Ultán Anderson: Ransomware payments – an insurance perspective
Ultán Anderson, litigation solicitor at Leman Solicitors, explains how “cyber insurance” can help protect businesses from ransomware attacks.
Unless you have been living under a rock for the past two weeks, you will have heard of the cyber attack on the HSE. A Russian gang known as ‘Wizard Spider’ attacked the HSE systems, deploying ransomware and demanding a ransom that is reported to be in the region of $20m. Stephen Donnelly, Minister for Health, has made it very clear that the HSE will not be paying.
My colleague Stephen O’Connor discussed the implications around paying a ransom in his article here. In summary, if the costs of the ransom are lower than the costs that your business will incur in restoring files and systems, it is worth considering. You should, however, be aware of the implications of paying a ransom. Paying criminals will facilitate more criminality and lead to more sophisticated ransomware attacks.
There is also the risk that paying the ransom will not resolve matters. According to a report by Kaspersky, a cyber security solutions provider, over half of ransomware victims pay the ransom, but only a quarter see their full data returned. Only 29 per cent of victims contacted for the survey were able to restore all their encrypted or blocked files following an attack.
The HSE is in a different position than other businesses. The adverse PR of a governmental organisation paying a ransom is a lot worse than any other organisation paying a ransom. A government organisation is held to a higher level of moral standards than a business. If it was paid, is this tacit acceptance that it is in order? Further, it may (is very likely to) make other government agencies a target for future attacks.
The main asset of many companies is now its data. If someone denies your company access to this data, it can be paralysed. If you called the HSE on Monday inquiring about an appointment you had in a hospital and you didn’t know what doctor your appointment was with and what time it was at, the HSE had no way of directing you to the right place. Now the HSE are saying that their payroll may be affected.
Who is being targeted?
Schools, professionals and SMEs have been significant targets over the past number of years for cyber attacks. Generally, you need a large budget in order to insulate risk. Sophisticated companies usually have viable backups and incidence response plans. They shut off old systems and migrate to new systems and there is no need to engage with threat actors. However, no one is immune to a cyber attack. The more sophisticated cyber security becomes, the more sophisticated cyber attacks become.
Threat actors will explore all means possible to monetise the cyber attack threat actors are exfiltrating data with the aim to either hold it to ransom or sell data on the dark web. Reports suggest that some of the HSE data is being sold on the dark web.
You will need experts to deal with a cyber attack. It isn’t as simple as in paying the ransom, the threat actors leave you alone and your files are restored. Experts will be able to advise you on the positives and negatives of paying the ransom and whether they believe it is right for your business. You will need to consider the alternatives and strategies.
If you and your team have performed your costs benefit analysis and the decision has been made to pay the ransom, how do you do this? Reports suggest that the HSE ransom was to be paid in Bitcoin as most ransomware payments are. Most companies will not have access to Bitcoin. Cyber professional teams will know how best to deal with the payment process if the decision is to pay the ransom.
Payment of the ransom could be linked to other strategies such as injunctions or Garda investigations.
Cyber insurance policy
There is considerable information available online about how to plan and implement policies that will protect you from cyber attacks. Software and technology reviews should be carried out. All organisations should review their policies and procedures and ensure they are prepared. Consider the documentation and personal data you hold, assess what is critical and assess your back up procedures.
None of this prevents a cyber attack but rather puts you in a better position if and when one occurs. Most organisations are never going to have the IT budget to facilitate large scale system upgrade overhaul. How do you insulate the risk: cyber insurance.
A good cyber insurance policy should cover you for comprehensive support during the critical 48- to 72-hour period of a cyber attack. It will likely include the following:
- Security and Privacy Liability
- Multimedia and Intellectual property liability
- Technology Services
- Business Interruption and recovery
- Legal fees
- Privacy regulatory defence and penalties
- Reputational Damage
- Forensic investigation and data restoration
All policies are different so you will need to liaise with your broker with respect to what you need. Cyber policies are not and should not be add-ons to your other policies. The days of cyber cover being an afterthought are and should be behind us.
Depending on the circumstances, the temptation will of course be there to pay a threat actor. If you have a good cyber insurance policy in place, your insurer should engage a comprehensive crisis management team that will deal with the cyber attack in a professional manner and potentially avoid any need to pay a threat actor. Your insurer should deal with the cyber attack with haste and instruct the right people at the right time.
If you don’t have a good cyber insurance policy in place you may need to instruct a team of experts yourself. Although this may be costly, it will more than likely save you money in the long run by avoiding GDPR fines and by regaining control of your data which is vital to your business. These experts, in addition to everything else, should be able to advise you of the positives and negatives of paying a ransom and if the decision is ultimately made to pay it, how to make the payment.