On Friday, May 7, 2021, the Colonial Pipeline cyberattack forced the shutdown of a major gas pipeline in the U.S. that supplies 45% of all fuel consumed on the East Coast.
Colonial Pipeline proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations and affected some of its IT systems. In addition, the company hired an outside cybersecurity firm to investigate the nature and scope of the attack and also immediately contacted law enforcement and federal agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
Eric Goldstein of CISA issued a statement saying the agency was working with Colonial Pipeline to get the situation resolved.
“This [Colonial Pipeline cyberattack] underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”
The Colonial Pipeline cyberattack highlights not only the rise in ransomware attacks and their sophistication, but also the fact that a proper cyber response plan and insurance protection are essential. Further, stand-alone cyber policies that cover ransomware are becoming more necessary than ever before.
What is Ransomware?
Ransomware is any type of malicious software that infects a computer and either prevents it from working as it should, or prevents access to certain files until the user pays a ransom. Typically, the hackers behind the ransomware demand bitcoin—a type of digital currency that is difficult for police to trace.
Businesses of all sizes have become targets of ransomware, as it can infect not only personal computers, but also entire networks and servers.
How Ransomware Can Spread
There are different ways that ransomware can spread, including the following:
- Visiting fake or unsafe websites
- Opening emails or email attachments from unknown sources
- Clicking on suspicious links in emails or on social media
What Ransomware Does to Your Computer
There are two main types of ransomware that can hold computer systems hostage:
- Lock-screen ransomware works by displaying a window on the computer’s lock screen that attempts to prevent access to the computer. The message on the lock screen may even claim to come from the federal government, accusing the user of violating a law and demanding a fine.
- Encryption ransomware works by keeping the computer available but encrypting certain types of files, thus making them unreadable. The files most commonly affected are those that include sensitive information and are assumed by the hacker to be of the most value. When people try to access the files, they then see a pop-up screen that instructs them to buy a private decryption key that can decrypt the scrambled files.
How to Respond
Some operating systems provide instructions for responding to lock-screen ransomware, though results aren’t guaranteed. In contrast, encryption ransomware has no quick fix without the decryption key, which typically only the hackers have access to.
Regardless of the type of ransomware, experts recommend against paying the ransom. After all, there is no guarantee that you’ll regain access to your computer, network or files after you pay. Furthermore, by paying the ransom, you could be encouraging future cyber crimes.
If your business is affected by ransomware, take the following steps:
- Report the event to your local FBI office
- File a complaint with the Internet Crime Complaint Center
- Restore file backups, if you have them
- Check your insurance coverage to see if it covers the costs of ransom money paid and lost business
What to Do if You’ve Already Paid the Ransom
Since business can come to a halt without access to essential data, business owners are often tempted to pay the ransom in order to quickly regain access. If you’ve paid the ransom, contact your bank and call the police as soon as possible. Credit card companies may be able to block the transaction and refund you if you contact them promptly.
The Federal Trade Commission’s OnGuard Online website is a good resource for more tips on what to do if you’re affected by ransomware or any other type of internet fraud.
How to Protect Your Business
Cyber extortion from ransomware is a legitimate threat to all businesses—no matter the size. The best method of prevention is to keep confidential information and important files securely backed up in a remote location that is not connected to your main network.
In addition to backing up your files, taking the following prevention measures can help keep your information secure and prevent you from becoming a victim of cyber attacks:
- Teach your employees about ransomware and the importance of preventing it
- Show your employees how to detect suspicious emails and attachments. For example, watch for bad spelling or unusual symbols in email addresses
- Develop a protocol for reporting incidents of ransomware and other suspicious cyber activity
- Develop a schedule for regularly backing up sensitive business files
- Update your company software as soon as new updates are released. In doing so, you can patch the security vulnerabilities that cyber criminals rely on, and avoid becoming an easy target
- Purchase cyber liability insurance that not only helps you respond to threats, but can also help cover the cost of the ransom and any other losses incurred as a result of cyber extortion
Consider a Stand-Alone Ransomware Insurance Policy
Since cyber insurance isn’t standardized, organizations should review all policy language with one of our insurance advisors before choosing a plan that effectively covers ransomware. Policies can vary significantly in their language and coverage options, so we recommend policies that—at the very least—provide coverage for extortion demands and payments, as well as lost income resulting from an attack.
Organizations should also take a close look at the following definitions, terms and conditions when choosing a policy:
- Sublimits and deductibles—Most policies set a sublimit for covering ransomware. It’s important to review this limit carefully, considering that demands may start on the low side, but can increase quickly. Also, since making a ransom payment may make organizations a target for subsequent ransom demands within the policy year, the deductible amount should reflect that risk.
- Payment terms—Most policies require prior written consent before the insured can pay any ransom. This can result in payment delays and increased demands by the hackers. If an organization pays a ransom in order to resume business, without prior written consent by the insurer, there’s a chance that it may not be reimbursed. Therefore, organizations need to be comfortable with a policy’s terms in order to avoid compromising coverage.
- Definition of extortion—It’s important for organizations to fully understand and agree with their insurance company’s definition of extortion, since the definition dictates the trigger for coverage. For example, although hackers may intend to sell or misuse information, the ransom demand may only involve a countdown timer and demand for money. While the combination of the two may seem like an obvious threat to the insured, a carrier could possibly deny coverage on the basis that there was no explicit threat to sell or misuse information—all because of its unique definition of extortion.
What to Look for in a Policy
Companies should look for ransomware coverage that uses broad terminology and protects against a wide range of threats, including threats to do the following:
- Access, sell, disclose or misuse data stored on your network, including digital assets
- Alter, damage, or destroy software or programs
- Introduce malicious software, including viruses and self-propagating code
- Impair or restrict access. Look for policies with broad terms like “threats to disrupt business operations.”
- Impersonate the insured in order to gather protected information from its clients, also known as pharming or phishing
- Use your network to transmit malware
- Deface or interfere with your company’s website
The Importance of Risk Management
Ransomware insurance is most effective when coupled with a proactive risk management program, as there are many components in the fight against cyber crime. Business owners should work with one of our licensed advisors to review all applicable options before choosing cyber coverage.
Don’t let ransomware—or any type of cyber exposure—threaten your business.
Contact CoverLink Insurance today to learn more about available cyber policies and effective risk management techniques to protect your organization from ransomware attacks.