[BreachExchange] Ransomware and the Uncertainties of Cyberinsurance
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Nov 4 18:12:00 EDT 2021
https://securityboulevard.com/2021/11/ransomware-and-the-uncertainties-of-cyberinsurance/
Ransomware attacks are ubiquitous, and the insurance markets are chaotic.
That, at least, seems to be the state of cybersecurity and risk mitigation
since the COVID-19 pandemic began. It also isn’t far from the truth:
Ransomware attacks have markedly increased, placing significant pressure on
insurance markets to provide organizations with affordable options to
minimize risk without running insurers out of business. But rather than
present new problems, the recent spate of attacks has exposed long-existing
fault lines in how organizations manage their security, how insurance
markets price the risks and how other actors in the security
space—especially governments—affect organizational response. How should you
be thinking about these risks? What practices should you consider
incorporating as you try to minimize the effect of an attack?
The Unique Challenges of Ransomware
All information security incidents are serious, but ransomware attacks are
particularly insidious. While a typical attack might, for example, lead to
the exposure or even theft of sensitive information or induce a
counterparty to reroute a wire payment to an offshore bank account, a
ransomware attack will not only allow an attacker to access and potentially
exfiltrate information but also encrypt and make information inaccessible
until the victim pays hundreds of thousands—or even millions—of dollars in
exchange for a decryption key. At best, data inaccessibility might mean
that a business needs to clean its drives or servers and pull from backup
data, assuming usable backup data exists and is unaffected by the attack.
At worst, it can mean that a hospital, for example, will be unable to
access patient data for days or weeks, placing untold numbers of
individuals at risk. And it is those latter categories of information and
institutions, where information is particularly vulnerable and lives are
literally endangered, that attackers are targeting. For example,
according to a June 3, 2021 report, the U.S. Department of Homeland
Security estimated that nearly 60% of notable global ransomware attacks
affected the United States health care sector.
Ransomware attacks have, over the past two years, become increasingly
severe and sophisticated, forcing extended periods of information
technology downtime and increased incidents of data exfiltration.
Particularly successful attackers employed social engineering, such as
phishing scams, to prey on people’s fears during the COVID-19 pandemic. In
other words, ransomware attacks are the worst of both worlds, stressing—if
not eviscerating—business continuity and forcing organizations to confront
regulatory, litigation and counterparty risks. Compliance risks alone can
measure in the tens of millions of dollars, taking into account recent
trends under the European Union’s General Data Protection Regulation
(GDPR).
But on top of the potentially existential threat ransomware poses to an
organization’s ability to function is the cost of the ransom itself. Ransom
payments stemming from an attack average a little under $1 million, with
the price tag reaching as high as $40 million. For organizations facing the
unique risk of having vast oceans of sensitive data inaccessible, it can be
tempting to pay. And until recently, the U.S. government, while not exactly
encouraging the practice, has not actively discouraged it. That led to a
cottage industry of providers that specialized in negotiating with
ransomware attackers to accept payment for the release of data. On the
other side of the ecosystem, as the Colonial Pipeline hack illuminated,
ransomware-as-a-service (RaaS) threat actors sprang up, offering their
ransomware technology to anyone who would pay. It is lucrative to be an
attacker, and the market has allowed such attacks to flourish.
But the U.S. government has begun to look at ransomware attacks differently
and to act accordingly. Such actions include the Biden administration’s directives to federal
agencies to shore up their information security to better protect against
cybersecurity attacks (in particular, those from nation-states or those
sponsored by nation-states), and the U.S. Treasury Department’s Office of
Foreign Assets Control (OFAC) issuing guidance cautioning against paying
ransoms. This last development is particularly important, especially in the
absence of any law or regulation outlawing ransomware payments (though such
laws have been proposed in Congress). Under OFAC regulations, individuals
or entities that pay money to those on a sanctions list may be considered
in violation of those regulations, which can lead to severe penalties. As
the most recent advisory makes clear, even if the entity making a
ransomware payment does not know that the recipient is on the OFAC
sanctions list, they can still be held liable. OFAC instead encourages
victims to develop a risk-based compliance program, take risk mitigation
steps outlined in the Cybersecurity and Infrastructure Security Agency’s
(CISA’s) September 2020 ransomware guidance, cooperate with law enforcement
and contact any one of a number of U.S. agencies.
