Prepare Now for Ransomware

In 2017, a company was hit with ransomware every 40 seconds. Organizations in all industry sectors were subject to ransomware attacks, as these attacks often opportunistically take advantage of security shortcomings. The average ransom demand was more than $1,000.00—greater than three times the average in 2015. What’s more, one in five business that paid ransom never got its data back.

So, how do you protect your business? First, make sure you are insured. While traditional policies provide little, if any, coverage for damage to electronic data—and none for other costs associated with cyber extortion—they are covered by cyber extortion insurance. This is available under many cyber liability policies. Cyber extortion provisions typically cover ransom payments and extortion-related expenses such as costs incurred in negotiating the ransom and restoring or replacing data or software.

But insurance is just one aspect of the protection your business should have. Companies also need to prepare an Incident Response Plan (IRP), that establishes responses to ransomware attacks. An IRP should be a “living, breathing” document that is consistently updated to ensure that its information and procedures are accurate and up-to-date. Typical topics addressed by an IRP are:

  • The Incident Response Team. The IRP must identify the team in charge of responding to ransomware attacks. This team should include an executive and inside counsel, and should provide back-ups in case first-line members cannot be reached. The IRP should contain 24-7 contact information for all team members, including means of contact that do not rely on the business-provided phones or email that may be affected by the attack.

Additionally, the IRP should identify team members’ specific responsibilities, such as implementing security measures, investigating the attack, communicating with the extortionists, communicating with customers or the public, and notifying insurance carriers and law enforcement.

  • Detecting an Incident. The IRP should identify steps for employees to take if they suspect or detect a ransomware attack.
  • Approved Vendors. As you will likely need outside assistance to respond to an attack, your IRP should identify approved vendors such as outside coverage counsel, investigative and cybersecurity firms, and a PR firm to assist with external communications.
  • Reporting to Law Enforcement. The IRP should define when and how ransomware attacks must be reported to which law enforcement agencies. It should also address what evidence should be collected and preserved, and how.  Ideally, these issues should be discussed with the relevant agencies ahead of time, which also helps build a cooperative relationship with them.
  • Notifying Insurance Carriers. The IRP should identify all insurance policies that could provide coverage for a ransomware attack and detail steps to comply with each policy’s notification requirements. Outside coverage counsel can assist with both identifying relevant policies and provisions, and following notification requirements.
  • Responding to Extortionists. The IRP must identify who communicates with the extortionists and who decides whether and how to respond to their demands. This should include steps for how to make potentially required electronic currency payments.
  • Investigating the Incident. The IRP should define who is responsible for investigating a ransomware attack and include a checklist detailing specific response steps. It should also establish procedures to increase the chances of identifying the extortionists, and to detect and address security vulnerabilities.
  • Documenting the Response. The IRP should set forth steps to document both your response to and your investigation of the attack, including contacts with the extortionists, the decision-making process resulting in a response, and the technical response and investigation, including the preservation of evidence. Such documentation may be required by regulatory agencies or insurers.
  • Public Relations. To facilitate communications about the attack with customers or the public, the IRP should assign responsibility for doing so and define steps for preparing and releasing such communications.
  • User Training. End-user training of all employees, including management, is key to preventing ransomware attacks. The IRP needs to contain procedures to ensure that all employees receive such training periodically, as common threats change over time.

Appropriate insurance coverage; an IRP that is consistently updated, including through “post mortem” evaluations following attacks; and up-to-date systems security are critical to prepare your business for—and to the extent possible, protect it from—potential ransomware attacks.

Workplace Sexual Harassment: More HR Guidance Needed

From news anchors, to titans of the entertainment industry, to corporate executives, and elected officials, headlines show no one is above the fallout of sexual harassment in the workplace. Millions of dollars have been paid in settlements and the once mighty have fallen in disgrace.

Yet, a belated resignation or termination doesn’t absolve the employer from legal action—and often leaves the aggrieved and/or juries wondering how the employer might have handled the situation better.

