Sunday, September 5, 2021

Think You Can Use Your Cyber Insurance As Down Payment For A Ransomware Payment? Think Again!!!

The one question that I keep getting asked, and even keep asking my podcast guests, is what they think the number one Cyber threat is this year.  Hands down, and without a doubt, it has to be Ransomware.

This threat variant started to get some serious notice back in 2019, but it really proliferated right after the COVID-19 pandemic hit the shores of the United States and started to reach its peak.  We saw this in the uptick in domain name hijacking and in the creation of fake and malicious websites, most notably those impersonating the World Health Organization (WHO).

And in 2021, it has really made its mark in the healthcare sector and in Critical Infrastructure here in the US, given the recent events at Colonial Pipeline.  But apart from this, Ransomware has gone to even further extents, which now include outright extortion.

In these tragic cases, the victim company is often threatened that if they do not make payment via some sort of Virtual Currency, the attackers will make public all of the Personally Identifiable Information (PII) datasets that they have captured.  But now this comes down to the question of whether the victim should pay the Cyberattacker or not in order to restore mission critical operations.

In the case of the oil pipeline attack, the CEO decided to pay about $4.4 million (worth about 75 Bitcoin) to the Cyberattacker group so that the flow of gas and oil could resume once again, without causing too much more pain at the pump and in the financial markets.

I have actually addressed this question in previous blogs, and even in articles that I have written for clients in the past.  My fundamental answer was, and still continues to be:  Do not pay up.

Why?  Well, there are two primary reasons for this: 

*If you pay up, this is only going to fuel the Cyberattacker to come after you again, but this time causing more havoc and even demanding more money.  After all, if they could get in once, they pretty much know where all of your vulnerabilities and weaknesses lie, so they can penetrate you once again quite easily.  Worse yet, they can even stay in for a very long period of time without you knowing anything about it.

*If you have maintained a proper and regular cycle of creating backups and have a rock-solid restoration process in place, all your IT Security team has to do is discard the infected equipment and get new equipment.  Or better yet, if you had your stuff in the Cloud, like AWS or Microsoft Azure, it all comes down to getting rid of the impacted Virtual Machines (VMs) and Virtual Desktops (VDs) and creating new ones in just a matter of minutes.  From there, you can then restore all of the information and data into them from the backups that you have created.

So, in the end, there is no need to pay the Cyberattacker, assuming other “normal” circumstances still exist (I leave this terminology to your own interpretation).  But now, companies not just here in the United States but worldwide may have no choice.

Just recently, the global insurance firm AXA announced that it would no longer reimburse impacted businesses if they have actually paid a ransom and filed a legitimate claim.

One of the primary reasons cited for this landmark decision is that with such kinds of payouts, the rise of Ransomware attacks is simply going to proliferate at levels even far greater than what we are seeing now.  But this is a catch-22 sort of proposition.  Now, companies will pretty much have no choice but to further beef up their lines of defense and take Cybersecurity much more seriously.  But what about those companies that have already been proactive in doing this, and through no fault of their own, still become a victim?

Shouldn’t they deserve some sort of financial help from their Cyber Insurance Policy?

But it is not just AXA that is trying to stop companies from making Ransomware payments.  Even our own government is taking steps to make sure that this does not happen.  For example, it could be considered a felony under US law if a company pays out anything to a Cyberattack group that has been put on a watch list by law enforcement agencies worldwide.  This is according to the Office of Foreign Assets Control, which is overseen by the Department of the Treasury.

This ruling has already started to have some effect: some 1,400 mayors across the United States have pledged that, as long as they remain in office, they will make no Ransomware payments whatsoever.

But Ransomware attacks aside, the Cyber Insurance Industry here in the US is already starting to feel the financial strain of other forms of threat variants.  For instance, premiums have increased by a whopping 22%, coming close to the $3 billion mark.

More information about the AXA decision can be seen here:

https://apnews.com/article/europe-france-technology-business-caabb132033ef2aaee9f58902f3e8fba

More information about the Department of Treasury’s decision can be seen here:

https://www.darkreading.com/risk/us-treasury-warns-of-sanctions-violations-for-paying-ransomware-attackers/d/d-id/1339066

My Thoughts On This:

This is a very dicey situation, really with no clear-cut answer that can be figured out in a short amount of time.  The truth of the matter is that Cyber Insurance Policies are still a new “thing” out there, and even the insurance companies that carry them are still trying to figure them out.

Worse yet, with the advancements and explosions in threats that take place on a daily basis, it is hard for anyone in this line of work to fully determine what can and cannot be covered.

But Corporate America also has a huge responsibility here.  The common line of thinking now seems to be:  “Well, I now have an insurance policy, so who cares if I am hit?  I can just file a claim to cover all costs.”

Because of this, many in the C-Suite are now becoming lazy about making sure that the right controls are in place to protect their digital assets to the best degree that they can.  In other words, many people in the Cyber Insurance Industry now feel that the C-Suite is shifting this burden to them, and this is also one of the reasons that has fueled the decision by AXA.

In other words, Corporate America is now viewing its Cyber Insurance Policies as a way to shift the burden of risk reduction to somebody else.  But this line of thinking has to stop here and now.  Nobody is immune from becoming a victim of a Cyberattack, and that is a given.  Heck, it has been cited that even AXA was just recently a victim itself.  But Cyber Insurance was not created to reward sheer negligence and laziness by the C-Suite.

Rather, it was designed to financially assist those businesses that were impacted so they can restore mission critical operations as quickly as possible, and also to cover the indirect costs down the road.  But this goes under the assumption that the business had done everything right in the first place, and just happened to become a victim.

As I just mentioned, Cyber Insurance was not designed to be a tool that replaces risk reduction mechanisms, which are the sole responsibility of the C-Suite and their respective IT Security teams to carry out.

So in this case, should a claim be paid out when a company does make a Ransomware payment?  Again, I say no.  But this should be determined on a case-by-case basis, and it should not be ruled out entirely.  After all, if an organization has done all it can to reduce the possibility of a breach, why should its employees and customers have to suffer because of this?

They should not.  But whether a company has taken all the steps needed is a whole different issue, as this will require an exhaustive audit and a careful study of the forensic analysis reports.

In the end, many more issues like this will crop up in the world of Cyber Insurance, and there will be no quick fix for them.  As a result, the C-Suite has to keep in mind that having Cyber Insurance is not the same as having Automobile Insurance, where one call to your insurance company will get you covered in the case of a fender bender.

Filing a Cyber Insurance claim can be much more complicated than that, and the chances are that you may not even get a payout on your claim, or at best only a partial one.
