(CNN Business) – The list of high-profile ransomware attacks grows longer and more alarming by the week, affecting everything from pipelines and meat supplies to ferries. Businesses and agencies that are hit must fight to protect their systems and make the difficult decision of whether to pay the hackers to undo the damage.
Faced with this situation, affected companies may rush to contact their information technology (IT) teams, their crisis-management public relations teams, their lawyers and law enforcement. But often one of the first calls is to their insurance provider.
Businesses often purchase specific cyber insurance plans to help protect their systems and cover any losses from a cyber attack. And ransomware, which allows hackers to take over computer systems (or even physical infrastructure) and demand million-dollar fees to unlock them, has only fueled demand for that insurance.
But this lifeline can also be more difficult for businesses to access due to rising costs, stricter requirements from insurers, and increased government scrutiny when foreign hackers are involved.
AIG, one of the world’s largest insurers, says it saw a 150% increase in ransom and extortion claims between 2018 and 2020. Ransom demands now account for one in five cyber insurance claims, the company added.
“Data-intensive companies were the first […] But in the last few years, all types of industries have started buying cyber insurance,” Tracie Grella, AIG Global Cyber Insurance Director, told CNN Business. “I think at this point it is certainly clear that all industries are affected. They all have to manage cyber risk.”
Depending on the size of the company and what needs to be covered – from security teams and attorneys to potential lawsuits and reimbursements for business losses or even ransom payments – plans can cost as little as “a couple hundred dollars […] up to several million dollars,” said Grella, adding that AIG customers make ransom payments about 50% of the time.
The FBI and cybersecurity experts recommend not paying ransoms, saying the payments encourage cybercriminals to expand their operations and infrastructure.
The average cost of a cyber insurance policy in 2019 was $1,500 a year for $1 million in coverage with a $10,000 deductible, according to Mark Friedlander of the New York-based Insurance Information Institute.
It gets harder and more expensive
As the frequency and target range of ransomware attacks increase, that cost goes up. According to a Fitch Ratings report presented in April, total premiums for cyber insurance coverage reached US$2.7 billion in 2020, a 22% increase over the previous year, and are expected to increase further in 2021.
Businesses that want cyber insurance are now also subject to much more severe scrutiny of their existing cyber security measures before they can get a plan approved.
AIG offers potential customers a list of 25 specific questions about their ransomware protections, including details on how often they test employees against email phishing attacks and how long it takes them to implement critical security patches (ranging from “in 24 hours” to “more than 7 days”).
“Right now, ransomware is more prevalent, so we have a deeper and more specific underwriting strategy around ransomware,” Grella said. “If certain controls are not met, we will likely still provide coverage […] but coverage will be reduced.”
Some cybersecurity experts also warn that taking out insurance is not a blanket solution, especially when demand is increasing.
“In some cases, organizations are too prepared to transfer this type of risk through insurance. They think it’s a really healthy backup and they can avoid making some of the other more painful investments in security,” said Mike Hamilton, chief information security officer at the cybersecurity firm Critical Insight.
And with the U.S. government deciding this week to use similar protocols to deal with ransomware attacks as it does terrorism, particularly those linked to nation-state cyberattacks, Hamilton says insurance providers have a potential avenue to avoid paying cyber insurance claims. Terrorism insurance is often a separate plan offered to companies and rarely covers events that are considered acts of war.
“If insurance companies can call something a nation-state act or an act of terrorism, they don’t have to abide by their policies, and that’s going to be a problem,” he added.
Who else to contact
With or without a cyber insurance policy, most companies’ first line of defense against cyberattacks remains their internal IT department. It is not uncommon for companies to contract with third-party cybersecurity firms that can deploy incident response teams and cyber ransom negotiators.
But experts say it’s also important to get government agencies and law enforcement involved early on. The FBI is the lead agency in charge of investigating cyber attacks and provides resources such as the Internet Crime Complaint Center (IC3) and the National Cyber Investigative Joint Task Force (NCIJTF), where companies can report incidents.
Other agencies that handle cyberattacks include the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the United States Computer Emergency Readiness Team (US-CERT). Most of those agencies have online portals for reporting incidents and also provide phone numbers.
“The first thing a company should do is call the federal government,” said Andrew Rubin, founder and CEO of cybersecurity firm Illumio.
“When companies operate in a silo, things get out of hand,” he added. “The exchange of information between the public and private sectors is essential.”