Prepare Now for Ransomware

In 2017, a company was hit with ransomware every 40 seconds. Organizations in all industry sectors were subject to ransomware attacks, as these attacks often opportunistically take advantage of security shortcomings. The average ransom demand was more than $1,000.00—greater than three times the average in 2015. What’s more, one in five business that paid ransom never got its data back.

So, how do you protect your business? First, make sure you are insured. While traditional policies provide little, if any, coverage for damage to electronic data—and none for other costs associated with cyber extortion—they are covered by cyber extortion insurance. This is available under many cyber liability policies. Cyber extortion provisions typically cover ransom payments and extortion-related expenses such as costs incurred in negotiating the ransom and restoring or replacing data or software.

But insurance is just one aspect of the protection your business should have. Companies also need to prepare an Incident Response Plan (IRP), that establishes responses to ransomware attacks. An IRP should be a “living, breathing” document that is consistently updated to ensure that its information and procedures are accurate and up-to-date. Typical topics addressed by an IRP are:

  • The Incident Response Team. The IRP must identify the team in charge of responding to ransomware attacks. This team should include an executive and inside counsel, and should provide back-ups in case first-line members cannot be reached. The IRP should contain 24-7 contact information for all team members, including means of contact that do not rely on the business-provided phones or email that may be affected by the attack.

Additionally, the IRP should identify team members’ specific responsibilities, such as implementing security measures, investigating the attack, communicating with the extortionists, communicating with customers or the public, and notifying insurance carriers and law enforcement.

  • Detecting an Incident. The IRP should identify steps for employees to take if they suspect or detect a ransomware attack.
  • Approved Vendors. As you will likely need outside assistance to respond to an attack, your IRP should identify approved vendors such as outside coverage counsel, investigative and cybersecurity firms, and a PR firm to assist with external communications.
  • Reporting to Law Enforcement. The IRP should define when and how ransomware attacks must be reported to which law enforcement agencies. It should also address what evidence should be collected and preserved, and how.  Ideally, these issues should be discussed with the relevant agencies ahead of time, which also helps build a cooperative relationship with them.
  • Notifying Insurance Carriers. The IRP should identify all insurance policies that could provide coverage for a ransomware attack and detail steps to comply with each policy’s notification requirements. Outside coverage counsel can assist with both identifying relevant policies and provisions, and following notification requirements.
  • Responding to Extortionists. The IRP must identify who communicates with the extortionists and who decides whether and how to respond to their demands. This should include steps for how to make potentially required electronic currency payments.
  • Investigating the Incident. The IRP should define who is responsible for investigating a ransomware attack and include a checklist detailing specific response steps. It should also establish procedures to increase the chances of identifying the extortionists, and to detect and address security vulnerabilities.
  • Documenting the Response. The IRP should set forth steps to document both your response to and your investigation of the attack, including contacts with the extortionists, the decision-making process resulting in a response, and the technical response and investigation, including the preservation of evidence. Such documentation may be required by regulatory agencies or insurers.
  • Public Relations. To facilitate communications about the attack with customers or the public, the IRP should assign responsibility for doing so and define steps for preparing and releasing such communications.
  • User Training. End-user training of all employees, including management, is key to preventing ransomware attacks. The IRP needs to contain procedures to ensure that all employees receive such training periodically, as common threats change over time.

Appropriate insurance coverage; an IRP that is consistently updated, including through “post mortem” evaluations following attacks; and up-to-date systems security are critical to prepare your business for—and to the extent possible, protect it from—potential ransomware attacks.

Coverage, Breaches Highlighted at Advisen Cyber Conference

NEW YORK—Advisen’s Cyber Risk Insights Conference, held during Cyber Week, featured risk management professionals and more than 20 panels and sessions on Oct. 26. The keynote was delivered by former New York City Mayor Rudolph W. Giuliani, currently the chair of Greenberg Traurig LLP’s Cybersecurity, Privacy and Crisis Management practice. Giuliani used sports analogies to describe the cybersecurity industry, noting that, “the defense trails the offense by about five years.” Comparing the newest waves of protection software to a strong rookie pitcher, he said, “A new pitcher may come along and strike everybody out as he goes through the league a few times. But eventually he gets figured out and [hackers] figure it out,” he said. “It needs at least a year of being attacked for real,” to find the gaps in efficiency, and leads to the “the kind of experimentation that will yield better results.”

In the session, “SME: In A League of Their Own,” moderator John Mullen, CEO and founding partner of Mullen Coughlin, a cybersecurity and data privacy firm, discussed the growing importance of cyber insurance among small- and medium-sized companies. He asked panelists where they have seen productivity. Panelists agreed that growth among small law firms and accounting firms were strong contributors. Michael Bruemmer, vice president of Experian’s Data Breach Resolution Group, noted he is already seeing breaches of W2 tax forms, which he said is worrisome with tax season approaching. “With some of the recent, large incidents and all the information that was compromised, I think W2s are going to come roaring back again,” Bruemmer said.

As for a look into the future, Bruemmer noted that while startups show great potential for growth, they need to make cyber policy purchases while in their infancies. “Any startup needs cyber protection,” he said, adding that this is particularly crucial during the initial financing and hiring stages, as “You see too many of them go out [of business]. They’re great companies with great ideas but they don’t consider cyber.”

Andy Lea, CNA’s vice president of underwriting for E&O, cyber and media, echoed those sentiments, saying that with the thousands of businesses created each year, “there will always be new buyers and there will be opportunity for this industry to provide value.”

