It had been simmering beneath the surface for some time. The profound increase in frequency and severity of ransomware attacks on U.S. businesses in every sector was impossible not to notice.
Ransomware is malicious computer software that is designed to remove a user’s access to a computer system. The attacker, or “threat actor,” will demand an extortion payment (which is typically in the form of cryptocurrency) in consideration for restoring the access. Our own clients—who optimistically will only have to deal with a ransomware incident once—will often wonder, after witnessing the process of a ransomware incident response, “How do these cyber insurance companies stay in business?” (One word: reinsurance).
For cyber claims professionals, having the authority to issue seven-figure extortion payments within days following receipt of a first notice of loss is rather routine. And ransomware claims have accelerated considerably during the COVID-19 pandemic. Those who keep statistics on these metrics are uniform in their conclusions: The average ransomware payment now far exceeds $100,000, and there are more cases that involve data privacy risks to third parties than there are that do not.
A ransomware attack involves a data privacy risk when, before “executing” the ransomware malware, the threat actors have prolonged unauthorized access to an IT environment, enabling them to steal electronic (presumably sensitive) data from their victims. In these situations, ransomware is only the “parting gift” of a larger cyber claim.
On May 7, 2021, unauthorized third parties reported to be affiliated with the DarkSide criminal group gained access to the systems of Colonial Pipeline, causing the company to shut down over 5,000 miles of pipeline in the U.S., which then correlated with gas delivery delays and shortages at gas stations, particularly in the Southeast. The DarkSide ransomware variant involved the “ransomware-as-a-service” business model. This means that the developers of the malware sell the technology to other criminal affiliates, which are then the ones that perpetrate the actual attacks.
Debating Ransomware Payments
With one attack, suddenly the ransomware issue that is routinely examined by the cyber insurance industry was front page news, and the issues that were being regularly debated in law firm and insurance webinars over the past year were being debated by talking heads on cable news programming and Washington politicians.
Cyber insurance is, of course, an ecosystem. Well before the pipeline attack, in response to the worsening claims conditions, cyber insurance underwriters had already largely toughened the terms upon which coverage would be granted. This was done through the use of expanded and supplemental application forms, and an increase in premiums. Due to the nature of the risk itself, cyber insurance as an insurance product is required to be constantly evolving to stay current with newest risks to the policyholders. Insurance entrepreneurs have offered numerous creative solutions to mitigate the growing ransomware peril, including leveraging new underwriting technologies and innovating cyber claims-handling operations.
However, all of this hard work and effort to mitigate the ransomware risk to the cyber insurance market does not necessarily trickle down to the cybersecurity researchers, engineers, intelligence analysts, ethical hackers, data scientists, and others who make up the information security community.
By the time the Colonial Pipeline was shut down, there had already been a disconnect between the information security community and the cyber insurance industry on the issue of ransomware. In information security circles, distrust of insurance companies is commonplace. Many do not believe that cyber insurers will afford coverage for extortion payments in the first place. Others leap to the conclusion that, to the extent ransomware coverage is afforded, it has the perverse effect of incentivizing further extortion.
Following this logic, some information security professionals have come to believe that cyber insurance actually perpetuates the ransomware peril itself. The more activist among them then go one step further to argue that, consequently, the government should prohibit the payment of ransomware extortion by private companies. Other even more extreme interests have gone so far as to argue that cryptocurrency itself should be outlawed to disrupt the ransomware surge. That leads to proverbial slippery slope arguments that caution against a world in which the government totally regulates every part of the cybersecurity efforts of private industry.
Prevention Strategies
Following the Colonial Pipeline shutdown, perhaps these voices from the information security community have been heard. On cue, an Executive Order was issued on May 12, 2021, just days after the Colonial Pipeline attack, which set certain standards and requirements for government agencies and federal contractors to prevent cyber events. The order’s purpose is to remove impediments to information sharing between government agencies and contractors when it comes to threat intelligence and information about cybersecurity incidents, as well as to compel government agencies to modernize their approach to cybersecurity.
