How Your Company Should Handle Ransomware Attacks and Cyber Insurance: A Complete Action Plan

What is ransomware and how does it work? Read more for the answer and to learn about the process of reporting, how insurance responds to ransomware claims, and three rules to ease friction with your carrier during a ransomware incident

Cyber insurance carriers will remember 2019 as the "Year of Ransomware." That's because many carriers have reported sharp increases in ransomware cases being filed as claims. 


According to incident response firm Coveware, the average ransom payment increased 105% from Q3 2019 ($41,198) to Q4 2019 ($84,116). Coveware also noted that the average downtime for an organization experiencing a ransomware incident was 16.2 days.

When these jumps in both frequency and severity occur, carriers start to take notice.

What Is Ransomware and How Does It Work?

Ransomware is not a new issue. As far back as 1989, companies started seeing malicious actors infecting their networks with malware and demanding a ransom payment to reverse the effects. 

The issue was exacerbated as encryption technology improved and cryptocurrencies entered the picture, providing the attackers a secure and anonymous method of getting paid. 

Ransomware gained some mainstream notoriety in 2017 when North Korea allegedly launched the WannaCry ransomware strain. In a relatively short period of time, ransomware attackers have morphed from nation state actors to criminal organizations and even individual actors looking to cause damage.

Ransomware today runs the spectrum from ransomware-as-a-service malware, available for purchase on the dark web, to highly sophisticated and organized criminal groups running billion-dollar businesses. 

It is not unusual for a client infected with ransomware to discover that the attacker doesn't actually know whom they've infected until the client sends an email asking for their networks or data to be decrypted. 

Some malicious actor groups even have separate teams that act as a customer service department, negotiating the ransom demands, delivering the decryption key, and checking in to make sure all the data was decrypted successfully. 

We wouldn't be shocked if, eventually, clients are asked to complete a short survey about their experience in exchange for a gift card or 10% off their next ransomware infection.

Latest Ransomware Trends

Of course, ransomware can have impacts that go far beyond locking up organizations' networks. Typically, a company infected with ransomware will incur costs in responding to the incident, such as IT forensics costs, legal costs, lost profits during the network downtime, and potentially the ransom payment. 

These costs add up quickly, and, with the exception of the actual ransom payment, are incurred whether the data or networks are restored from backups or not. Attackers have taken notice, and amended their tactics accordingly.

The first tactic change we've noticed is attackers infiltrating a network and searching for backups right off the bat. If they can encrypt your backups before encrypting your primary network or databases, you'll have no choice but to pay the ransom amount demanded. 

And when you're left with no choice and the attacker knows it, you can expect the amount demanded to increase significantly.

Another new trend sees attackers no longer content to just encrypt your network, but trying to steal data before doing so. This serves one of two purposes: 

  1. To actually get the data and cover their tracks by deploying ransomware. In this scenario, ransomware is often known as "the parting gift" as it is dropped on the way "out the door" once the attackers have maximized their time in your network and mined your data.
  2. To shame you into paying the ransom amount, which is arguably the more sinister purpose. Recently, a group of attackers behind the MAZE ransomware published a "shaming site" which lists all the companies they've infected that haven't paid the ransom. 

By being publicly shamed for falling victim to ransomware, companies potentially face a public relations crisis, costs related to responding to state consumer notification laws, and investigations from regulators that may not have otherwise known about an incident. 

Given that companies often prefer to deal with ransomware quietly and in private, this can change the equation for companies considering whether to pay the ransom. 

Insurance Market Changes

As mentioned previously, insurance carriers are taking notice of the increasing frequency and severity of ransomware incidents. Many have implemented new strategies for dealing with this issue, ranging from gathering more data on potential risks via additional underwriting questions to adding a sublimit to all cyber policies that don't have favorable answers. 

The latter option is a rather extreme response that we've seen a select few carriers take. However, it is worth noting that the market for cyber insurance remains robust at the moment and there are carriers maintaining an approach of full limits for ransomware incidents. 

