Our businesses are constantly under attack — but not from physical intruders. The attacks are coming from more insidious intruders like data breaches, social engineering and, most costly of them all, ransomware. It is estimated that by 2021, a new organization will fall victim to ransomware every 11 seconds. It’s not a matter of “if” anymore, it’s a matter of “when.”
The average cost of a data breach in the U.S. is $6 million. And 60% of small companies cannot recover from such an attack, according to the National Cybersecurity Alliance. Even worse, in 2019 it took companies an average of 206 days to identify a breach.
With increasing cyber attacks, companies must prepare for the worst. One thing that companies can do to preserve their assets and plan ahead is to purchase cyber insurance.
The Basics: What Is Cyber Insurance?
A cyber insurance policy can help protect businesses from the costs incurred as a result of a cyber attack or breach. Policies are broken into two types of coverage: “first-party” coverage addresses losses and liability to the business itself, while “third-party” coverage addresses losses and damage incurred by customers or clients. However, as with all insurance policies, not all are created equal, and the coverage is not always as complete as it sounds on the surface.
Cyber insurance may cover things like:
- Costs of notifying clients
- Credit monitoring services
- Public relations campaigns
- Lost business income due to the breach
- Attorney’s fees
- Settlement or judgment against the business
- Government fines and penalties
- Defense before regulatory boards
Important: Always triple check the terms of a policy, as not everything will be covered by all policies!
How Insurance Companies Handle Ransomware Attacks
Now that we’ve covered the basics, I’m going to move on to something that isn’t often thought about when considering an insurance policy — the unintended effect cyber insurance is having on the ransomware “industry.”
Surprisingly, it’s not all bad for cyber criminals! Back in 2017, Brian Krebs (Krebs on Security) reported on “Philadelphia,” a ransomware-as-a-service kit. This point-and-click ransomware package could be purchased for around $400, making it easy for anyone to run their own ransomware campaign.
Basic economics can show us why a malicious actor would want to run a ransomware campaign. They can purchase the back-end software for a low, one-time cost, which will allow them to run as many campaigns as they wish. If they are successful in even a small number of their attempts, they can make a good profit from very little investment. We’ve seen ransoms from the Philadelphia kit be anywhere from 0.15 BTC up to 15 BTC. At today’s rate, that works out to roughly $1,000 to $120,000! But what does this have to do with cyber insurance?
Most people and businesses wouldn’t pay this ransom — especially a business with a good business continuity/disaster recovery (BCDR) plan in place. However, when cyber insurance comes into play, the ransom often ends up being paid. This is because, in most cases, all the insurance company cares about is reaching a resolution at the lowest possible cost.
The insurance company will look at how much it will cost to perform a forensic recovery, versus how much it will cost to just pay the ransom. If the ransom amount is lower, that is the option they will often pressure the business to take.
This is where it starts to get interesting. Malicious actors have begun to target businesses with more sophistication. They will do their reconnaissance and potentially sit on the network for months gathering information. If they find out the company has cyber insurance, they will work out what a forensic recovery from a ransomware attack would cost the business. Once they have this figure, they deploy the ransomware and set the ransom amount slightly below that recovery cost. This makes it far more likely that the ransom will be paid than that a recovery will be attempted.
Why Not Pay the Ransom?
When cyber criminals get paid, it encourages them to keep attacking. If a ransomware attack wasn’t lucrative, it wouldn’t be anywhere near as prevalent as it is today. Even if you pay the ransom, there is no guarantee that you will get your files back — remember, these are criminals we are talking about. They can just as easily run off with your money and move onto their next target. The proceeds from these attacks are often used to develop further cyber attacks and help fund organized crime.
It’s not all bad news though. In the three years since its inception, the No More Ransom project has kept at least $108 million out of the hands of cyber criminals. The website, put together by Europol and several other agencies and organizations, hosts decryption tools to unlock the files of those infected with various ransomware variants. To date, there are decryption tools on the site for 122 different ransomware variants.
The advice from me and most industry professionals is this: never pay the ransom! Have a solid and tested BCDR solution implemented, with cyber security controls in place at the network and endpoint level to prevent an infection. If you are one of the unlucky ones to get attacked with ransomware, check to see if a decryption tool is available and restore from your disconnected backups. And finally, even if your insurance company is pressuring you to pay the ransom, don’t do it!
Contact Arrow Today… Before It’s Too Late!
Whether you are just starting out on your journey to becoming more “cyber-resilient,” or you are looking to build out or test your existing deployments, Arrow has both the solutions and know-how to help — from architecting a BCDR solution or full security stack, to implementing and testing their abilities.
Last modified: January 13, 2020