How Cyberinsurance Is Responding to Ransomware: An Interview with Ken Suh, Mark Singer, and Marcello Antonucci

28/10/2020 12:39

Ransomware has long been a scourge, and it has been growing into a pandemic with no signs of slowing down. I recently had the opportunity to discuss ransomware with several experts at Beazley. Based in Chicago, Ken Suh is the focus group leader for cyber & tech claims at Beazley. Mark Singer is a cyber & tech claims manager based in Beazley’s London office. Marcello Antonucci is based in New York and is a global cyber & tech claims team leader at Beazley.

SOLOVE: We have read a lot recently about ransomware (including my interview with Kim Horn of Beazley). I am interested to learn more about consequences of such incidents. What impact does a ransomware incident typically have on an organization’s data? 

SUH: Companies often underestimate the wide-ranging impact that a ransomware attack can have on their data. This critical misstep can have a substantial impact on an organization’s ability to make well-informed decisions.

The misconception we encounter most frequently is that paying a ransom is like flipping a switch and their data will be restored fully and quickly. This is rarely the case, if ever. The encryption process is destructive and decrypting the data does not completely restore all of the impacted data, or the relational information between data, to its pre-attack state. The decryption process can also take significantly longer than clients anticipate because of the sheer volume of the encrypted data and precautionary measures that must be followed during the decryption process.

To compound the problem, with the rise in bad actors coupling a traditional ransomware attack with a threat to dump data, organizations still have to worry about all the breach response and data privacy issues, regulatory investigations and class actions we have grappled with for the last decade too.

SOLOVE: Are there any legal implications from a privacy perspective of organizations not being able to access their own customers’ data which they are holding?

ANTONUCCI: While liability will usually be associated with the bad actor’s activities in launching a ransomware attack, a key consideration to recipients of such attacks is their responsibility to clients or individuals for whose data is being held. This can be particularly sensitive where an organization holds health or financial data on individuals. If a simple patch might have prevented a ransomware attack, fingers will be pointed at the organization which could be said to have failed to meet adequate cyber security standards. Indeed, clients may bring claims against the organization for the downstream consequences resulting from the lack of access to their data.

Healthcare organizations will have regulatory obligations under the Health Insurance Portability and Accountability (HIPAA) to their patients, and there have been class actions commenced against such providers for failure to adhere to such obligations by failing to implement appropriate processes that could have prevented or minimized the effects of such a ransomware attack. Additionally, in situations where client or individual data is corrupted or lost, we expect to see novel claims under privacy frameworks like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) for the lack of access and retention of that data.

If the attack itself wasn’t enough to cause a headache, these added, potentially very serious, complications are ones to take careful note of.

SOLOVE: How do your clients make decisions about whether to pay a ransom?

SUH: The decision whether or not to pay a ransom can be a difficult one, and Beazley supports our clients regardless of their decision.

Clients who enter into ransomware incidents with strong principled positions, like “we will never pay” or “we will always pay” often find it difficult to stick to those positions during an actual attack. Worse yet, because they anticipated not needing to revisit their decision, they tend to be the least prepared to have rigorous internal discussions about an effective response strategy.

From our experience, the best-prepared clients have a robust incident response, disaster recovery and business continuity plan that is designed to uncover and feed the most important information to the pre-identified decision makers. Our clients tell us the most important factors are:

  • The existence of a viable back up of the affected data.
  • The time to restore the affected data from a viable back up.
  • Internal and external technical expertise and constraints.
  • Whether the ransomware strain or the threat actor group is known to exfiltrate data.
  • Impact of a prolonged downtime during the attack to a client’s downstream and upstream supply chain.
  • Potential reputational harm resulting from either prolonged downtime due to the attack or from paying the demand.
  • A crisis communications strategy on how to communicate with the outside world and how to message to minimize reputational harm.
  • The time and resources required to decrypt the impacted data if a payment were to be made.
  • The time and resources necessary to rebuild the impacted data once it has been decrypted.

