Evolution of Ransomware Pushes Companies to Examine Their Business Interruption Coverage
As cyber crime continues to evolve, ransomware attacks in particular have ramped up and are leading more companies to recognize their need for the right business interruption coverage, explained panelists at the Professional Liability Underwriting Society (PLUS) Cyber Symposium, held in New York City in February.
“I think without insurance, we’ve seen countless companies that would just have to close their doors,” said Nathan Little, vice president of Digital Forensics and Incident Response at Tetra Defense, a digital forensics, incident response and cyber risk management firm. “They wouldn’t be able to function, because they can’t pay the million or two million or whatever it may be to get their data back.”
Ransomware is a type of malware that is designed to deny access to a victim’s computer system or data until they pay the attacker a ransom. These attacks have grown in number recently, with the New York Times reporting that 2019 saw a 41 percent increase in attacks from the year before, according to information provided by Emsisoft, a security firm that helps companies hit by ransomware.
“It seems these days, almost every call we get is ransomware because it’s so rampant,” Little said.
Ransomware attacks are not only growing in frequency, but in severity, leading to longer periods of restoration as backup systems are hit as well, Little said.
Miscommunication between IT and the financial sector – not being on the same page – that brings a lot of confusion.
“Ransomware attacks used to always be the low-hanging fruit — people with severe security issues that got hit — and that’s not always the case anymore,” he said. “The trend we’re seeing is more and more advanced attacks where people lay dormant in systems for months or even years and know every detail about the IT department.”
Little pointed to another trend in ransomware attacks: double extortion. This means that if a victim doesn’t pay a ransom within a certain time frame, the attacker will publish their private data and screenshots of the systems that have been compromised on public websites.
“Those types of attacks are causing exponential growth in ransomware because they’re very profitable,” he said.
Business Interruption
While the good news is that this growth in ransomware is leading more companies to prioritize securing the right business interruption insurance policies, Little and fellow panelist Cheryl Warner, of technical advisory firm MOXFIVE, agreed the insurance industry has work to do on educating clients about how policies are written and how incident response works.
“I think there’s a lot to be learned in how policies can be written and how we can respond to incidents to really give that white glove treatment for the insured and make them feel like they’re getting the most bang for their buck out of the policy,” Little said.
Warner added that insureds often have a misunderstanding of how long the incident response process can be, as there can be a lag of time in between understanding what has happened during an attack and beginning restoration.
“On the insurance side, it’s an educational process,” she said. “I think with what the insured purchases, they expect instant gratification and that doesn’t necessarily always happen.”
Little said he believes this misunderstanding could be because these attacks, while more widespread than in the past, are still new to clients. That said, even if a client has the right backups in place to restore quickly, he said it’s important to take time to investigate and understand the attack completely or else a client could be showing an attacker that is still in their network how to strike the system again.
“It’s the time to restoration, and it’s the time to investigate,” he said. “It’s really a delicate dance bringing people back online, and it’s a challenge.”
Indeed, Warner said a common misunderstanding regarding cyber incidents is how long organizations can be down, which can be anywhere from a few hours to a few months or longer, even when companies bring in the right experts and have the right insurance policy.
“Even if you have insurance, being down for three weeks is still a dramatic experience for your company and hard to recover from regardless of how much cover you have,” Little added.
With this in mind, insurers need to understand that each client’s environment is different and work with insureds to assess how long recovery might take, Warner said. It’s also important for insurers to communicate with insureds’ IT departments to determine response plans and identify critical assets, she added.
“Miscommunication between IT and the financial sector – not being on the same page – that brings a lot of confusion,” she said.
IT Targets
Speaking of IT departments, Little and Warner both stated IT providers are becoming a major target for attacks as ransomware evolves.
“Typically, they weren’t targeted, but now they are because it gives access to all of their clients and customers,” Warner said. “You hit one, and it gives you access to hundreds of other clients.”
Ransomware attacks used to always be the low-hanging fruit – people with severe security issues that got hit – and that’s not always the case anymore.
Manufacturing is another industry that’s been hit hard by ransomware attacks recently, Little said. Previously, the sector hasn’t been a target for these attacks as it didn’t much valuable data. “Now, manufacturing is one of the largest targets for ransomware because taking down the operation is taking down the money,” he said.
As cyber attacks continue growing, types of attacks are expected to evolve too, keeping insurers and insureds alike on their toes, Warner said. “Right now, it’s ransomware that has been rampant for the past couple of years,” she said. “Pretty soon, it will be something else that follows ransomware and will probably be a lot worse.”