The one question that I keep getting asked and even asking
myself of my podcast guests is what they think the number one Cyber threat is
this year. Hands down, and without a
doubt, it has to be Ransomware.
This threat variant started to get some serious notice back
in 2019, but really proliferated right after when the COVD19 pandemic hit the
shores of the United States and started to reach its peak. We saw this with the uptick in domain name in
heisting, and the creation of fake and malicious websites, most notably that of
the World Health Organization (WHO).
And in 2021, its really make its mark well known now in the
healthcare sectors and Critical Infrastructure here in the US, given the recent
events of the Colonial Pipeline. But
apart from this, Ransomware has gone to even further extents, which now
includes that of even extortion.
In these tragic cases, the victim company is often
threatened that if they do not make payment via some sort of Virtual Currency,
they will then make for public all of the Personal Identifiable Information
(PII) datasets that they have captured.
But now this comes down to the question, of whether the victim should
pay the Cyberattacker or not in order for them to restore mission critical
operations.
In the case of the oil pipeline attack, the CEO decided to
pay about $4.4 million (worth about 75 Bitcoin) to the Cyberattacker group so
that the flow of gas and oil could resume once again, without causing too much
more pain at the pump and in the financial markets.
I have actually addressed this question in previous blogs,
and even in articles that I have written for clients in the past. My fundamental answer, and it still continues
to be is: Do not pay up.
Why? Well, there are
two primary reasons for this:
*If you pay up, this is only going to fuel the Cyberattacker
to come after you again, but this time, causing more havoc, and even demanding
more money. After all, if they could get
in once, they pretty much know where all of your vulnerabilities and weaknesses
lie at, so they can penetrate you once again quite easily. Worst yet, they can even stay in for a very
long period of time, without you even knowing anything about it.
*If you have maintained a proper and regular cycle of
creating backups and have a rock-solid restoration in place, all your IT
Security team has to do is discard the infected equipment and get new
ones. Or better yet, if you had your
stuff in the Cloud, like the AWS or Microsoft Azure, it all comes down to
getting rid of the impacted Virtual Machines (VMs) and Virtual Desktops (VDs)
and creating new ones in just a matter of minutes. From here, you can then restore all of the
information and data into them, from the backups that you have created.
So, in the end, there is no need to pay the Cyberattacker,
assuming other “normal” circumstances still exist (I leave this terminology to
your own interpretation). But now,
companies not just here in the United States but worldwide may have no choice
now.
Just recently, the global insurance firm, AXA, just
announced that it would not reimburse impacted businesses anymore if they have
actually paid a ransom and filed a legitimate claim.
One of the primary reasons cited for this decision for this
landmark decision is that with giving out such kinds of payouts, the rise of
Ransomware attacks is simply going to proliferate at levels even far greater
than what we are seeing now. But this is
a catch 22 sort of proposition. Now,
companies will pretty much have no choice now but to further beef up their lines
defenses and take Cybersecurity much more seriously. But what about those companies that have
already been proactive in doing this, and through no fault of their own, they
still become a victim?
Shouldn’t they deserve some sort of financial help from
their Cyber Insurance Policy?
But it is not just AXA that is trying to stop companies from
making Ransomware payments. Even our own
government is taking steps in making sure that this does not happen. For example, it could be considered a felony
under US laws if a company pays out anything to a Cyberattack group that have
been put on a watch list by law enforcement agencies worldwide. This is according to Office of Foreign Assets
Control, which is overseen by the Department of Treasury.
This legislative ruling has already started to have some
effect, some 1,400 mayors across the United States have pledged that, as long
as they continue to remain in office, they will make no Ransomware payments whatsoever.
But even Ransomware attacks or not, the Cyber Insurance
Industry here in the US is already starting to feel the financial strain of
other forms of threat variants. For
instance, premiums have increased by a whopping 22%, coming close to the $3
billion mark.
More information about the AXA decision can be seen here:
https://apnews.com/article/europe-france-technology-business-caabb132033ef2aaee9f58902f3e8fba
More information about the Department of Treasury’s decision
can be seen here:
My Thoughts On This:
This is a very dicey situation, really with no clear-cut
answer that can be figured in a short amount of time. The truth of the matter is that Cyber
Insurance Policies is still a new “thing” out there, and even the insurance
companies that carry it are still trying to figure out.
Worst yet, with the advancements and explosions that take
place on a daily basis, it is hard for any one in this line of work to fully
determine what can be covered and not.
But Corporate America also has a huge responsibility here as
well. The common line of thinking now
seems to be: “Well, I now have an
insurance policy, so who cares if I am hit?
I can just file a claim to cover all costs”.
Because of this, many in the C-Suite are now becoming lazy
in making sure that the right controls are in place to protect their digital
assets to the best degree that they can.
In other words, there are many people in the Cyber Insurance Industry
who now feel that the C-Suite is shifting this burden to them, and thus is also
one of the reasons that as fueled the decision by AXA.
In other words, Corporate America is now viewing their Cyber
Insurance Policies as a way to shift their burden of risk reduction to somebody
else. But this line of thinking has to
stop here and now. Nobody is immune from
becoming a victim of a Cyberattack, and that is a given. Heck, it has been cited that even AXA was
just recently a victim themselves. But
Cyber Insurance was not created to award sheer negligence and laziness by the
C-Suite.
Rather, it was designed to financially assist those
businesses that were impacted to restore mission critical operations as quickly
as possible, and to also cover the indirect costs down the road even as well. But this is going under the assumption that
the business had done everything right in the first place, and just happened to
become a victim.
As I just mentioned, Cyber Insurance was not designed to be
a tool to replace risk reduction mechanisms which is the sole responsibility of
the C-Suite and their respective IT Security teams to carry out.
So in this case, should a claim be paid out in the case a
company does make a Ransomware payment?
Again, I say no. But this should
be determined on a case-by-case
basis. It should not be ruled out
entirely. After all, if an organization
has done all they can to reduce the possibilities of a breach, why should their
employees and customers have to suffer because of this?
They should not. But
whether a company has taken all steps needed is a whole different issue, as
this will require an exhaustive audit and careful study of the forensics
analysis reports.
In the end, there will be many more issues like this that
will crop up down in the world of Cyber Insurance, and there will be no quick
fix to them. As a result, the C-Suite
has to keep in mind that having Cyber Insurance is not the same as having
Automobile Insurance, where one call to your insurance company will get you
covered in the case of a fender bender.
Filing a Cyber Insurance claim can be much more complicated
than that, and the chances are, that you may not even get a payout on your
claim, and best, maybe just a partial one.
No comments:
Post a Comment