The Department of Homeland Security (DHS) will also require all pipeline companies to report cyber events to the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency. DHS also now requires pipeline operators to designate a cybersecurity coordinator. These efforts follow earlier efforts in October 2020 from the U.S. Treasury Department to ensure compliance with Office of Foreign Assets Control checks and Financial Crimes Enforcement Network requirements for suspicious activity reporting.
The information security community members who have called for more regulation in this area must be pleased. However, as this government oversight is implemented, the cyber insurance industry has not stood still. In contrast to the logic articulated among information security circles that cyber insurance incentivizes ransomware, cyber insurers themselves decided that they were not going to just sit idle as their claims units were overloaded with new ransomware claims. In today’s cyber insurance market, serious brokers will agree that cyber insurers will not underwrite every single application that comes in the door.
Cyber insurers have become very sophisticated in underwriting a company’s digital extortion risk. Many insurers use a combination of sophisticated human analysis and data- or technology-driven assessment. For example, some have introduced the supplemental ransomware application to evaluate the risk. This application compels the applicant to disclose its efforts in some of the core IT security components that are crucial to any kind of anti-ransomware effort. The responses to the deeper-level questions about backup (What kind of backup? Where is it stored? How is it accessed?); end-point protection (sometimes requiring advanced end-point tools to be implemented); access controls (requiring multifactor authentication, complex password policies, and needs-based access policies); and workforce training and awareness can greatly inform the underwriter as to the applicant’s overall readiness for a ransomware attack.
Information security professionals should reconsider the role of the foregoing underwriting process and embrace cyber insurance as a more direct and efficacious way to influence the private business sector toward a healthier and more secure cyber posture. The aggregate impact of requiring sound governance—including appropriate access controls, sophisticated backup, and end-point protection—as a condition of insurance cannot be overstated. While the federal government agencies take the next year or so to begin implementing the actual policies to comply with the recent Executive Order, thousands of companies will have already invested in backup, end-point protection, and workforce training just so they can procure extortion coverage.
In other words, the information security community and the cyber insurance industry are all on the same side and both working toward an overall more secure business community.
Where Do We Go From Here?
The increased exposure caused by the pipeline attack and the attendant real-life consequences of higher gas prices, shortages, and long lines depicted on legacy and social media also seem to have caused consternation among the threat actors themselves. Shortly after the Colonial Pipeline attack, DarkSide communicated that it would cease operations of its ransomware-as-a-service program, and also alleged that it lost access to its servers, crypto wallets, and other technology as a result of unspecified “law enforcement” activity. Other well-known ransomware variants communicated that they would take precautions to prevent their technology from being misused and have posted updated “rules” barring their affiliates from attacking government, health care, education, and charity assets. Of course, in the world of global organized crime, these statements could simply be subterfuge for a rebranding and reorganization of efforts until the immediacy of the blowback from the pipeline attack subsides.
The efforts of cyber insurers to mitigate ransomware may not pacify those advocating for the outlawing of digital extortion insurance or for some other massive government bureaucracy. Nevertheless, those voices have little to offer regarding the real-life impacts on business that we, from our position as breach counsel, must advise policyholders on. Restoring business operations, communicating with consumers impacted by the outage, and wrestling with the litany of legal issues raised if there is evidence of data exfiltration will overwhelm the resources of any small- or mid-sized business. Transferring these risks (and yes, even the extortion payment itself) to cyber insurance remains the greatest tool for small- and mid-sized businesses to withstand the impact of a ransomware attack.
The silver lining to the Colonial Pipeline attack is that it shined a bright light on an important, but esoteric, area of commercial risk. The government responded with more regulation of the ransomware payment space. Companies are responding by investing in security and governance. Cyber insurance remains much of the business world’s most critical tool in addressing the important issues raised by ransomware. That role should be embraced by the cyber and information security communities.