Cyber Insurance and Ransomware
What is Ransomware?
Ransomware is a form of a cyber-attack usually launched through an email phishing scheme where an employee or user on your network clicks a link or opens a file that contains a malicious code that attacks or seizes that user’s computer and then worms its way through your network seizing all the computers and other devices attached to your network. This may include point of sale terminals, printers, industrial machinery, building or facility service management systems, and anything made part of your corporate network.
Once the malware spreads and locks down all your devices, the hacker demands a ransom to release your data.
Here’s the scary part— Ransom settlements averaged $29,000 in the SME market in 2019. In 2020 that number jumped to $320,000!
This is all because more firms purchased insurance and the hackers knew that most insurance policies would pay the ransom.
The good news is that if you have cyber insurance, you’re likely covered for ransomware attacks.
The bad news is that if you purchased a $1M policy limit you now may not have enough coverage. When almost half of your limit goes to just paying off the ransom, there’s not a lot left to pay other costs that usually follow a ransomware attack. Things like forensics, PR and crisis management, IT security reviews, combing through your data to find timebombs left behind by hackers, reputational damage, and potential notification costs, and third-party liability. This is one of the tricky issues around cyber insurance and ransomware.
The solution? Consider purchasing more cyber insurance limits on your next renewal.
The next complication from ransomware is interesting. Many firms have taken the proactive step of mirroring their data and “air-gapping” it from their network so if they are attacked by ransomware, they have most of their data safe and able to be restored.
Unfortunately, this isn’t a bulletproof strategy because now hackers who face a victim that says: “Look, I’m not paying your ransom because I can just restore all my data by flipping a switch” respond with the threat that if you don’t pay the ransom they will release your private data to the public realm.
Two major complications in risk of releasing private data.
First, what was private data is now public data which can have serious consequences. Just imagine all of your business’s confidential information on the dark web available for sale.
This has tremendous financial implications for you.
The second is that when private data is released, you may have an obligation under federal and 50 different state laws to notify all the record holders of that release and provide credit monitoring services to them. Once you notify all your record holders that their private data could now be on the dark web, expect lawsuits to fly and eventually form into a class action.
Very expensive. Very painful.
Again, this points to the need for higher limits of cyber protection.
Another interesting statistic from the website KnowBe4:
- 54% of organizations are unable to stop a ransomware attack once initiated before data is encrypted and operations are impacted, the increasing cost of ransomware remediation is troubling. To put it bluntly, you can’t afford to be hit by ransomware.
- Local governments, utilities, and healthcare industries had the least ability to stop an attack.
- Only 65% of data was restored after paying a ransom.
- The average remediation cost of a ransomware attack is around $1.85M which includes lost time, lost productivity, hardware costs lost opportunities, and the ransom paid.
What’s the solution?
Defensive training is probably the strongest solution to stop phishing attacks in their tracks. Many cyber insurance policies come with training modules. If you’re a larger organization, ask your IT department or your MSP for suggestions on training. An online search for Security Awareness Training will yield multiple options which you can purchase as well. Depending on the size of your organization and the scope of those training modules.
Secondarily – if you have cyber insurance, consider purchasing higher limits as I mentioned. A $1M policy is insufficient in today’s world.
Have other questions? Want to learn more about cyber risk and cyber insurance? Want to get a quote on cyber and don’t know who to ask? Give me a call or drop me an email and let’s start a conversation. My goal is to make cyber insurance understandable and affordable for you and your organization.