What Are You Doing About Ransomware?

Hilary Tuttle


October 1, 2021

The text

In a recent survey of IT and cybersecurity leaders worldwide, email security firm Mimecast found that ransomware impacted 61% of organizations in 2020—20% more than in 2019. These attacks are also taking historic tolls. Earlier this year, insurer CNA reportedly paid a record $40 million ransom, and everyday victims are facing higher ransom demands and total incident costs. This year’s Cost of a Data Breach Report from IBM found ransomware and destructive attacks were more expensive than any other form of breach, driven by “escalation, notification, lost business and response costs,” and that was before including any ransom that may have also been paid.

In the face of rampant ransomware attacks, risk professionals are under increased scrutiny from all sides: C-suites, boards, regulators and underwriters. Answering their questions effectively can not only help your organization navigate an attack, but may also offer a critical demonstration of risk management’s value in the face of one today’s top business threats today.

What the Board Needs to Know

“I think ransomware is on everyone’s radar now and is likely identified as a key enterprise risk for most companies,” said Kristen Peed, director of corporate risk management at CBIZ and a member of the RIMS board of directors. “Since there have been so many news stories on this over the last 12 months, it is top of mind for leadership and boards everywhere.”

At a high level, your board and your C-suite want to know: “What are our exposures?” The particulars will depend on your organization, but the overview you give should include: reputation damage, business interruption, potential impact to stakeholders ranging from consumers to business partners, regulatory risk, and resulting directors and officers liability exposure.

Cyberrisks are also hitting much closer to home for boards and members of the C-suite, as regulators, customers and shareholders increasingly hold corporate leaders personally accountable for cybersecurity failures. Peter Halprin, a partner at Pasich LLP who frequently represents cyber insurance policyholders, noted the case of title insurance company First American, which was the subject of enforcement action from both the New York State Department of Financial Services and the Securities and Exchange Commission as a result of the company’s failure to act on known vulnerabilities that eventually led to a cyber incident. Of particular note for executives and board members, shareholders followed the regulatory action and filed a derivative suit against the company and its directors and officers, alleging they personally breached their fiduciary duties by failing to implement reasonable mitigations to prevent a cyberrisk incident.

Halprin noted that increasing regulatory enforcement and shareholder derivative suits should be wake-up calls for executives. “You have to tell them that we cannot take the ostrich approach,” he said. “In a couple of enforcement actions that we’ve seen from DFS and the SEC, they’ve specifically said, ‘These were known vulnerabilities and you ignored them, and therefore we are going to go after you.’ That’s where you see the biggest problems.”

While this means increased scrutiny for risk management, it may also help get buy-in from leadership for cyberrisk education and mitigation. “I think there is enhanced appreciation at the board level for the financial consequences of a cyber incident and that is helping to kind of right the ship organizationally so that businesses are making cybersecurity a priority,” Halprin said. “Because of this increased focus at the board level, you’re seeing that permeate throughout an organization and people are really looking to build a culture of cybersecurity and resiliency for when these attacks do happen.”

“Strong executive and board level oversight of and support for the cyberrisk management program is a critical part of event preparedness,” said Kieran Norton, Deloitte Risk & Financial Advisory’s infrastructure security solution leader and principal at Deloitte & Touche. “Leaders at the highest levels need to understand the crucial role they play in prevention—by providing oversight, governance and tone from the top—as well as direct support for attack response.”

Now, boards and C-suites are turning to risk professionals to serve as key resources in governance and risk management and relying on the cyber insurance programs they have put in place to mitigate the business impact of ransomware attacks. With cyberrisk management in the spotlight, the following are some of the key questions risk professionals are hearing and the information you need to satisfy stakeholders:

“Do we have cyber insurance?”

“One of the tools in your toolbox is cyber insurance, and boards and C-suites very much want to know what role cyber insurance will play if this or that happens,” Halprin said.

