Slowly but surely, the world appears to be gaining control over COVID-19. Yet businesses and individuals alike are far from breathing a sigh of relief; the globe continues to be plagued by a “digital pandemic”. With ransomware now one of the most pressing cyber concerns for businesses and an approximate 300% increase in ransomware payouts in 2021, cyber insurance professionals are increasingly faced with the tedious task of predicting the true cost of a ransomware attack to business – both their own and their customers. Indeed, the ransom itself is never the only price to pay and cyber liability insurance has become a vital cost and protection for organizations worldwide.
This article provides a complete account of damages following a ransomware attack, starting with expenses resulting from the immediate aftermath of an attack. These have not been quantified in financial terms, since the price to pay for a ransomware attack will vary depending on several factors, including company size, the type of data they collect and the severity of the attack. One US insurer reportedly made a $40 million ransomware payout in March 2021, setting a new world record.
One of the key features of the cyber insurance product, which makes it such a unique offering, is the provision of an Incident Response Team (IRT). This comprises a technical, legal, and reputational panel of local and international vendors which aims to nip any attack in the bud and get businesses up and running ASAP.
1. First Response IT Services
This team conducts a forensic examination of the incident, uncovers its causes and origins and determines whether it is still ongoing. It will also identify the type of breach resulting from the incident, by probing the extent to which Personal and/or Corporate Information has been compromised. It will then work to contain and eradicate the attack by removing any malicious software, computer code or virus from the company’s computer system and/or identifying any compromised data. The IT response team will also scrutinize the company’s computer system to determine the remediation actions that are required.
2. Legal Services
Specialized legal advisors will identify the notifications which must be made both to the authorities and clients. If applicable, they will also assist with representation in third-party claims.
Record-breaking ransom demands are increasingly placing victims between a rock and a hard place: the victims must weigh up paying the ransom as hush money, against the potential fines and sanctions they could recieve if news breaks out. Companies operating in jurisdictions where privacy and data protection regulations are particularly stringent will be in even greater need of expert legal advice.
Let’s take the EU’s GDPR, for example, introduced in 2018. This new law provoked a major shake up, not just for daily business operations but also for cyber attackers. The enormous regulatory fines meted out have enabled malicious actors to hike up their demands, knowing all too well that their victims would have to carefully way up potentially heavy sanctions with extortionate fees. Generally speaking, EU regulators take an unsympathetic stance on ransomware attack victims. Under GDPR rules, even if personal data is not exposed, the lost availability of personal data experienced during a ransomware attack could be considered a regulatory breach.
The situation gets stickier when other local criminal and counter-terrorism laws are taken into account: those agreeing to pay ransoms must be confident that they will not be in breach of terror-financing laws. They will need legal advisors to weigh up complex questions of law: namely, whether there is a possibility that the ransom could be used in the commission of further offences by the cyber-attacker, making the payment an “instrument of crime.”
One of the other major areas of legal advice needed in a ransomware event is on the reporting of the incident to governing authorities. Legal advisors can assess whether there is a wider risk of further attacks and, should they decide not to report, they should produce comprehensive documentation as a fool-proof papertrail.
3. Negotiation team
Coughing up a ransom is not a straightforward decision to make. Everyday that passes in a ransomware attack has costly implications for the affected business(es), but, whilst paying a ransom minimises damage and downtime, it by no means isolates the incident as a one-off. In fact, it may well be that the hacker left a back-door for a future attack, encouraged by the money they made from the first attack – and so the headache begins all over again.
The negotiation team will communicate with the attacker and aim to reduce the ransom payment due. They will carefully assess the data produced by the IT team, calculate the extent of the damage, qualify it against the size of the ransom demand and devise a competent negotiation strategy off the back of this. Some techniques they will employ include asking for “proof of life” (i.e. verifying that the attacker can decrypt the stolen data and restore it back onto the system). They will also be able to complete checks to verify the attacker’s identity, removing any concerns over terrorism financing and enabling the victim to play the game as safely as possible. By far the biggest value which the negotiation team delivers is the time which they buy for the victim – it is during this time that the technology teams can try to restore data from backups and conduct other methods of damage control.
A ransomware attack is not only an IT issue – it is a reputational issue that can make or break a victim’s recovery. As with any hostage crisis, communication is key, but the full details can only emerge well after the event – once the ransom has been paid, the data has been restored and the remaining gaps in network security are boarded up.
Public relations experts will manage the client’s reputation, often breaking news of the event before it is leaked by the attackers. Informing customers and shareholders in a timely manner and avoiding distress. This will ultimately ensure that the victim maintains control over the narrative, maintaining a calm composure and trust with key stakeholders.
5. Restorations costs
Even with good quality back-ups of data, this is a complex task. This team will restore business networks and any stored data to get the business up and running.
But the impact of a cyber attack is far-reaching and long-lasting. There will be significant prices to pay in the days, weeks and even months following an incident. Below, we have listed further practical costs which must be factored for the period after the attack’s initial aftermath:
6. The Ransom
Even with a negotiation team, the ransom demand is unlikely to be reduced to zero. The costs of the ransom typically include the payment agreed with the attacker and conversion fees for converting the money into crypto currency.
But arranging a crypto payment may be more complex than anticipated and, quite often, advice and support from specialists is required. It is recommended that payment arrangements are set out in a company’s cyber incident response plan in advance, as this will expedite recovery. Support might be needed to open a cryptocurrency wallet, purchase cryptocurrency and then to make the transaction in line with regulatory requirements.
7. Business Interruption
Let’s imagine that a manufacturer uses a computer network to process and fulfil orders, set machinery into production and monitor hazards. Let’s then imagine that this computer network is subjected to a ransomware attack which shuts down the facility. The manufacturer is not a proactive policy holder, and does not undertake regular threat intelligence research or security patches. Various cyber consultants are engaged, but, with no pre-existing incident response plan nor a comprehensive insurance policy, immediate progress is slow. Three weeks go by and the factory remains shut.
This can lead to loss of income and operational costs that exceed normal rates, since increased resources may need to be engaged in order to restore the affected business to the same level of operability as before.
8. Fines and Penalties
These can arise if the incident indicates a breach of legislation on the part of the business. The extent of a business’s liability and the size of the fines they may have to pay will therefore depend on the jurisdictions in which they operate. But there is another catch – in many jurisdictions around the world, it is against the law for insurers to cover a fine or sanction handed out as a result of a ransomware incident. For example, under GDPR, insurance carriers cannot cover a regulatory fine stemming from a ransomware breach.
9. Third Party Claims
These may arise from, for example, suppliers or customers who are also affected as a result of an incident where their claim would be covered by the policy.
Want to gain a more in-depth understanding of the costs of a ransomware attack? The Cyber Insurance Academy provides a comprehensive educational program on the financial costs of various cyber attacks and the variety of services and support that a victim of ransomware will need to get them back up on their feet. Our students work through detailed case studies which they can successfully apply to their professional day-to-day. Find out more here.