How can risk managers, human resources (HR), executives and companies they serve help prevent sexual or other forms of harassment? The question becomes more pressing now with the “Ending Forced Arbitration of Sexual Harassment” bill. The proposed legislation voids forced arbitration and allows disputes to proceed in court rather than in a confidential arbitration setting. Proponents believe the prospect of making these cases public will reduce such activity in the workplace.

Smart employers aren’t waiting on legislation to make workplaces safer, however. They are planning and training now to reduce sexual harassment to mitigate risk, and therefore, potential damage claims affecting executives and employees across employer ranks. Ensuring such a workplace should result in fewer acts and reports of harassment and insurance claims. As all employers are interested in the bottom line as well as a positive work environment, a more defensible posture against future claims should be top-of-mind for every risk manager and HR Executive.

Old policies prohibiting harassment must be dusted off, reviewed, updated and publicized. These policies protect those whose accusations are proven to have merit or are brought in good faith, they create consequences for those proven to have abused others, and should clearly define expectations and ramifications.

These strategies can help risk managers, HR teams, and employers keep their organizations out of the headlines:

  • Review internal policies and procedures. When was the last time your organization reviewed the HR policies and procedures manual? Older manuals may ineffectively address the issue, including under the Equal Employment Opportunity Commission (EEOC) guidance. Once updated, make the document available to the workforce in print and online. However, a manual of policies is only the beginning.
  • Training is not a one-time event for select individuals. To paraphrase Aristotle, inclusion training in the workplace is not an act, but a habit. Hire a professional skilled in workplace diversity and inclusion training, and make courses mandatory from the rank and file to the C-suite. Refresh the training every few years, and make sure every new hire is trained as part of onboarding.
  • Create a “See something, say something” culture. Sexual harassment is avoided best in organizations with a culture of transparency and accountability. Management must welcome reports of unwanted sexual advances, and then investigate such claims. Such activity reported but not acted upon can worsen the environment, and become powerful evidence for claimants in harassment lawsuits.
  • Establish a realistic reporting procedure. If protocol urges an aggrieved employee to report harassment to a direct supervisor—and that supervisor is the alleged perpetrator—an obvious conflict arises. Encourage employees to speak directly to HR or a high level manager such as a division, general or plant manager. The reporting procedure should ensure that certain steps are taken so complaints are not swept aside.
  • Empower HR to investigate all claims. If HR receives a complaint, it has a legal obligation to investigate further. Even if the complainant fears an investigation could jeopardize the alleged harasser’s job, the law is clear that a prompt investigation occur to stop any alleged harassment from continuing. Termination or disciplinary action are not necessarily required; often, claimants just want the behavior to stop. It could be immature or otherwise benign playfulness that crossed the line—behavior a simple discussion could remedy. Follow up with the complainant to ensure the behavior has stopped and to document that follow-up occurred.

Effective policies and procedures in place and rigorously followed can help employees know the organization takes sexual, racial, and other forms of harassment seriously; insurers know you’ve established policies designed to protect both employees and the organization against incidents of harassment; and for those who might see million-dollar claims in the news and think they could be next, that you’ve set up your defenses.

Love and Cybersecurity: Q&A with eHarmony’s Ronald Sarian

Now through Feb. 14 is the busy season for the online dating and matchmaking industry. Heavier traffic can present risks to these sites, demanding added precautions. Ronald Sarian, vice president and general counsel (and default risk manager) at eHarmony spoke to Risk Management Monitor about the types of risks he faces—particularly regarding data and cybersecurity—and how he protects the “#1 trusted dating site for like-minded singles,” where “Every day, an average of 438 singles marry a match they found on eHarmony.” (For those familiar with its commercials, the song now stuck in your head can be played in a new tab here—don’t fight it.)

Risk Management Monitor: You joined eHarmony following a data breach in 2012 in which 1.5 million users’ passwords were compromised. What steps did you take to prevent a recurrence?

