is okay, but an aggregated attack is terrifying.”
Consider the number of companies who have moved their business networks and operations to the cloud. “From the insureds’ point of view, everyone is pushing them to the cloud. Insureds don’t understand the risk they are taking on with the cloud,” said Regan. “From the insurer’s point of view, if your data and backups are all in the cloud and you’re attacked, you really have nothing.” He recommends a combination of backup methods like tapes stored offsite to protect information.
“On a global scale, insurers will be evaluating companies on a per risk basis and an aggregate basis,” added Kelly. “In addition to looking at aggregation by industry or size of company, insurers may look at aggregation issues by the software being used by companies or by a company’s patching cadence. Hypothetically, insurers could offer less capacity for companies that have bad patching or updating procedures, which may result in a limit of coverage, globally. This instance should be a wake-up call for companies to re-evaluate their patching cadence and technology best practices within their organizations, including employee training awareness efforts.”
Managing the risk
Cyber exposures and coverage are constantly evolving. Some companies are using models to help predict where and what exposures could arise from an event. “You can do the models,” said Oddy, “but the event can be unlike anything you’ve anticipated.”
Kalinach said that companies are becoming more aware of their exposures and business interruption is becoming a much greater loss for them with a cyber event. “Cyber explosions are dynamic and fluid. They’re not worse, they’re just changing,” he said. “Cyber changes just like any other business.”
“For the insurance industry, this type of incident will likely result in claims activity and loss payments; however, not on a large scale,” said Kelly. “If anything, this incident has reminded insurers to incorporate the findings of the past five days into their underwriting practices. While cyber incidents are not ideal for businesses, the evolving nature of cyber exposures will continue to help guide insurance underwriting procedures and refine the coverages being offered in ‘cyber’ policies.”
Quantification modeling recommended
While all companies can improve how they manage their risk, Kalinach advises that companies can “do quantification modeling to see where your 80 percent bell curve is and to buy for that; then buy additional coverage to cover your exposures.”
A recent study published by the Ponemon Institute and Aon looked at cyber risk transfer and the insurance protections for tangible versus intangible assets. “This was the first time that valuation came out in a study,” said Kalinach, “and entities are realizing that our intangible assets are worth more than our tangible assets.”
One of the challenges of valuing risks involves the interconnectivity of companies and their networks. “How do you value that?” asked Kalinach. “The average time to find someone in your system is 200-300 days. It’s another 70 days before you stop them after you discover them in your system. Notifications happen in 72 hours for federal requirements (i.e., banks and healthcare entities), but that still doesn’t mean the intruders are out of your system.”
To pay or not to pay
If a company decides to pay the ransom, that still doesn’t mean everything will be back to normal. Terplan says a company can choose to purchase the decryption key, but should take additional steps. “You need an outside provider to test the decryption key to make sure it isn’t malware itself. They can test data sets to make sure it works. After the key has been checked, the company can run it in their environment.”
Terplan said it's important to remember that data restoration is a process. “You may still be fixing data even after you’ve decrypted everything. The business may not be operating at capacity and there may be extra expenses to the restoration of the data.”
“The ransom is typically handled by lawyers,” explained Regan, “because you don’t know what will happen when you pay. People have paid and not gotten a key, and some have. Would you trust a system that has been compromised? You will have to restore your system and evaluate it. The biggest con is you don’t know what was done and what was taken.”
After the breach
If a company suffers a breach or ransomware attack, it's important to have a robust incident response plan. Oddy and Regan say the immediate questions to be answered include:
- Can the business continue operating in the short term without the files or systems?
- How will customers respond knowing that a supplier has been impacted — are there any reputational issues?
- What data and files have been encrypted?
- Are the back-ups available, have they been impacted and how long will it take to re-install?
- If the files and systems can’t be accessed, what impact will this have on business?
- Will the sales be lost, or can they be caught up?
- Decryption key malware — will it create a more severe problem and even a blatant data loss?
- What are the triggers for data restoration cover?
- What are the cost issues related to first responders?
Oddy said for large breaches it can be nine to 12 months before an insured delivers their view of the loss to their carrier. Involving the forensic accountant earlier in the process can help mitigate some surprises later and gives the insurer better control of the claim and its expenses.
“We are fact finding and trying to understand the incident itself,” explained Regan. “We want to know why the client spent XYZ and make sure it isn’t too braggadocious. We’re trying to recreate the crime scene. The longer we aren’t there, the harder it is.” He says there is some information that needs to be gathered immediately before it is lost, such as system logs for the day of the event.
Best way to mitigate damage
Not all risks can be managed, however. “There will always be a vulnerability that can’t be controlled and from an insurance standpoint, this is validation for the industry,” added Kelly. “In addition to having companies properly train their employees and ensure that they are up to speed on the importance of updating software patches in a consistent routine and have backup plans in place, it pays to have cyber insurance.”
Kelly concluded, “Cybersecurity breaches are a reality every business must think about and having a whole team dedicated to helping you when something like this happens — from breach coaches and responders to forensic investigators — it's the best way to mitigate damages. We're continuing to learn from attacks like these by researching and working with industry experts to better understand the best ways to mitigate losses for our clients.”