(Learn more about how cyber insurance can mitigate ransomware costs in our Cyber 101 article.)

The additional underwriting questions typically revolve around controls proven to minimize the impact of a ransomware infection, including frequency of backups, disk-based backups preferably being located off-site, and the use of multi-factor authentication for access to cloud-based backup systems.

What Happens When You Report a Ransomware Event?

The claim process may vary, and generally includes the following steps:

1. Acknowledgment

Cyber insurance carriers understand time is of the essence and usually respond within an hour or so to schedule a call with you. On that call, they'll discuss the ransomware event and begin coordinating the investigation/response as well as engaging consultants such as a breach counsel, forensic IT specialists, and cyber extortion case managers.

2. Hiring Third-Party Consultants

Be mindful that some policies have a vendor panel requirement, which means the insured needs to select a vendor from the insurance carrier's list. Importantly, if you don't get the insurance carrier's prior consent to hire third-party consultants, you may be heading towards choppy waters. 

For instance, the insurance carrier may try to snub your vendor choice after they've already commenced work, or balk at what is a "reasonable" hourly billing rate. Changing vendors mid-stream or learning you'll need to pay the difference between the rate the insurance carrier deems "reasonable" and the rate you agreed to pay is frustrating. 

3. Breach Counsel's Role

Best practices dictate the prompt engagement of cyber breach counsel to establish the attorney-client privilege and facilitate the response efforts. It is common to learn unflattering things about a company's IT network during the response process, and having breach counsel conduct these difficult conversations under the auspices of the attorney-client privilege is preferred. 

Similarly, to maintain the attorney-client privilege, breach counsel oftentimes retains third-party vendors to assist in the investigation.

Breach counsel usually retains an IT forensics consultant to conduct an independent, third-party analysis of the incident, which may include the fundamental cause, origin, and scope of the incident. The investigator will also make recommendations for network/system remediation.

Breach counsel may also engage a cyber extortion case manager to negotiate the ransom demand on the company's behalf as well as identify suitable markets to procure the cryptocurrency. Breach counsel may also retain a forensic accounting firm to analyze business interruption loss.

At the same time, breach counsel will analyze whether there has been any data exfiltration or wrongful disclosure of sensitive data, including personally identifiable information, protected health information, financial information, or other sensitive data.

Finally, breach counsel may recommend the insured ask for help from the FBI or United States Secret Service in response to a ransomware event.

4. Information Gathering and Investigation

In the first hours or days after a ransomware event, there is a flurry of activity involving the insured, breach counsel and the carrier. There may be hourly or daily status updates with everyone involved. There are likely calls with the carrier regarding whether the insured is going to pay a negotiated ransom or not. 

As the investigation continues, it is important for the insured or breach counsel to provide updates to the carrier. The insurance carrier's claim professional may also require additional information to assist in the investigation of the claim.

5. Notification Obligations

To the extent an IT forensics expert confirms there was exfiltration of sensitive data, breach counsel will analyze a company's legal obligations to notify the impacted individuals, the government, credit rating agencies, and/or the media. 

In doing so, breach counsel will analyze the applicable legal authority and guide a company concerning its notification obligations.

6. Invoice Review Process

We recommend the insurance carrier review and approve vendor statements of work (SOW) before the projects begin. We also recommend submitting vendor invoices to the insurance carrier each month as incurred even if you're well within your self-insured retention (SIR) or deductible. 

This allows the insurance carrier's claims analyst an opportunity to review the invoices, and you can address any potential billing issues up front.

This monthly process is far superior to delivering a wheelbarrow full of invoices to the insurance carrier when you think you've breached your SIR, only to find out it will take the claims analyst several weeks or months to review the bills.

Worse still is finding out that you are in for further frustration as the claims analyst starts to make "haircuts" to your vendor invoices because of perceived issues with "reasonable" billing rates, staffing issues, time entry descriptions, etc.