Ronald Sarian: Following that breach, we put everything we did under a microscope and brought in Stroz Friedberg to aid our investigation and help improve our processes. We ultimately decided to migrate all credit card data off-site to CyberSource, a third-party vendor. When we need to charge a credit card we get the key from the vendor and then return it when we’re done. We wrote transmission gateways out of all of our internal apps so things aren’t communicating with each other so easily. This way, if there is an attack, it will be “quarantined.” We also employed extensive layering for the same purpose. We put a much more sophisticated logging system in place, hired a full-time security engineer, and started performing more firewall audits and regular white hat hacks to try to detect vulnerabilities. And we improved our on-boarding and off-boarding for employees.

RMM: What are the prevalent risks you face leading up to Valentine’s Day and how do you mitigate them?

RS: We face risks all year long, but this time of year there are just more of them. There are always fraud issues we deal with and people try to launch bot attacks to take down our systems and cause us grief. We believe we utilize industry best practices for all these issues. For example, to try to prevent fraudsters from getting into the system we have sophisticated business rules that look at keywords or phrases used when filling out the intake questionnaire—certain words or phrases indicate the probability of a fraudster. Misuse of the English language can sometimes signal a problem. These raise red flags in our system.

Our questionnaire is quite elaborate and evaluates psychological factors in order to determine personality traits. We have essentially 29 different dimensions of compatibility we look at and try to glean all these dimensions so we can match you with someone who is typically 80% or higher in each. If you answer the questions in a certain manner for most of the questionnaire and we see a major inconsistency toward the end, for example, that can indicate something is fishy.

We also look at suspicious IP addresses. We utilize these practices all year round but scrutiny is heightened at this time of year and especially when we have free communication weekends. We’re pretty good at sorting these people out before they can communicate. Our system has been developed over 17 years and is constantly being improved as threats change and fraudsters become more sophisticated.

RMM: How else is risk management used in eHarmony’s strategies and operations?

RS: A goal of mine is to adapt the ISO 27001 ERM framework for eHarmony. I believe we have the best practices in place to achieve that when the time and finances are right. It’s quite a bit of work to get the certification and I don’t know if that would happen this year but it’s something I want to do because I think it would be great for us. It basically requires a holistic, top-down look at your entire operation. This is not only from a tech standpoint but from a personnel standpoint as well.

Many breaches start internally, most of the time unintentionally, so people should, for example, know not to click on a link in an email from an unknown source. You also need to assure your vendors are utilizing the appropriate safeguards and you must have a security incident management plan in place. There are many other requirements, of course. I believe we essentially have the information security management system (ISMS) envisioned by ISO 27001 in operation right now. We just need to make it official.

62% of Impacted Companies Lacked Hurricane Prep in 2017

A majority of senior executives of large U.S. companies with operations in Texas, Florida or Puerto Rico admit to being unprepared for last year’s hurricanes that devastated their communities, according to a survey by FM Global. While 64% of respondents said the hurricanes had an adverse impact on their operations, a full 62% said they were not fully prepared.

“These candid admissions drive home a fundamental truth about catastrophe,” Louis Gritzo, vice president and manager of research at FM Global said in a statement. “People routinely fail to understand or acknowledge the magnitude of risk until they’ve experienced a fateful event.”

One reason for a lack of natural-hazard preparation is imprecise terminology, he said. Being located in a “100-year flood” zone, for example, “does not mean you have 99 years to plan—but that there is a 1% chance of such a flood every year.” Another reason for insufficient preparation is over-reliance on insurance, which cannot restore the market share, brand equity and shareholder value lost to competitors.

The study found that as a result of hurricanes Harvey, Irma and Maria:

  • 57% of all respondents said they will put in place or enhance their business continuity or disaster recovery plans.
  • 40% plan to invest more in risk management, property loss prevention, and/or reassess their supply chain risk management strategy.
  • 25% will reassess their insurance coverages or their insurers.

FM Global commissioned market research firm ORC International to survey 101 senior financial executives at Fortune 1000-size organizations by phone in October through November 2017.