A ransomware attack can wreak havoc on an affected business on many levels – not least operationally, financially and reputationally. Given the severity of these impacts, it’s understandable that for many businesses fortunate enough not to have experienced such an incident firsthand, there is a lingering question regarding what to do if a cyber attack does occur. Lending her expertise on this subject, the cyber development leader at CFC, Lindsey Nelson (pictured), outlined the steps taken by the MGA in the event of an attack.
Find out more: Explore CFC’s market-leading cyber insurance proposition
When a suspected or actual event is first flagged, she said, CFC encourages clients to make them the first point of contact. Suspected is the keyword there, as if there is even a suspicion that something untoward has happened and the client needs clarification on whether that’s actually the case, it’s better to be conservative and get the experts engaged in the initial investigative work as quickly as possible.
“[That ensures] we can remediate any vulnerabilities down the line,” she said, “And we’ve said it for years but it’s still true today that any regulatory action or third-party liability claims are still less than 4% of our claims activity. And we think that’s all to do with how the incident is triaged and managed upfront to avoid those severity driven third-party events down the line. So, we’re really mitigating against those quickly from the start.”
Their in-house security team, CFC response, are the project managers of these events, Nelson said, and provide a triage point – bringing in the right people at the right time, depending on what the incident demands. They take a technically orientated approach, providing an initial consultation with the client. From there, they take over the whole event, examining the ransomware variant, whether a familiar group is involved, or if they need to start engaging in ransomware negotiations with the threat actors.
“There’s a lot of psychology around how they engage with the threat actors,” she said. “That’s something that really differentiates between the outcome of a claim if an insured tries to handle the cyber negotiation process directly rather than using experts. [Experts] know the tactics, they know the groups well and know what works and doesn’t in terms of getting the demand down, if not the decryption key back. I think that’s a key and a vital part of our service.”
Ultimately, Nelson said, it’s the client’s decision as to whether or not they want to pay the ransom. The job of the cyber claims team or CFC’s response team is to ensure they are making an informed decision whatever they choose, with all the relevant information on the ransomware variant and the threat actor to hand.
Read more: CFC’s new CEO on what the future holds
The teams negotiate to mitigate the ransomware payment or to get the decryption key back, as well as to provide sanctions checks – a three-step process that goes well beyond making causal links to online blogs or previous incidents. Everything that can be done to avoid paying criminals will be done, she said, but, in some cases, a ransom payout is inevitable.
The team also work to determine what – if any - data was exfiltrated during the attack, what systems were affected, and what information might have been compromised. They then bring in a third-party law firm to determine obligations surrounding any privacy legislation. When the decision is made by the client regarding whether or not to pay the ransom, work begins on restoring their systems.
“Often, when clients get the decryption key back, it’s not as simple as flicking a switch and getting access to your systems back,” Nelson said. “It’s a process that can take days and sometimes weeks to get back up to where they were operationally and we can help with that. Equally, if a client decides not to pay, then we go into the system rebuild and restoration phase of rebuilding their networks completely from scratch. That tends to be the more expensive element of a ransomware event, in addition to the forensics and investigating what’s happened with their network, but [that] tends to get overshadowed by the severity of some of the extortion demands that we’re seeing.
“So when we talk about how expensive ransomware claims can be, it’s not just the extortion demand itself, it is also the rebuild costs. And if the client makes the decision not to pay a ransom, it’s important that they know they’ve got the full availability of a limit to rebuild those systems and the additional extra expenditure costs.”
Read more: What is actually fuelling cybercrime?
Nelson emphasised that underpinning all the work CFC does in the event of an attack is a focus on providing a sensitive, timely approach to the client. As she’s heard from the group’s broker partners, she said, these incidents are inherently intrusive and can leave victims feeling exposed. And this sensation is further compounded by the tendency for the furore surrounding a cyber incident to focus on its victims rather than the criminals who carried out the act.
“I think that’s due to a lack of understanding around how [these attacks] are happening in the first place and the lack of ability to trace it back to anybody where we can point the finger and say, ‘this is who’s causing it and here are their motivations’,” she said. “There’s been a lot of media attention around businesses who have experienced this and there have also been really heavy-handed regulators issuing out fines and penalties for businesses that fall victim to it.
“So, what that ultimately ends up doing is incentivising a lot of these businesses to pay ransoms, because they want to avoid the reputational harm of data being leaked into the public domain through some of these data exfiltration events. It can be quite a panicky situation for a client, and I think the attention around it reputationally doesn’t do any good.”
Of course, some clients have been completely negligent in terms of having protective measures in place around client data, but that is a very small percentage. The majority of the claims seen by CFC disseminate from human error, she said. They come from clients that have invested heavily in their IT security, done all the latest patch updates, have offline backup and MFA in place, but also have an employee who clicked a malicious link, or lost a USB stick, or transferred funds during a social engineering event.
Employees will always be the weakest link in an organisation, Nelson said, which is why cyber insurance is so effective at offering that dual layer of protection, should the systems go down after the client has put all the best measures in place. The blame directed at victims of cyber crime is largely misguided, and there’s a lot that the cyber insurance industry can do to combat the myth that victims are responsible for causing a cyberattack. This is why the CFC team is so passionate about trying to enforce minimum security controls across firms to prevent these attacks in the first instance.
“Cyber insurance is really pivoting from a reactive wording to a proactive service,” she said. “And if we can help stop ransomware from happening in the first place, then it will be really valuable for our clients, something that has proven to be working so far.”
You can find out more about how CFC protects businesses against cyber risk here