In other words, as ransomware attacks increase and become more
sophisticated, the dangers to businesses have also increased and deepened
the incentive to pay. At the same time, governments have started to
consider taking a harder line against paying attackers and forced
organizations to improve their information security.
Insurance Market Chaos
Insurance providers are critically important actors when organizations plan
for or respond to ransomware attacks. When an attack occurs, organizations
will either make claims on their existing cyberinsurance policies or seek
cyberinsurance to mitigate future risk. The cyberinsurance market has thus
been forced to respond to the prevalence of attacks and the government’s
current posture, and the results have been predictable, although also
deeply problematic for those seeking coverage.
One predictable outcome: Rates have gone up and coverage has gone down.
Average rate increases in 2021 approached or exceeded 40% per month. At the
same time, carriers either dropped ransomware coverage altogether or
conditioned such coverage on organizations’ implementation of specific
security controls. It’s no surprise this would be the case; insurers
contended with severely decreased profitability stemming from not only the
ransomware payments themselves but also from the regulatory, litigation and
business continuity risks that these attacks bring. On top of these risks
are the limitations that come from coverage in light of increased scrutiny
by OFAC and the reluctance of law enforcement agencies to assist in paying
attackers.
The insurance market has not yet settled to a point where pricing is
standard or predictable; not even the terms of coverage are standardized.
But volatility in the markets is leading to a greater focus on cyberhygiene
as a way to help control the risk of ransomware attacks. The list of such
practices should be familiar to privacy and security practitioners: Use
multifactor authentication, create strict and stratified access controls,
create secure, offline backup systems, create a protocol to incorporate
critical security patches into information technology systems, create
detection and response systems for all endpoints and so on. As risks
increase and the insurance market contracts, organizations seeking coverage
will need to demonstrate rigorous controls.
But seeking insurance may be necessary for organizations, especially
heavily regulated ones, to demonstrate their own compliance and diligence
to regulators in the event the worst happens. For example, the Securities
and Exchange Commission requires public disclosure on the costs of known or
potential incidents; reporting such costs in the absence of cyberinsurance
can send a worrying signal that an organization is unprepared for the
fallout from an attack.
And even having such insurance will not guarantee coverage when the time
comes. A growing body of case law stemming from cyberinsurance litigation
leaves some doubt as to whether an attack that encrypts information has
created the kind of harm contemplated by a policy. In other words, there
are important questions for potential insureds about whether they can
effectively mitigate risk—or if they can at all.
Navigating Competing Forces
In many ways, none of the challenges posed by ransomware are new:
Organizations must always adequately plan for the risk of a catastrophic
attack to their information structures and to the data they maintain;
governments must step in to stem the tide of systemic actions that threaten
the economy and critical infrastructure and insurance carriers must
constantly grapple with the unique risk-pricing challenge that comes from
information security. But ransomware attacks, and their significant
increase and prevalence in sensitive areas of the U.S. economy, have
exacerbated all of these problems. Already, the government has reacted by
discouraging payment while insurance markets have reacted by trying to
force certain mitigating behaviors. In all likelihood, the severity and
ubiquity of attacks will lead to heightened information security practices
becoming more commonly shared among organizations and to legal changes
meant to curtail the behavior. Following best and evolving practices in
information security is the best course for organizations seeking to obtain
coverage and prevent an attack. Having outside counsel and a line to law
enforcement are other crucial steps. Given the chaos, organizations are
left with the need to plan carefully for the coming crisis.