The answers are increasingly complicated. Ransomware continues to be a significant contributor to the hardening cyber market, with headline-making cases from 2020 and 2021 prompting sharp measures from insurers to rein in skyrocketing losses by both decreasing coverage and increasing scrutiny on any risk they may write. Coming out of July renewals, Karrieann Couture, senior vice president and E&O/cyber claims leader at Aon Cyber Solutions, said rates were up “30% to 50%, and even more so in specific business classes or certain client sizes, depending on the insurer’s experience.”

“Like most other risk managers, we had a challenging cyber renewal this year,” Peed said. “Carriers are looking for a lot more information in order to underwrite a risk and they are pulling back on capacity and coverages while increasing prices and exclusions. In the past, you might be able to build a tower of coverage with just a few carriers, but with the reduction in limits that carriers are willing to put up, you have to approach a lot more markets in order to find the capacity to fill the tower.”

Risk professionals seeking coverage need to be prepared. “Underwriters are showing increased scrutiny when it comes to evaluating ransomware exposure, with many requiring supplemental questionnaires specific to ransomware security concerns,” Couture said. “Some insurers will not offer ransomware coverage if there are negative responses and will want security measures in place before binding.”

Peed noted, “There were a lot more technical questions posed that the typical risk manager may not know the answers to, so we relied on our director of information security and others to help us navigate the questions and make sure that we were presenting the best information possible.” In the renewal process, Peed found two provisions of particular interest to underwriters. “Multi-factor authentication is key right now to getting coverage,” she said. “Most carriers are now requiring this in order to provide the best coverage, and if a company does not have this in place currently, they should be working on a plan with their IT department on how it will be deployed.”

Staff training also drew underwriters’ attention. “Training of associates is really important now as they are typically our first line of defense against ransomware attacks,” she explained. “Most companies have automated solutions that filter out many attacks, but there are always new ones and we need to ensure that our associates can identify these threats and not inadvertently open the door to the attacks.”

According to Couture, underwriters’ inquiries about specific ransomware mitigations and cyber hygiene can also include: the average number of days your organization takes to apply security patches; details on if/how your network is segmented; a formal program for managing vendor access to data; information on full and incremental, encrypted and off-site backups; tested ability to restore from those backups; and details of the content and frequency of employee training and phishing tests.

Peed advised other risk professionals to start planning early and to engage—or brace—other stakeholders for the challenges that may come with obtaining or renewing a cyber policy this year. “It is never too early to start the process and you should be speaking with your broker and carriers now about the expectations for your renewal,” she said. “That way, you can prep your own leadership team and the IT department on any changes that may need to be implemented prior to the renewal.”

Demonstrating progress is also valuable not only to internal stakeholders, but potentially to insurers as well. “Even if all the changes can’t be executed prior to the renewal date, a robust project plan that shows key dates of completion can help with the renewal process as well as pricing, terms and conditions,” Peed said.

“How will cyber insurance help if we get attacked?”

According to Halprin, there are three things to focus on when communicating upward about the value of your cyber insurance program. “One is that there are breach response tools that are available, and that should be integrated into our incident response plan,” he said. “There are vendors, for example, that are on panels that are pre-approved by the insurers who we can bring in and know that those costs will be covered in the immediate aftermath.”

Second, risk managers must understand the nuances of their cyber insurance policies and integrate considerations like notification timeframes and selected vendors directly into the incident response plan. “I sometimes have clients say, ‘We didn’t really know what to do, it took us a couple of days to dust off these policies, so in the meantime we brought in all these consultants and incurred, say, $1 million in legal and forensic costs,” Halprin said. “But the policies require pre-approval and you have to use their panel. That is something I think boards need to understand—that the integration is really important.”

Third, your board and C-suite can take some comfort in the expertise the organization can call on by virtue of having cyber insurance. “These cyber insurers are seeing thousands of claims—maybe hundreds of thousands—so they have professionals who have also seen that many claims,” he said. “Tell your board, ‘They know the players, they know what to do, we can rest assured knowing that there’s a team of experienced people that we can bring to bear and that we’re not scrambling to find resources in a very difficult time.’”

“What would we do if we are hit next?”

