[BreachExchange] Ransomware and Cyber-Insurance: What It Means for You and Your Company

Fri Mar 3 16:29:12 EST 2017

https://www.infosecurity-magazine.com/opinions/ransomware-cyberinsurance-
means/

“YOUR COMPUTER HAS BEEN LOCKED! All your files and documents have been
encrypted. But do not worry, I have not deleted them, yet. You have 24
hours to pay me $500 in Bitcoins to the address shown at left to get the
decryption key. This amount will double every 24 hours and one random file
will be deleted until payment is received.”

This kind of alarming message has become all too familiar to businesses and
other organizations these days. At this moment, someone is probably
clicking on a seemingly benign link in a spam email and inadvertently
infecting his or her computer and the entire network with malware,
rendering files and data inaccessible until the organization pays a ransom
to unlock them.

Ransomware attacks are rising dramatically, with the U.S. Justice
Department estimating that their number tripled last year to 4,000 every
day. Every industry is seeing an increasing threat, with the education and
health sectors particularly hard hit.

Academic institutions are especially vulnerable due to their generally
smaller IT teams, tight budgets and a high rate of file sharing activity on
their networks. Healthcare providers, especially hospitals, make ripe
targets because their patient data is critical in life-or-death situations,
which could make them more likely to pay the ransom.

If you’re one of the approximately one third of U.S. companies that
purchase cyber-insurance to mitigate the costs of a security breach, you
may be covered for a ransomware attack. But policies can vary greatly, and
it’s important that companies understand the specifics.

Many carriers insure against ransomware attacks as part of “extortion
coverage” often included in comprehensive cyber-insurance policies. The
payouts generally encompass not only the ransom amount, should the
victimized company decide to pay it, but also potential related costs such
as a negotiator and experts to stop the intrusion and block future attacks.

Not all policies have extortion coverage, however, so you need to check.
For example, if you’re getting cyber-insurance as part of other coverage
such as E&O (Errors and Omissions, which protects against liability for
problems in performance of professional duties), extortion may or may not
be included. Sometimes, you have to request and pay extra for protection
against ransomware.

It’s essential to be aware of policy exclusions. If the extortionist is
believed to have a connection to the organization – such as a disgruntled
former employee or a vendor who wasn’t paid – insurance won’t cover. It has
to be a credible, external threat. And, of course, the attack must occur
during the policy’s effective period – if it’s detected before or after,
you won’t be covered.

It’s also important to know that sublimits – ceilings on the amount of
coverage available to cover a specific type of loss – could be lower than
the amount of overall coverage. Say you have a $1 million policy: find out
what the sublimit is for extortion and determine whether it would be enough
to cover not only the ransom (again, if the organization decides to hand it
over), but a host of other possible expenses such as forensic
investigation, business interruption costs and legal fees. The higher the
coverage, the higher the sublimit to cover potentially mushrooming costs.

The first step after being attacked should be to notify the underwriter. In
almost all cases, insurers will decline claims they didn’t know about
first. But beyond meeting policy requirements, it’s smart to immediately
contact the carrier because they deploy breach coaches and other experts to
walk you through the process and help make the best decisions on next
steps. Understand that if, after consulting with the carrier, you decide to
pay the ransom, it will first come out of the organization’s pocket and
then be reimbursed.

Recognize that insurance may not cover all costs. For example, a ransomware
attack may wreak such severe havoc on a company’s network that it has to
replace computer equipment. The company may be on its own for such expenses
– anything beyond the ransom itself and associated professional services
for responding to the incident.

While cyber-insurance can protect against the damage from ransomware, as
with any type of insurance, the best offense is a good defense – in this
case, preventing attackers from getting a foothold in the first place.

Since most ransomware attacks start with someone getting tricked into
installing malware through a Trojan disguised as a legitimate file,
organizations that regularly train employees to be aware of this threat are
more likely to be successful in guarding against it.

Given the sharp rise in ransomware attacks, it almost seems inevitable that
an organization will be targeted at some point. With the right preventive
program and cyber-insurance policy, your company can be protected.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170303/91e582c9/attachment.html>