The education portion of AIRROC’s Spring 2022 Membership Meeting commenced with an informative panel discussion on the evolving threat of ransomware; a topic that has dominated headlines over the past year with such high profile attacks on CNA, Colonial Pipeline and JBS Foods. Patrick Byrnes, Partner, with Locke Lord LLP moderated the discussion that featured remarks from co-panelist Dakai Pouncey, Claims Manager – Cyber & Technology, Beazley, and Matthew Murphy, Senior Counsel, also with Locke Lord LLP. Ransomware has been deployed against every industry sector, both private and public, against municipalities and other government agencies. Ransomware attacks can cripple operations, damage reputations, cost significant time and money, and present litigation and regulatory exposure. The resulting disruptions and consequences hit hard, the problem is prevalent and is not going away. The panel provided their personal experience with this insidious threat and discussed steps to reduce the risks of being hit, and recommendations to navigate an attack. A video replay of this session is available on the AIRROC On Demand platform.
Perpetrators of these ransomware attacks can include criminal organizations, groups associated with nation states or lone actors. According to the Microsoft Digital Defense Report, over half of US attacks originated from Russia. Some other interesting data points shared by the panel is that as of yearend 2021, it is estimated that 37% of active businesses have been hit or impacted by a ransomware attack. Last year, a computer was hit with an attempted ransomware attack on average, every 11 seconds.
Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption keys. Recently there has been a change in approach in ransomware attacks where threat actors routinely exfiltrate data before launching encryption malware to exert more pressure on victims to pay under threat of publication. The exfiltration tactic of threatening to publicly post confidential data, along with encryption, not only motivates the victim to pay the ransom but also has resulted in higher ransom values.
The demand amounts and the amounts of actual payments for ransomware events have skyrocketed. According to Coveware, a ransomware response firm that helps negotiate and facilitate ransom payments, in the 4th quarter of 2021, the average payment by ransomware victims was $320,000, an increase of 130% from the prior quarter. Dakai Pouncey confirmed his experience that he is seeing an increase in the amount of the initial demand from prior years.
The consequences of ransomware attacks can be far reaching and have a significant impact on an organization’s bottom line. Besides the ransom payment, other costs can include lost income, data restoration costs, hardware and software repair or replacement, crisis management costs, legal costs, notification costs, as well as litigation and regulatory exposure.
From a claims perspective, business interruption tends to be the most expensive component for claims involving the encryption of data. Recovery of data from backup is preferable over paying the ransom because purchasing the decryption keys is not the end of the process but just the beginning. Normally the decryption process takes between 20 to 30 days.
Decisions to pay a ransom demand or whether an organization has the ability to pay are business considerations. However, there are other considerations and risks associated with ransomware payments. The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) has a list of 13 gangs or threat action groups that are on a restricted sanctions list. Facilitating ransomware payments by or on behalf of a victim may violate OFAC Regulations. Having an experienced vendor to assist victim companies to settle cyber extortion events, procure decryption tools and assist victim companies navigate through the process is essential.
Due to the unprecedented increase in cyber attacks and the potential that such malicious cyber activity is increasingly intertwined with national security interest, there has been an increased interest by law enforcement to track and access the scope of the threat, including the FBI, Homeland Security and other state and local agencies. Victims and those involved with addressing ransomware attacks are urged to report the incident to the FBI’s Internet Crime Complaint Center (“IC3”). While the FBI might not help recover data, they keep metrics and statistics, and collect critical information needed to track cyber actors to hold them accountable, and prevent or disrupt future attacks.
There are also breach notification requirements that may impose legal obligations to report a ransomware attack. Breach notification rules are a briar patch that varies across all 50 states, and together with the short time frame for reporting, keeping on top of these requirements is enormously challenging. Who to notify in the event of a breach must also be taken into consideration. Many local, state and federal legislation include privacy acts and data protection laws to ensure consumers are notified if a data breach has potentially affected confidential data such as Personally Identifiable Information (“PII”) or information protected under the Health Insurance Portability and Accountability Act (“HIPAA”). A company may also have contractual notification requirements that maybe triggered with short timelines to advise counterparties of a cyber breach incident. Getting experienced privacy counsel on board as soon as possible to guide and assist in navigating the process is critical to an organization’s breach response plan.
The panel reviewed the types of insurance coverage available in the market. There are stand-alone cyber policies, which are specifically designed to address a breach and often have larger limits. Coverage responding to a cyber event may also be found in other policies such as crime policies, or in the form of a cyber endorsement to an E&O, D&O or other professional liability policy. Some polices may provide breach response services coverage, which reimburses the Insured for the costs they would incur to respond to a breach. They get you in touch with reputable vendors, who can assist in coordinating computer forensics to help investigate, contain, and advise on notification obligations that may arise from the breach. Policies may also provide first party and/or third party coverage. The first party coverages may address data restoration, cyber extortion costs (including ransom payments to hackers), business interruption loss and dependent business interruption loss. The third-party coverage may address liability stemming from class actions or regulatory investigations.
Finally, the panel discussed the incident preparedness steps to consider, such as building your team; know who is making the decisions to respond to an attack; updating your incident response and disaster recovery plan; know where your data is stored, proper curation and preservation of data; reviewing your insurance policies; segregation of backups and revisiting the security and adequacy of your backups; establishing proper cyber security protocols and awareness training of employees. Preparedness pays huge dividends in this environment of increasing and ever-evolving cyber threats.