Putting Municipal Ransomware Attacks— and Cyber Insurance —in Context
The ransomware attacks on public entities in Texas, Florida, Maryland, Georgia and elsewhere this year have raised questions not only about paying ransoms but also about the role of insurance in helping these targets get back to serving the public.
Whether to pay a ransom is a difficult decision and the negotiating skills that insurers bring to such situations represent just some of the expertise that cyber insurance can provide public entities faced with a ransomware incident, according to Tim Francis, enterprise cyber lead at Travelers.
In a wide-ranging interview with Insurance Journal that took place before the August ransomware attack on 22 Texas cities, Francis discussed cyber insurance, ransomware and the circumstances facing municipalities.
Ransomware attacks against municipalities, and their costs, are of increasing concern.
Research by Recorded Future’s security expert Allan Liska found that while there was a small jump in all ransomware attacks in 2018, the jump was bigger against state and local governments than against other entities, and that trend appears to be continuing into 2019.
At cybersecurity firm Barracuda, Fleming Shi, chief technology officer, reported that there have been 55 ransomware attacks on state, local and county governments this year, which he estimates is about 60 percent of all ransomware attacks for this period. His analysis was done before the attack on 22 Texas cities and towns although he has since added them to bring the total to more than 70.
The FBI says organizations should never pay ransom and, for the most part, local and state governments hit by ransomware attacks this year appear to have adhered to that policy. According to Barracuda, only three of the 55 government entities attacked this year paid ransoms.
Various media have reported that the Florida town of Lake City authorized its insurer to pay $460,000 (42 Bitcoin), and the town of Riviera Beach, also in Florida, had insurance pay about $600,000 (65 Bitcoin), after they could not recover their data. Also, La Porte County in Indiana paid its attackers $130,000 to recover its data.
Barracuda found that none of the cities attacked in 2019 thus far have paid a ransom. Baltimore and Atlanta have been among the major cities refusing to pay ransom. Each has spent an estimated $17-18 million on recovery.
Recorded Future’s Liska also found that 17.1 percent of U.S. state and local government entities hit through April of this year paid ransom. While that’s a higher percentage than Barracuda found, that percentage of attacked entities paying ransom is well below the 45 percent for all organizations, according to a global 2019 report from CyberEdge. Of those that paid, about 60 percent got their data back and about 19 percent refused to pay and lost their data, according to CyberEdge.
Coveware, a company that specializes in responding to ransomware attacks, tracks the rising response costs including ransom payments. In the second quarter of this year, the average ransom payment for all enterprises was $36,295, up considerably from $12,762 in Q1 of 2019. However, Coveware says, public sector victims paid an average ransom of $338,700, or almost 10 times the global enterprise average.
Attention Getting
While governments have been less or no more likely to be attacked or pay ransoms than other entities, their cases tend to attract more attention than events in the private sector, according to experts.
Coveware says that ransomware incidents involving public sector organizations seem to “garner 100% of media attention.”
The “outsized media coverage” may create a “perception among attackers that these are potentially profitable targets,” notes Recorded Future’s Linska in his report. Linska also says municipal targets “may raise the profile of the attacker” because they call in law enforcement and the FBI to investigate.
Travelers cyber leader Francis points out that the increase in both the number and cost of these claims is hitting all sectors. He agrees that municipalities face some different circumstances, including added media scrutiny.
“What’s perhaps unique, or maybe more acute, with municipalities is that when they happen, it does get written about in the media,” Francis said. The coverage can be widespread, he added.
That’s not the case with the private sector. Francis thinks it may be because many ransomware events don’t have the true hallmarks of a “traditional data breach” that have to be reported. Francis said a private company may not report a ransomware event that does not involve personally identifiable data. “I think there’s a little bit of that at work,” he said.
According to the National Association of Insurance Commissioners, although many state data breach laws require entities to notify consumers if their data has been accessed or stolen, it’s unclear whether such disclosure applies to ransomware attacks. This means many, if not most, ransomware attacks go unreported.
Francis notes that municipalities face other challenges. More so than private firms, municipalities are more likely to be constrained by tight budgets for cybersecurity. Most municipalities are also dealing with legacy systems. “I don’t know that there’s any start‑up municipalities around,” he added.
What Hackers Want
While municipalities do have sensitive data that they do not want exposed, today’s hackers are less interested in trying to resell it on the black market than they used to be. According to Francis, “the perniciousness” of the approach of today’s hackers goes deeper than that. “They are more interested in holding the government hostage by shutting down its operations. It’s more about corrupting the system than exploiting the data,” he said.
The approach may have changed but the motive is the same as always— “it’s bad guys trying to make money,” the Travelers executive said.
Francis said today’s hackers are more sophisticated in several ways. First, they’re harder to prevent getting into systems. They are harder to detect once they get in. They are more widespread than just a few years ago. Also, they are operating in a different environment than a few years ago when the easy remedy for a city would be to resort to a backup of its data.
But a backup is not usually a fix for what hackers are doing today.
“Mostly with newer claims that we’re seeing around ransomware, it’s less of the old‑fashioned data breach and more, ‘We’re gonna’ take your systems down,'” Francis explained. He said the advanced software the attackers use lets them take down systems, leaving the municipality unable to deliver basic services or collect revenues, and this threat allows them to demand more money.