It is essential to have a detailed incident response plan in place, and to include the resources and contact information for internal stakeholders and external vendors so that you can call on the right people right away.

“Collect the resources available through the cyber insurance carrier and trusted panel incident response partners to be ready to respond to any incident with the correct resources,” advised Thomas Brittain, associate managing director with Kroll’s cyber risk practice. “The landscape may be ever-changing, but the steps for a successful response are well-known to these professionals. There is no need to reinvent the wheel.”

Much of the immediate response in the event of a ransomware attack will fall to either internal or external technical resources, such as your IT team, any in-house information security staff or an incident response vendor. Risk professionals have a key role to play on the company’s internal crisis response team, however, particularly at the beginning of the response process.

Frank Quinn, risk manager and interim head of Beazley Breach Response Services in the Unites States, shared some factors that determine which risk managers will be successful contributors to ransomware response. According to Quinn, “Successful risk management professionals are ones that have hard copies of insurance documentation; contact information; business continuity planning, incident response planning and communication protocols; involve the required internal stakeholders at the appropriate times; facilitate communications and cooperation between operations/management and IT; have established relationships with the internal and external stakeholders in advance of an incident; and have set expectations in advance for how a ransomware attack can impact an organization so that everyone understands this is an operational risk, not just an IT risk.”

At a broad level, it helps to know what your crisis team will do in the first 48 hours. Quinn outlined the core components of incident response immediately after you become aware of a ransomware attack:

  • When an incident happens, the first step is to ensure it is escalated to an incident response team for evaluation as soon as possible. Typically, if there is evidence of a network intrusion, that is something that you need to take very seriously very quickly. Cyber criminals may already have been in your organization’s system for some time, and you need to take immediate steps to understand where they are, what they have done, and how to get them out. As part of this process, be sure to notify your carrier—bringing in the experts as soon as you can is extremely important.
  • Simultaneously, take immediate steps to contain the damage. Kill all remote sessions and reset passwords. Disconnect your virtual private network (VPN), disconnect primary servers from the network, and configure secure remote access. For organizations where backups are not fully offline, this may be the last chance to take them offline to prevent them from being encrypted or corrupted.
  • Be careful to preserve evidence at this stage. Retain network and server logs, traffic flow, and any cloud logging. Make a copy of the malware and export so it does not get overwritten.
  • Finally, take the time to understand and respond to your organization’s business continuity needs. Identify mission-critical systems and know where your data exists.

In addition, Quinn noted risk professionals have a unique role to play in the organization’s ransomware response process. “The risk manager often serves as the voice of reason when the IT team might want to immediately wipe and rebuild,” he said. “This is quite understandable—in the aftermath of an attack, the organization’s focus is getting back in business as soon as they can. But you want to make sure you are doing that smartly, that the attackers are completely out of your system and that you’ve preserved the evidence you need for an investigation. Premature restoration can lead to re-encryption or corruption of your backups, and can inadvertently eliminate forensic evidence that could be needed later.”

“Would we pay a ransom?”

Before an attack hits, you should involve stakeholders from IT to the C-suite to weigh remediation capabilities and potential disruption and decide if and under what circumstances you would pay a ransom. Cyber insurers may cover a payment as well as fees for a negotiator, and breach counsel or your insurer can assist in retaining a vendor to handle payment. According to Couture, “These vendors typically require you to pay them the ransom, then they will pay the threat actors.” While you will need to make that initial payment, the knowledge that this may be recouped is a key selling point for many companies that obtain a cyber insurance. Many companies do successfully file claims and recoup costs—however, it is important to note that is not always certain.

Last October, the U.S. Department of Treasury’s Office of Foreign Asset Compliance (OFAC) warned companies that paying or facilitating ransomware payments to foreign Specially Designated Nationals and Blocked Persons could constitute potential sanctions violations. Whether it is to mitigate their compliance risks or to stem a source of some multimillion-dollar losses, insurers are heeding the warning. There are many instances in which insurers have not paid due to OFAC concerns, and according to Couture, this could occur “when there is minimal circumstantial evidence,” even if initial due diligence indicates otherwise at the time payment is made and information only comes to light later. Given the complexity of that due diligence and the timeframes involved in a ransom decision, this is a significant risk if you decide to pay.