We encourage our clients to obtain the necessary information they need to weigh these critical factors.

SOLOVE: How do organizations generally go about the process of restoring their data and how long does that process typically take?

SINGER: Beazley has seen data restoration processes last from several hours to several weeks, regardless of whether the organization restores from a decryptor key or back-ups. No matter the size of the organization, the data recovery process starts with two simple questions (1) do backups exist; and if so (2) are the backups viable? Assuming the answers to both questions are yes, data recovery experts will begin by working with the organization to identify those data sets that are mission critical to the organizations purpose or business functions — for medical professions, this might be patient records, while an e-commerce company may want to focus on restoring its website domain or inventory lists. The overarching goal: minimize downtime and get the organization up and running as soon as possible. The timeframe for data restoration further depends on the amount of data to be restored (i.e., more data equates to longer restoration time), and where it is located; data on physical backups can be restored relatively quickly, while the timeframe for restoring from cloud backups will vary depending on server traffic, bandwidth, and internet speed. Organizations who want to engage in best practices should ensure they have a comprehensive disaster recovery plan, backup their data frequently, and test those backups regularly. Moreover, as Covid-19 has pushed many organizations to work remotely and implement tools to help them do so, in particular cloud based applications, now is a good time to consider a strategic and diverse strategy to store and back up data.

SOLOVE: Are bad actors just going after money, or are there other threats they are making?

SUH: Threat actors seem to have a range of goals, though money is a common thread. We have seen and continue to see some concerning trends from cyber extortion incidents. Data exfiltration has become more common during a ransomware incident. The threat to release exfiltrated data has been used to increase the extortion demand. We also have seen events where data is manipulated or deleted, the data was selected because of its importance or ties to external events and the extortion threat offers to help the organization find the problem before time runs out. We’ve also been tracking a recent trend of increased hacktivism, during which a primary goal is to cause disruption to a business or government entity. Of course, in all of these situations, threat actors continue to demand ransom payments.

SOLOVE: What role does cyber insurance play in getting organizations back on their feet after a ransomware attack?

SINGER: When notified of a ransomware incident, Beazley’s key objective is to ensure that the insured organization is very quickly connected with the relevant experts to help guide them through what is likely to be a stressful process. If attacked with ransomware, an organization may need the assistance of ransom negotiators, IT forensic providers, legal counsel specialising in privacy law, data restoration specialists and/or crisis communications consultants. On a parallel track, data recovery experts are mobilized to access the situation and stand ready to restore data and coverage is potentially available for that type of work.

Many organizations will not know where to turn. Our deep bench of experts, available to tend to a wide variety of incidents in many different jurisdictions around the world, ensures that the incident can be brought under control quickly. Pre-vetted experts and pre-agreed rates are an enormous saver of time when time is of the essence. Beazley is there to facilitate these introductions, help educate our insureds and reimburse costs where possible. Separately, and a little later down the line, business interruption coverage is intended to put the insured organization back into the financial position it would have been had the incident not occurred.

SOLOVE: What is the process for working out the amount an organization has lost for the purposes of assessing a business interruption claim?

SINGER: The process for adjusting a business interruption claim is a bespoke one because every claim is different. The process will likely be based on the provision of various financial documents such as monthly Profit & Loss Statements, Federal Tax Returns/ Audited Financial Statements, Periodic Payroll Ledgers and sales information. A typical (and simplified) process is to compare sales during a specific period against the same period in the previous years. For example, for a retailer which has its systems interrupted over the Christmas period, we will look to establish what income would have expected to have been generated from patterns in previous years. We would then subtract the income actually generated from the expected sum to arrive at a loss figure. We will also incorporate the operating expenses that must continue to be incurred whilst the organization tries to restore its systems. This is one method of calculation among others that might be applicable for the particular loss in question. The key to a smooth adjustment process is early communication on the information needed, a collaborative relationship with forensic accountants brought in to measure the loss and mutual understanding of how the business and coverage work.

SOLOVE: Thanks Ken, Mark, and Marcello for your informative insights!