Cyber criminals aren’t just stealing passwords and data. They’re stealing the spotlight.
Amid the ongoing COVID-19 pandemic that has been a global focus since government shutdowns began in March of last year, insurers and businesses all over the world are now being forced to grapple with another damaging epidemic: ransomware.
Ransomware attacks accounted for nearly one quarter of all cyber incidents globally last year, according to software company Bitdefender, and they’re on the rise. So far this year, ransomware incidents have afflicted businesses, hospitals, schools, local governments, critical infrastructure and even insurance companies’ own operations.
An explosion of attacks this year has led state regulators and federal government officials to elevate their focus on ransomware, with the White House ramping up its discussions about the issue in the wake of recent incidents, Reuters reported.
“I think the takeaway is hopefully help is on the way and that companies are not being left to simply fend for themselves because the government is going to make enforcement and pursuit of these actors a priority,” said Peter Halprin, partner at the New York-based law firm Pasich, in the most recent episode of the Insuring Cyber Podcast.
Centralizing the Focus
A spate of recent attacks are of particular concern among U.S. government officials, as they have been attributed to actors operating from Russia. There was last year's SolarWinds incident, in which Russian state-sponsored operators (attributed by the U.S. government to Russia's foreign intelligence service, the SVR) inserted malicious code into an update for SolarWinds' Orion network management software, which the company then distributed to its customers. Now, a July ransomware attack has made its way to the center of the conversation: the Florida information technology firm Kaseya had its VSA remote management software compromised, and the attackers used it to push ransomware to the customers of managed service providers running the product. REvil, a Russia-linked cybercrime syndicate, took credit for the breach.
In June, REvil extracted an $11 million ransom from meatpacker JBS after an intrusion that forced the company to halt operations at processing plants in North America and Australia. Earlier this year, in May, an intrusion by DarkSide, another Russia-linked group, at U.S. fuel transporter Colonial Pipeline led the company to shut down its 5,500-mile pipeline, causing panic buying and gas shortages all along the East Coast.
“They’re targeting every vulnerable organization you can think of under the sun,” said Marc Wallenstein, partner at the plaintiffs’ complex-litigation firm Korein Tillery, later in the podcast episode. “…that wasn’t happening five years ago.”
It has been reported that the U.S. Department of Justice is elevating investigations of ransomware attacks to a priority similar to that of terrorism, with internal guidance sent to U.S. attorneys’ offices across the country saying that information about ransomware investigations in the field should be centrally coordinated with a recently created Ransomware and Digital Extortion Task Force in Washington.
In a press conference following the Colonial Pipeline attack, Deputy Attorney General of the United States Lisa Monaco stated that ransomware and digital extortion pose a national security and economic security threat to the United States.
Wallenstein said a centralized focus on ransomware at the federal level is an important step in the right direction toward tackling the issue.
“By centralizing information, it’s the first step to having a template approach and making sure that all the resources necessary are brought to bear quickly,” he said.
‘It’s your security against the outside world’
Wallenstein added that for businesses, it’s critically important to invest now in the infrastructure, technology, staff and training necessary to prevent ransomware attacks from happening in the first place. Halprin agreed.
“[Businesses] simply can’t hide from it,” he said. “I think they need to be proactive.”
Halprin said incident prevention is a four-fold effort: businesses need strong password protection to keep attackers out; a robust incident response plan so that an attack that does get through has limited impact; regular testing of that plan; and remediation of any vulnerabilities they identify.
“It’s your security against the outside world. How do you protect people from getting in? What can you do?” he said. “…there are instances where underwriters are simply saying, ‘No, you’re just too risky and we’re not going to underwrite you.’ I think those are the kinds of things that will promote companies saying, ‘Oh, wait a minute. If we’re not even worthy of being underwritten right now, there are a lot of things we need to do to improve our systems.’”
Wallenstein said insurers also need to be proactive with their clients to ensure they have the correct products and proper protocols in place to prevent a hack.
“If you have larger clients, you probably want to audit their IT infrastructure and their cybersecurity infrastructure,” he said. “If it’s not good enough, adjust your premiums accordingly, because this is a huge risk.”