Insurance Role
The aim of cyber insurance, expressed most simply, is to get the organization up-and-running with its data. But cyber insurance is not only about paying the cost of recovery but also about offering expertise and unique services as well as knowledge about what to do in uncommon situations.
As enterprise cyber lead at Travelers, Francis is responsible for U.S. and international product development and underwriting strategy, as well as some of the pre‑ and post‑breach services.
To explain how the expertise is deployed, Francis cited an example where an employee unknowingly clicks on a ransomware and the city get a message that its systems are encrypted. Cyber insurance supplies the experts — some of them internal and others outside specialists— to deal with this type of event.
“They will determine, first of all, are the bad guys really in the system?” begins Francis.
Next they try to determine the type of software the hackers are using and whether the systems can be rebooted from backups. “They’re going to try those methods first,” he said.
If it does come down to a ransom payment, the insurance experts are there to help work out a response, negotiate the amount and terms, and deliver the payment that is typically requested in bitcoin.
But it is never simple.
“They’re not going to just deliver a million dollars,” Francis said.
They test the system to see that the attackers have the ability to actually return the data and access to the system.
They negotiate to pay a lesser amount of money than is being asked.
He said there have been events where the “bad guys” have asked for a lot of money but then are either unwilling or incapable of bringing the system back online. A city or business might pay the ransom and still be left with a system that is kaput.
This entire process is far from the situation where an insurer simply pays the costs associated with the loss. “We’re giving them access to experts that they might have not otherwise had access to if they didn’t have insurance,” Francis adds.
Francis said it is important that the experts brought in to help are independent from the employees of the insured to avoid conflict with an existing IT team that may feel such situations are within its domain and something it can handle.
“It’s really, in most cases, a different skill set,” he noted. Trying to figure out how the attackers got in, what system they’re using, and whether and how to pay the ransom take a different expertise than most IT teams have for what they do every day.
The process requires a collaboration. “We’re certainly not, in any way, going to push an IT department aside. Our vendors would not do that. They’re going to have to work together,” he stressed.
Travelers also offers post-event assistance, after the bad guys are out, the ransom has been paid, and the system is back up and running. Travelers calls this “betterment.”
“We’re not just leaving you with your system as it was ‑‑ because as it was, it was vulnerable enough to allow this event to take place in the first place,” he said. This betterment benefit provides funds for system improvement so that the same type of event doesn’t happen again.
Paying a Ransom
Francis stressed that it’s never an easy decision to pay a ransom, no matter the circumstances.
“We’re always trying to find other ways to fix the issue and not pay ransom. Sometimes we’re able to do that, sometimes we’re not. Sometimes, paying the ransom is the financially prudent course of action. No two events are alike. Deciding what action to take really is a case-by-case basis,” Francis said.
Every ransomware situation is unique and every municipality is in a different position and likely to react differently.
“It’s ultimately their decision. What we’re doing is providing the experts that can really do a thorough and objective assessment, not an emotional assessment. These are very emotional events,” he said.
In one situation the experts may tell the insured that if they want to bring their systems back online, “as distasteful as it might seem” they’d be better off paying the ransom.
Then there are other times when they’re going to offer a different assessment and recommendation such as, “Don’t pay because even if you do pay it, you’re not going get your systems back.”
Armed with that consultation, the insured is the one ultimately making the decision.
According to Francis, the expertise an insurer can bring stems from having people who, unfortunately, deal with these situations every day and who are able to recognize patterns, software elements, writing styles and even the organizations and players on the other end of the demand.
“They’ll know from their experience, ‘Yes, we’ve dealt with this actor before,'” he said.
They will know whether the attackers might be willing to negotiate and how much and if they can be trusted to restore access if a ransom is paid.
“It’s not a cordial negotiation, necessarily, but it does become oddly businesslike, unfortunately,” he said.
Buying Insurance
When it comes to insurance, the budget obviously can influence what a municipality may buy. In addition, every municipality has a different threat level. Plus, how a municipality views insurance overall and any individual insurance product will also affect the purchasing decision.
“Each municipality, like each private sector firm, is going to weigh their own assessment of, ‘How much insurance should we buy?'” says Francis.
He said agents and brokers can be great resources for municipal risk managers in part by advising what other municipalities of the same size have tended to buy for insurance and helping them do a proper assessment. “That goes a long way with a risk manager at a municipality who might not have thought about some of these issues or is thinking about it for the first time,” Francis said.
Francis was asked whether municipalities are learning any lessons from the rise in publicity around ransomware.
“Ransomware attacks can cripple a municipality’s computer system, which could negatively impact a community in numerous ways for an indefinite period of time. Hopefully the lessons learned from these recent attacks on municipalities point to the seriousness of the threat and how costly – not just from a financial standpoint – a cyber event can be,” Francis said.
As for best practices, Francis said municipalities should educate their employees about cyber risks: what they are and how incidents can occur. They should also have proper safeguards in place to prevent an attack from happening in the first place, and in the event something does happen, they should implement an incident response plan that includes a cyber insurance policy.