Ransomware threatening national security: Webinar

Posted On: Jul. 30, 2021 10:45 AM CST


Sanctions risk is a growing concern for policyholders and insurers as they face a rising tide of ransomware events and claims, a panel of experts said.

Michael Phillips, chief claims officer at Resilience Cyber Insurance Solutions, said ransomware is no longer just a criminal nuisance for an individual enterprise, but something that is threatening national security.

Events like the attack on Colonial Pipeline or the JBS food processing facilities have concentrated the minds of business leaders and the public at large, but ransomware actors are increasingly sophisticated, Mr. Phillips said.

“They have developed a ransomware as a service business model where they are corporatizing and specializing in discrete aspects whether it’s money laundering, development of the malware, finding the potential vulnerabilities of the victims,” Mr. Phillips said.

He was speaking Thursday during a webinar on cybersecurity and ransomware hosted by Business Insurance and sponsored by Resilience Cyber Insurance.

Sanctions risk – the potential for a ransomware actor to be identified on a sanctions list or part of a terrorist group – is a growing concern, panelists said. If a ransomware actor is on a sanctions list, companies are prohibited from making ransom payments.

Scott Godes, partner, co-chair – insurance recovery and counseling practice, at Barnes & Thornburg LLP, said insurers are taking a very stringent approach in terms of whether a sanctioned entity is involved or not, making the claims process more challenging for policyholders.

“As a regulated industry, insurers are concerned that they don’t want to indemnify a policyholder for an amount paid to someone on the do-not-fly list,” Mr. Godes said.

However, “if there’s even a suggestion of someone being a sanctioned entity, whether it’s credible or not, or the suggestion is withdrawn, carriers are still saying they will not back off their position and they will refuse to indemnify,” he said.

This is putting policyholders in a challenging position of how to prove a negative, Mr. Godes said.

Thomas Reagan, cyber risk practice leader at Marsh, said that part of the challenge is that the underlying situations themselves are very complicated.

The question of sanctions payments is immediately tangible in insurance, but it exists for all parties, he said. “Your lawyer can’t give you advice to pay sanctions, your bank can’t wire the funds, the post office can’t sell you a stamp in violation of sanctions around payment to foreign actors,” Mr. Reagan said.

More expertise will be deployed in this area going forward, Mr. Phillips said. “For victims, attribution is one more complexity they have to figure out as they are trying to get their business back operating as quickly as possible,” he said.

It’s critical that organizations pivot away from prevention alone and toward resilience, Mr. Reagan said. “Organizations need to be resilient, and that doesn’t mean impenetrable or unbreakable, it means flexible and adaptable and able to bounce back,” he said.

Ransomware, to some extent, is the inevitable downside to all the advantages and benefits of digitization, Mr. Reagan said. “As we come out of the pandemic, as much human tragedy as we suffered, it would have been worse without the technology. The path forward will be a digital one. The downside is organizations are increasingly exposed to cyber risk,” he said.

Mr. Phillips noted that ransomware has been the top driver of frequency losses and of severe business interruption losses in recent years.

From 2019 to 2020, there was a “stratospheric rise in the average ransom demand into the hundreds of thousands for enterprises of all sizes, with multimillion-dollar demands becoming a frequent sight,” he said. More recently, there has been a slight decrease in average ransoms and a decline in frequency, reflecting “perhaps some optimism on the horizon,” he said.

A recording of BI’s ransomware webinar is available here.