Affected by a ransomware attack? Here’s who to call
Faced with this situation, affected companies may rush to contact their IT teams, crisis public relations, lawyers and law enforcement. But, frequently, one of the first calls is to their insurance provider.
Businesses often purchase specific cyber insurance plans to protect their systems and cover losses from a cyber attack. And ransomware, which lets attackers lock up computer systems (or even physical infrastructure) by encrypting them and demand payments that can run into millions of dollars to unlock them, has only increased demand for this insurance.
But that lifeline can also become increasingly difficult for businesses to access due to rising costs, tighter insurer requirements, and increased government scrutiny when foreign hackers are involved.
AIG, one of the world’s largest insurers, says it saw an increase of 150% in ransom and extortion demands between 2018 and 2020. Ransom demands now represent one in five cyber insurance claims, the company added.
“Data-intensive companies were the first … but over the last few years all types of industries have started buying cyber insurance,” Tracie Grella, AIG’s global head of cyber insurance, told CNN Business. “I think at this point it’s certainly clear that all industries are affected, all need to manage cyber risks.”
Depending on the size of the business and what needs to be covered – from security teams and lawyers to potential lawsuits and reimbursement for business losses or even ransom payments – the plans can cost “a few hundred dollars … up to multi-million dollar programs, ”Grella said, adding that AIG clients pay ransoms about 50% of the time.
The FBI and cybersecurity experts recommend against paying ransoms, saying the payments encourage cybercriminals to step up their targeting of businesses and infrastructure.
The average cost of a cyber insurance policy in 2019 was $ 1,500 per year for $ 1 million of coverage with a $ 10,000 deductible, according to Mark Friedlander of the Insurance Information Institute of New York.
It’s getting harder and more expensive
As the frequency and scope of ransomware attack targets increase, this cost increases. According to an April report from Fitch Ratings, total premiums for cyber insurance coverage reached $ 2.7 billion in 2020, an increase of 22% from the previous year, and are expected to rise further in 2020. 2021.
Companies that want cyber insurance are also now subject to a much more rigorous review of their existing cybersecurity measures before they can get approval for a plan.
AIG gives potential customers a list of 25 questions specific to their ransomware protections, which include details about how often they test employees for email phishing attacks and how long it takes to deploy fixes security critical (ranging from “within 24 hours” to “more than 7 days”).
“Ransomware is more prevalent right now, so we have a deeper and more specific underwriting strategy around ransomware,” said Grella. “If certain controls are not followed, we will probably still provide coverage… but it will be reduced coverage.”
Some cybersecurity experts also caution against treating insurance as a catch-all solution, especially when demand increases.
“In some cases organizations are a little too ready to transfer this type of risk through insurance. They think it’s a really healthy safety net and they can avoid making some of the other more painful investments. in security, ”said Mike Hamilton, chief information security officer at cybersecurity firm Critical Insight.
And with the U.S. government deciding this week that it will use similar protocols to deal with ransomware attacks as it does with terrorism, especially those linked to nation states, Hamilton says insurers have a potential way to deal with it. avoid paying cyber insurance claims. Terrorism insurance is often a separate plan offered to businesses, and rarely covers events which are considered acts of war.
“If insurance companies can call anything a nation-state act or an act of terrorism, they don’t have to abide by their policies, and that’s going to be a problem,” he added. .
Who else to contact
With or without a cyber insurance policy, most businesses’ first line of defense against cyber attacks is their internal IT department. It is not uncommon for companies to have contracts with external cybersecurity firms that can deploy incident response teams and cyber ransom negotiators.
But experts say it’s also important to involve law enforcement and government agencies early on. The FBI is the primary agency responsible for investigating cyber attacks and provides resources such as the Internet Crime Complaint Center and the National Cyber Investigative Joint Task Force where businesses can report incidents.
Other agencies that handle cyber attacks include the Department of Homeland Security’s National Cyber Security and Communications Integration Center and the US Computer Emergency Preparedness Team. Most of these agencies have online portals for reporting incidents, and many also provide phone numbers.
“The first thing a business has to do is call the federal government,” said Andrew Rubin, founder and CEO of cybersecurity firm Illumio.
“When businesses operate in silos, things get out of hand,” he added. “Information sharing between the private and public sectors is essential.”