During an afternoon panel, Erica Davis, Zurich North America’s senior vice president, specialty products and E&O, highlighted results from the newly-released annual  Advisen Information Security and Cyber Risk Management Survey, which found that risk professionals view cyber-related business continuity risk less seriously than data integrity risk. This was surprising, she said, as business interruption costs have risen and high-profile business interruption attacks have taken center stage.

The survey also found that just 10% of respondents identified business interruption as the primary reason for purchasing cyber insurance and that purchase growth has gone stagnant after a steady six-year increase from 35% to 65%. Davis noted that the survey ended before the Equifax breach announcement in September.

“These findings may indicate that businesses are not up to speed on the magnitude of the impact that business interruption losses are beginning to have,” she said. “Annually, the survey results are critical for understanding how businesses are thinking about cyber risk and what we need to do to help them protect themselves as we watch this issue continue to evolve.”

The study found that corporate concerns about cyber may be waning, even as the nature of cyberattacks has evolved to include ransomware and malware

According to the study:

  • For the first time in the seven years of the survey, there has been a decline in how seriously C-Suite executives view cyber risk.

  • 60% of the risk professionals surveyed said executive management view cyber risk as a significant threat to their organization—down significantly from 85% in 2016.

  • Only 53% of respondents knew of any changes to their companies’ cyber security systems in response to the high-profile attacks that took place in early 2017.

RIMS Survey Reveals Continued Confidence in Cyber Insurance

Cyber insurance is still a priority for risk professionals and stand-alone policies continue to gain international prominence, according to the 2017 RIMS Cyber Survey.

The survey’s 288 respondents represented industries ranging from financial services, government and non-profit and manufacturing to retail, health care and more.

Based on survey insights it is clear that cyber exposure is a primary concern, with nearly half of respondents confirming they are spending more now than they did last year to protect against it. The most alarming elements of risk continue to include business interruption and its consequent expenses, reputational harm, and notification and response costs. In light of recent ransomware attacks, 72% indicated that cyber extortion is also an important and growing first-party exposure their organizations are facing—a 9% increase from 2016.
Key findings from this year’s RIMS Cyber Survey include:

  • Organizations with a stand-alone cyber insurance policy increased 3% (to 83%) from 2016.
  • Of the organizations without a stand-alone cyber policy, 84% indicated that other insurance policies include cyber liability coverage.
  • Nearly three-quarters (72%) of respondents transfer cyber exposures to a third-party (up 3% from 2016).
  • Only 34% of respondents thought that the government should mandate cybersecurity standards.

With 61% of respondents considering purchasing cyber coverage in the next two years, it is likely the industry will continue to see slow-but-steady growth. But with 83% of respondents reporting that their companies have stand-alone cyber insurance policies, up 3% from 2016, the survey suggests that the market for these policies may be nearing maturity.

“At any given moment, cyber predators can unleash a new hack to infiltrate an organization’s system, steal or lock critical data and cause significant business interruption damages,” said RIMS President Nowell Seaman. “RIMS Cyber Survey shows that risk professionals continue to invest in cyber insurance products and must work in tandem with their insurers and IT professionals to help develop innovative and adaptable solutions for the next generation of cyber threats.”

Marsh Tracks Top Captive Trends

The number of captive insurers continues to increase globally, from 5,000 in 2006 to more than 7,000 in 2016. Once formed primarily by large companies, the captive market has opened up to mid-size and small businesses. The industry is also seeing a trend in companies forming more than one captive, using them for cyber, political risk and other exposures, according to a recent Marsh report, Captives at the Core: The Foundation of a Risk Financing Strategy.

Organizations are seeing disruptions in a number of areas and are relying more on their existing captives, Marsh said. Because of their flexibility, captives are also being used to respond to market cycles and organizational changes such as mergers and acquisitions.

While North America and Europe still dominate in numbers of captives, other regions have shown more interest in the past three years. In Latin America, captive formation increased 11% in 2016, the study found.

Within the United States, there is more competition among domiciles and some of the newer domiciles are experiencing growth. The top-growing U.S. domiciles in 2016 were Texas, Connecticut, Nevada, New Jersey, Tennessee, and New York. Domiciles outside the U.S. seeing the most growth include Sweden, Guernsey, Singapore, Malta, and the Cayman Islands.
As organizations’ exposures increase in number, complexity and severity, shareholder funds generated by captives are becoming more important. According to Marsh:

For many clients, captives are at the core of their risk management strategy, going beyond the financing of traditional property/casualty risks.

Specifically, we are seeing an increase in parent companies using captive shareholder funds to underwrite an influx of new and non-traditional risks, including cyber, supply chain, employee benefits, and terrorism, as well as to develop analytics associated with these risks and fund other risk management initiatives.

Risk management projects funded by captive shareholder funds in 2016 included initiatives to determine capital efficiency and optimal risk retention levels in the form of risk-finance optimization; quantify cyber business-interruption exposures; accelerate the closure of legacy claims; and improve workforce and fleet safety/loss control policies.

For example, Marsh-managed captives used to address cyber liability increased by 19% from 2015 to 2016. Since 2012, in fact, cyber liability programs in captives have skyrocketed 210%.
“We expect to see a continued increase, driven in part by companies that are already strong captive users and by those that may have difficulty insuring their professional liability risks,” Marsh said.