[Editor's Note: The following content is sponsored by PNG Cyber and Selman Breitman LLP.]
What trends are most prevalent in cyber claims today? How are companies and their insurers fighting back? And what are some of the strategies to employ when a cyberattack takes place?
WHAT TRENDS ARE YOU SEEING IN CYBER CLAIMS RELATIVE TO TYPES OR FREQUENCY OF ATTACKS?
Thomas Langer, PNG Cyber: In 2021, we have seen an increase in cyberattacks, including zero-day attacks, operating system attacks, and software vulnerability attacks including remote monitoring and management attack vectors. Consequently, ransomware attacks have increased this year, and we have also seen an increase in cloud business email compromises.
Casey Quinn, Selman Breitman LLP: 2021 has been the year of ransomware attacks. Not only are they happening with increasing frequency, but also they are happening on a more public scale and getting more attention than they have in the past. Whether they are disrupting the supply chain, shutting down a hospital, or even just necessitating loading up a backup, these attacks can have dire consequences. The result is that not only are businesses suffering the consequences of losing data, but also they are getting negative publicity at the same time.
We are also seeing bad actors rework their plans of attack, bringing back old, revamped methods that can counter the latest updates. Trends from prior years are still prevalent, however, including the fact that, by far, the biggest cause of breaches is human error.
HOW ARE COMPANIES FIGHTING BACK AGAINST CYBERATTACKS? WHAT SUCCESS STORIES ARE OUT THERE EITHER IN TERMS OF PREVENTION OR CONSEQUENCE?
Casey Quinn, Selman Breitman LLP: Unsurprisingly, we don’t hear anything about the success stories of companies that are preventing attacks. For the most part, those victories are only savored by a few unsung heroes who can truly appreciate what they prevented by implementing sufficient measures to protect their companies. The successful prevention of cyberattacks is an ongoing battle that requires consistent training and reassessment. Bridging the gap between the people who know what cybersecurity entails, the decision-makers who decide what kind of money to spend on it, and the end users who decide whether to follow the established protocol often seems like a daunting task, but it’s still true that your people are your greatest asset in preventing cyberattacks.
Thomas Langer, PNG Cyber: Companies have increased their cyber security by adding additional security layers and by not relying on a single prevention system. This is especially true for companies that were hit with a cyberattack this year and then focused their attention to heighten their security measures by implementing things like multi-factor authentication; multi-layered security prevention systems; and proactive security measures.
OBVIOUSLY, THE RISKS IN NOT PAYING A RANSOM COME IN THE FORM OF DOWNTIME, BUSINESS INTERRUPTION, REPUTATION RISK, AND LOSS OF SENSITIVE PROPRIETARY INFORMATION. BUT ARE THERE ANY RISKS IN PAYING A RANSOM? IF SO, WHAT ARE THEY?
Thomas Langer, PNG Cyber: The U.S. federal government has provided guidelines to ensure that any ransom payment follows the Office of Foreign Assets Control’s (OFAC) regulations. Anyone not following those regulations, and paying a ransom blindly, risks government prosecutions and sanctions. Other risks of paying a ransom are not receiving the decryption tool (which is rare, but has happened), or receiving a poorly written decryption tool that requires a lot of troubleshooting steps and follow-ups to decrypt the dataset.
Casey Quinn, Selman Breitman LLP: There are several risks in paying a ransom that are seldom outweighed by the reward. First, you don’t know who you are paying, and therefore you may be violating federal OFAC guidelines for which you are strictly liable. That means you could be in trouble with the government if it turns out you pay someone the government says you shouldn’t. Second, paying the ransom doesn’t mean you will get all of your data back. You may get part of it, or you may get nothing at all. You may end up paying not only the ransom, but also amounts in excess of that to simply recover from the attack even after paying the ransom. Finally, if you pay once, you may buy your peace for a moment, but it may make you an easy mark for the next group doing ransomware attacks—especially if it becomes public that you paid.
CAN YOU DISCUSS A SPECIFIC CYBER CASE AND A LESSON LEARNED FROM IT, EITHER BY YOU OR A CLIENT?
Thomas Langer, PNG Cyber: Every company/entity environment affected by a cyber incident is different. We’ve had many scenarios where the data restoration and rebuilding efforts of a network environment were the better choice for eliminating business interruption. I have also seen the flip side, where companies absolutely needed the decryption tool to get their important data back just to stay in business.
WHAT ARE SOME GOOD STRATEGIES FOR DEALING WITH INSUREDS FACING A CYBER CLAIM?
Casey Quinn, Selman Breitman LLP: One of the best strategies is being proactive. Encourage your insureds, big and small, to have a cyber incident response plan. They don’t have to be complicated; even the simplest one will assist your insured so that when something does happen, they have a plan and a general idea of what to do to help mitigate their losses. Encourage them to have someone who will serve as their dedicated point person when a cyber incident occurs. They should also take advantage of legal services (including those that may be offered with their policy) to ensure that their contracts protect them. As these issues become more common, it is increasingly important to make sure that your own rights are protected when doing business with others. Make sure that a contract is not only protecting you, but also serving to protect your clients and/or your business. Make sure your cloud service agreements are tailored to protect your interests. You may not want to enforce them all the time—and enforcing some provisions may prove difficult—but you put yourself in the best position to protect yourself by giving your company the option.
Thomas Langer, PNG Cyber: Fluid and constant communication with all parties involved is a great start. Following up with law enforcement agencies like the FBI is another great step. Have a potential plan A-B available and provide clear objectives, tasks, and realistic timeframes. Provide follow-up calls on all objectives and tasks until business is back in operation and security measures have been implemented.
Thomas Langer is vice president digital forensics incident response at PNG Cyber, powered by ProNet Group. tlanger@png-cyber.com
Casey Quinn, CIPP/US, is a senior associate in the Las Vegas and Phoenix offices of Selman Breitman LLP. cquinn@selmanlaw.com