BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.
To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.
To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.
Companies have faced a surge in ransomware attacks during the COVID-19 pandemic, but despite the onslaught they can dramatically reduce if not eliminate the threat of ransomware, experts say.
Steps to take should include a companywide focus on security, an incident response plan and a separate backup system for data.
Experts say the huge increase in attacks during the pandemic relates to much higher numbers of employees working from home, often on less-than-secure systems.
Compounding the issue is many hackers work from eastern European countries, where authorities have shown little interest in pursuing them, or on behalf of sponsoring nation states.
In addition to demanding higher payments stemming from their system invasion, more criminals are also threatening to release personal information they have exfiltrated from company systems.
And although hackers are generally reliable in returning keys that decrypt companies’ documents, releasing data held hostage during an attack, businesses may still not be totally successful in restoring their data.
Negotiating with cyber criminals can be a complex exercise (see related story).
Meanwhile, insurers are responding to the heightened threat with lower limits, increased rates, higher retentions, coinsurance and ransomware sublimits, observers say (see related story).
Ransomware attacks usually involve a criminal hacker inserting malware into an organization’s system and blocking access to its data, or threatening to release the data, unless a ransom is paid. Cyber liability and other policies often cover ransomware payments.
“It’s become a big problem because it works,” said Aaron Aanenson, senior managing director, cyber security, S-RM Intelligence and Risk Consulting 2021, a cybersecurity company in New York.
“There are criminal networks that are greatly profiting off vulnerabilities that continue to exist, so they continue to exploit those vulnerabilities, and it’s been fueled by an anonymous payment system,” he said, referring to the cryptocurrencies that are generally demanded as payment, in which the payee remains unidentified.
For a long time, companies focused on privacy exposures and those that didn’t hold sensitive data felt they faced little risk of a cyberattack, said Sean Curran, senior director of Chicago-based West Monroe Partners LLC, a cybersecurity firm.
While ransomware was already a problem prior to the COVID-19 pandemic, “the work from home over the last year has only made the situation worse,” said Elissa Doroff, managing director and cyber technical leader at NFP Corp. in New York.
Working outside of the controlled environment of an office, employees may be using their computers in insecure locations, said Jerry Ray, Singapore-based chief operating officer of Secureage Technology Pte Ltd.
Ransomware’s threat is more significant now because it was easier to detect when people were working together in the office, said Scott T. Lashway, Boston-based co-leader of Manatt, Phelps & Phillip LLP’s privacy and cybersecurity practice group.
Further complicating the situation, the U.S. Department of the Treasury’s Office of Foreign Assets Control has issued an advisory warning that companies that facilitate ransomware payments with those on its “Designated Nationals and Blocked Persons List” or those covered by comprehensive country or region embargoes, such as Cuba, the Crimea region of Ukraine, Iran, North Korea and Syria, face sanctions, thus putting insurers working with policyholders in a difficult situation.
“We provide advice to the client as to what we think they should do, but legally, as an insurance company, we’re not allowed to pay in that situation,” said Kristen Dauphinais, head of cyber and technology for Beazley PLC in Dallas.
The FBI and New York Department of Financial Services recommend against paying ransomware, but companies that have become increasingly reliant on data and digital assets often feel that with their survival at stake, they have no choice but to pay.
“I never make recommendations on ransomware payments,” said Samantha Levine, Denver-based senior vice president, professional and cyber solutions, at CAC Specialty, an affiliate of brokerage Cobbs Allen.
It is up to CAC’s clients to decide their course of action based on the continued viability of the business if they do not pay, she said.
Experts say that to protect their own reputations, criminals often reliably return the encryption key, but errors may emerge during the process of attempting to restore the data.
In addition, the growing practice of following up ransomware demands with threats to release exfiltrated data provides criminals with revenue from companies that have adequate data backup and may otherwise be unwilling to pay a ransom, experts say.
Release of personal information could make companies liable for damages under various state privacy laws and regulations, said Emily E. Garrison, a partner with Honigman LLP in Chicago.
While smaller businesses are often the target of ransomware attacks, larger sophisticated companies are also targets, as the March attack on CNA Financial Corp. illustrates.
CNA, a significant cyber liability insurer, disconnected its systems after it was attacked by a hacker group known as Phoenix. Its systems, email and website remained down for more than a week. The insurer declined to comment on whether it paid a ransom.
Mr. Aanenson said, “There’s a trend towards ‘big game hunting,’” where large companies are targeted “because there’s generally a bigger payout available to them,” although it requires more time and effort by the hackers.
Experts say ransomware threats must be viewed as a companywide issue and as something that requires the attention of top management, and legal and compliance at a minimum, along with insurers, said Alan Brill, senior managing director with the cyber risk practice of Kroll LLC, an affiliate of Duff & Phelps LLC, in Secaucus, New Jersey.
Companies “need to transition to a more cybersecurity-minded culture in order to be better protected against these things and need better technology to prevent these types of attacks,” Mr. Aanenson said.
“Frankly, a lot of ransomware attacks that we see today could be prevented with basic security measures. The vast majority are not sophisticated. They’re just targeting highly vulnerable organizations,” he said.
Ms. Doroff said she believes some 90% of ransomware attacks could be prevented if policyholders closed open remote desktop protocol ports, which permit connections to remote systems, and introduce multifactor authentication.
“The reality is that a lot of compromises are being conducted through relatively simple loopholes” and through open remote access ports, which can be simply and cheaply secured, said Graeme
Newman, London-based chief innovation officer for CFC Underwriting Ltd. Open ports are “like leaving the front door open,” he said.
Many companies still don’t take basic security measures such as testing systems, running tabletop exercises and developing an incident response plan, said James Holtzclaw, Washington-based senior vice president, cybersecurity consulting and advisory services, for Marsh LLC.
Establishing backups that are impervious to criminal hackers because they are on a separate system or offline is also critical, experts say. Criminals will usually attack backups first “because they know that’s (companies’) fallback,” Mr. Aanenson said.
Furthermore, legacy systems without patches and updates remain common and it can be complex to disconnect them from a network without disrupting operations, Ms. Dauphinais said.
In many organizations, chief information technology officers are responsible for cybersecurity, in addition to their other duties, experts say.
“There needs to be dedicated security folks who are closely watching the activities that are going on in your network,” Scott Hellberg, Stevens Point, Wisconsin-based director information security-governance, risk, compliance, for Sentry Insurance.
More broadly, there is a need to address the issue of cryptocurrency’s anonymity, which has helped fuel ransomware’s growth, experts say.
“We need to have a greater understanding” of cryptocurrency’s ecosystem so that financial institutions and law enforcement can go after cyber criminals, said Michael Phillips, New York-based chief claims officer of cyber program manager Resilience and co-chair of the San Francisco-based Institute for Security and Technology’s Ransomware Task Force.
Ransomware incidents can require delicate skills.