[BreachExchange] The Case for Ransomware Insurance

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 2 20:07:26 EDT 2017


http://www.govtech.com/security/GT-OctoberNovember-2017-The-Case-for-Ransomware-Insurance.html

In January 2017, Licking County, Ohio, was hit with a massive ransomware
attack, affecting more than half of the county’s servers and locking up and
encrypting data. Even the phone system was crippled, impacting the county’s
911 system. The hackers demanded 28 bitcoins, or the equivalent of $30,000,
in order for the county to access its information and resume operations. By
the time county tech workers discovered the malware, they had a choice: Pay
the ransom or use backups to recover the data and work through every system
and delete the malicious code. They opted for the latter, and while most
county operations were slowed for nearly two weeks, after the initial
recovery, most vital systems were back online.

“We thought we were pretty good,” said Licking County Commissioner Tim
Bubb. “We found out we weren’t as good as we thought.”

Bubb hopes that others can learn from their experience, and a neighboring
county is taking that message to heart, working to protect itself from
potential ransomware attacks. On July 18, Franklin County, Ohio, approved
the purchase of a $140,000 cyberinsurance policy that included
extortion-specific protections. “It just makes sense in this day and age to
expend the funds to make sure we have protections in place,” explained
Franklin County Administrator Ken Wilson. “We want to be able to be in a
situation where we aren’t reactive … but proactively protecting ourselves.”

The rise of ransomware, a type of malicious software that infiltrates computer
networks and encrypts data until a ransom is paid, has been rapid. The malware
often takes advantage of older operating systems with unpatched security
vulnerabilities. “Every government level is going to be a target because
they have tons and tons of data,” said Erin Ayers, editor for Advisen Ltd.,
an insurance company. Ransomware is “prevalent enough of a threat that most
sophisticated cyberbuyers are not buying coverage if it does not have some
kind of recovery for ransomware.”

Cyberinsurance policies increasingly include ransomware protections that
can be used to help recover losses that otherwise result in business
disruptions or actual ransom paid. Ransomware insurance usually takes the
form of a “separate extortion endorsement that is added to a policy if you
want coverage for ransomware,” explained a representative from the National
Association of Insurance Commissioners (NAIC).

One issue for the widespread adoption of ransomware extortion riders is the
lack of standardization in cyberpolicies. Because the industry is still in
its relative infancy, there are a number of criteria buyers need to abide
by in order to ensure their policy covers cyberattacks. For any public
agency looking to purchase cyberinsurance, NAIC recommends doing your
research beforehand, understanding what you’re getting and asking lots of
questions.

While updating its cyberinsurance policy, the Indianapolis Airport
Authority recently included protections against ransomware attacks. Senior
Director of Information Technology Reid Goldsmith said the move was spurred
by a ransomware incident in nearby Madison County, Ind., in late 2016. The
county eventually paid more than $200,000 for data recovery services and
offsite backups. Goldsmith took a lesson from that, and ensured that
ransomware “was top of mind when we were discussing a cyberliability
policy.”

But no cyberstrategy, even one that includes robust protections backed up
by cyberinsurance, is foolproof. “It’s like you live in a house with 1,000
doors,” Bubb said. “If one is left cracked open, that’s enough for a
break-in.”