7. Completing the Proof of Loss and Identifying Damages Sustained

The carrier may require the insured to complete a signed proof of loss (POL) form, which may include several categories of loss, including: cyber extortion costs, data recovery costs, business interruption loss, and third-party POL preparation costs. 

The POL may also ask a series of detailed narrative questions and calculations for each element of loss claimed, such as cyber extortion loss, data recovery costs, and business interruption.

8. Coverage Determination

The insurance carrier will send you a letter that outlines the coverage available under the policy, and applicable exclusions. The letter describes how the claim will be handled, and may also explain why a matter does or does not fall within the coverage provided.

Three Rules to Ease Friction with Your Carrier During a Ransomware Incident

When ransomware hits and backups fail, it is an enterprise-wide emergency. You can lessen the friction that has haunted other companies and set yourself up for a more collaborative and smooth ransomware claim experience, if you follow three simple steps:

1. Notice the Claim in a Timely Fashion 

This seems obvious, yet it is often missed. For example, sometimes information technology (IT) is the first stakeholder to find out about a ransomware demand, and no one has checked in with whoever handles insurance when such an occasion arises. 

Consider who is likely to receive notice of a ransomware demand, and make sure they know to contact whoever at the company is tasked with working with your insurance broker as part of your documented incident response plan (IRP).

At the same time, a good insurance broker should review your entire suite of insurance policies for potential coverage for a ransomware incident beyond your cyber insurance policy, including your commercial general liability (CGL), fidelity (crime) or special contingency (kidnap & ransom) and place those carriers on formal notice, too.

2. Make Sure the Insurance Carrier Consents 

You want to be sure the carrier consents in writing to hiring breach counsel and third-party consultants. If the carrier has provided a cyber incident hotline, call that number and provide the following: The name of your organization, insurance policy number, and the contact information for the point person handling the investigation. 

This step will trigger an incident response process pre-approved by your carrier, using vendors they have already consented to. If you have specific vendors that you want to work with in response to an incident, work with your insurance broker to get those vendors pre-approved by the carrier. 

Be mindful that sometimes calling the carrier's cyber hotline does not satisfy the formal notification provisions of the policy. Once an incident is formally reported to your cyber insurer, the investigation/response process begins in earnest.

3. Ensure the Insurance Carrier Is Involved

You want to be sure the insurer is involved in ransom settlement discussions from the outset. It is important that the carrier ultimately agrees to any payment, or consents to not paying the ransom demand and rebuilding your systems from backup servers. 

While this decision is ultimately yours to make, involving your carrier in the discussions will smooth the process and get you back to business faster. 

How Should A Company Handle Ransomware? — An Action Plan

Now that you have a better grasp on the rules of the road, let's go back to the moment you first learn of the ransomware demand. What should be in your action plan? From an insurance perspective you'll want to:

  • Get copies of your cyber and any other insurance policies that may provide coverage from the responsible person at your company (and, ideally, read them).
  • Call your insurance broker to talk about the claim, and get a briefing on how the policy works.
  • Discuss who will notice the claim and the timing. Do you want your broker to handle this? Do you want to handle this yourself? Or do you want to have your outside counsel handle this with a copy to your broker? We typically recommend that your broker handle the mechanics of noticing the claim.
  • Discuss the engagement of breach counsel and other consultants, and confirm if the policy has a vendor panel requirement.
  • After noticing the claim to the insurance carrier and obtaining consent to engage breach counsel and other consultants, keep the insurance carrier updated throughout the claim lifecycle.
  • Be sure to get the insurance carrier involved at the first hint of responding to the ransom demand.

Of course, the process is not always that straightforward. However, following a few simple rules will go a long way towards putting the claim on a successful path towards resolution and reducing unnecessary friction with your insurance carrier during a ransomware event. 

At a time when the threat of ransomware is at its peak and the consequences are more severe than ever, viewing your insurance broker and carrier as partners in getting your business back up and running is the ultimate best practice.