Ransom Payments Still a Gray Area
One aspect of incident response that has seen much debate among businesses and insurers alike is the payment of ransoms. The U.S. Treasury Department, through its Office of Foreign Assets Control and its Financial Crimes Enforcement Network, issued advisories in October of last year warning that individuals or businesses, including cyber insurers, that help facilitate ransomware payments could be violating sanctions and anti-money laundering regulations. However, the payment of ransoms is still a gray area for many businesses that could find themselves victim to an attack and for cyber insurers that may reimburse clients for ransom payments.
Halprin advised against the payment of ransoms, saying the risks are too high. Wallenstein went on to say that if ransom payments are prohibited, he believes the attacks would stop.
“But it is a very difficult line to draw,” he said. “It makes sense that the government is taking an incremental approach, because you’re essentially punishing the victim. If you have some poor business that’s hacked out of its systems and pays the ransom, it’s hard not to feel a lot of sympathy for them. And I think we all do.”
While no business or individual has yet been prosecuted for paying a ransom, Wallenstein said businesses and governments should collaborate to ensure the right infrastructure is in place to stop ransomware payments. He added the reimbursement of ransom payments by insurers could be seen as a green light for clients to pay ransoms, which could in turn lead to more attacks.
“If I were an in-house attorney to an insurance company, I would absolutely cease the reimbursement of ransomware payments immediately,” he said.
While global insurance company AXA announced in May it will stop writing cyber insurance coverage in France that reimburses customers for making payments to ransomware criminals, some in the insurance industry are responding differently.
The nation’s largest property/casualty insurance organization is defending ransom payment reimbursements by insurers in a new set of principles stressing that the insurance industry wants to partner with government and business to improve cybersecurity, Insurance Journal previously reported.
The insurers say they “must be permitted to provide reimbursement coverage for the policyholder’s payment of ransom for cyber extortion,” subject to applicable sanction and other laws.
“This principle is consistent with the long-standing approach to the parallel issue of crime or kidnap & ransom coverages, which are allowed by regulators so long as those payments do not violate sanctions laws,” the American Property Casualty Insurance Association (APCIA) said in releasing its Cyber Extortion/Ransomware Guiding Principles.
APCIA said it is worried that prohibitions on the reimbursement of ransom payments present “potential unintended consequences” such as eliminating a meaningful risk management resource.
R.J. Lehmann, senior fellow at the think tank International Center for Law & Economics, said he believes a ban could have the opposite of its intended effect and encourage more attacks on high-value targets.
“…a ban on ransom payments would be likely to shift hackers’ focus to the highest value targets where an interruption would do the most damage to society,” Lehmann previously told Insurance Journal.
Indeed, the insurance industry appears to be conflicted on this issue, as a recent Insurance Journal poll asking whether insurers should provide ransom reimbursement coverage within cyber policies brought mixed results.
Nearly half of respondents – 47% – said insurers should provide this coverage because it is an important risk management resource, especially for businesses that have no option but to meet ransom demands if attacked. A slightly smaller share – 42% – said insurers should not provide this coverage because it carries too many risks and will encourage payment of ransoms, which could lead to more attacks. A handful of respondents were not sure, given that ransomware continues to evolve. The figures were current at the time of publication.
Wallenstein said that while insurance companies reimbursing clients for ransom payments aren’t in any danger of repercussions right now, he sees that as a possibility in the future.
“If some creative prosecutor or regulator decides to make a name for themselves enforcing existing laws, then all of a sudden the field changes,” he said. “That happens all the time.”
Despite growing risks around ransomware, Wallenstein said he believes things are moving in the right direction in terms of response and awareness.
“Hopefully, over time, everyone will figure out how to get us to a place where people can stop paying the ransom without the devastating consequences of, for example, a pipeline being turned off or a hospital being shut down.”
Halprin pointed to the idea of a ‘gray rhino event’ to demonstrate how far things have come since the early days of ransomware. He described a gray rhino event as a threat that is highly probable and highly impactful, yet neglected.
“I think that’s how we could think of ransomware pre-Colonial Pipeline,” he said. “And I think now…people are seeing the threat for what it is, and I think that they can no longer put their heads in the sand anymore. So it’s really important for everyone to think about these things, to stay on guard and to steel themselves and protect themselves so that they are not the ones who are on the front page of the paper or we’re discussing in podcasts.”
Check out the rest of the most recent Insuring Cyber Podcast episode to see what else Marc and Peter have to say, and be sure to check back for new episodes publishing every other Wednesday along with the Insuring Cyber newsletter.