Insurers will also assess whether paying a ransom was truly “reasonable and necessary,” underscoring the importance of strengthening your mitigation measures, and thoroughly documenting response efforts and the business impact of the attack. “Factors insurers may consider in their evaluation include: length of time of negotiations; evidence of exfiltrated data and type of data; viability of backups; estimated time to restore backups; interruption of business and potential costs associated with that interruption; as well as other relevant factors that impacted the decision to pay the amount paid,” Couture said.

“What can we do right now?”

To some extent, ransomware is becoming an increasingly inevitable threat for organizations. However, there are specific actions companies can take to lower the risk of falling victim, reduce the damage in the event of an attack, and set the organization up for a smoother response and recovery process.

Halprin noted that cyber insurers are paying out on policies, but the frequent issue of contention is quantification of costs. “We’re fighting less about whether or not something is covered and more about how much coverage there is,” he said. Much of this revolves around calculating the value of business interruption, so it is critical to provide the most up-to-date and detailed accounting possible to successfully tell the story of an attack’s impact and recoup losses.

You can get started on this in advance. Particularly given the pandemic, make sure you have updated data that reflects the current state of your business and offers detailed loss impact estimates for different interruption scenarios. This can be helpful in answering board or C-suite questions about the potential impact of a future attack, and can help ensure you maximize recovery under insurance policies if ransomware interrupts business.

You should also ensure you have an updated, detailed and tested crisis response plan to serve as a framework to guide you through response. Given the current threat landscape, make sure you and any other crisis response team members have specifically considered ransomware scenarios and incorporated them into this framework and in any exercises to practice your response. This is a major weakness for many companies—while 64.8% of executives in a recent Deloitte poll said ransomware is a cyber threat posing major concern to their organizations over the next 12 months, only 33.3% say that their organizations have simulated ransomware attacks to specifically prepare.

Tabletop exercises are essential to practice and refine these plans, and Brittain recommended involving different levels of the organization, from IT to the C-suite. “Securing attention from senior executives to execute a well-orchestrated simulation or tabletop exercise can be difficult, but it’s tremendously important to hone that process ahead of time,” he said. “Organizations that bring all stakeholders to such simulations can respond much faster and efficiently, limiting the exposure.”

He added, “On the technical side, consider running technical breach attack simulations to get in-house security staff exposed to what a real attack would look like. Such frontline experience is hard to acquire and may surprise even experienced security staff.”

Incident response plan testing should also include actually restoring from backups, Quinn said. This extra step is essential to be confident that your data is fully accessible in the event of a breach and systems function as expected. Insurance carriers may have workshops or other services that can help guide you through the testing process.

Quinn also emphasized five areas to focus on, in conjunction with IT, to boost ransomware readiness in the near-term: backups, patching, authentication, securing remote access and training users. As he explained: 

  1. Backups are one of the most important things to help organizations recover from ransomware attacks. Implement a 3-2-1 backup strategy, keeping three copies of your data in two locations, one of which is offsite, and make sure they are separately credentialed. Test your recovery process as well—you need to know you will be able to actually use the data if recovery is necessary. A backup of the latest state of your active directory is essential to help you rebuild and restore.
  2. Ensure you have a robust patch management program, especially to address critical vulnerabilities, including those for non-Windows resources, such as remote access hardware.
  3. Multi-factor authentication (MFA) is a must today. Take advantage of security tools built into your platform for authentication, as well as for increased logging and monitoring, and configuration of cloud resources.
  4. Use MFA in combination with a VPN solution to provide secure, encrypted access to internal systems from remote external locations. Do not expose remote desktop protocol directly to the internet.
  5. Finally, you cannot overlook training users. Particularly with so many organizations still working remotely, every member of your team plays an essential role in keeping your organization secure.

Hilary Tuttle is managing editor of Risk Management.