Ransomware and Cyber-Insurance: What It Means for You and Your Company

“YOUR COMPUTER HAS BEEN LOCKED! All your files and documents have been encrypted. But do not worry, I have not deleted them, yet. You have 24 hours to pay me $500 in Bitcoins to the address shown at left to get the decryption key. This amount will double every 24 hours and one random file will be deleted until payment is received.”

This kind of alarming message has become all too familiar to businesses and other organizations these days. At this moment, someone is probably clicking on a seemingly benign link in a spam email and inadvertently infecting his or her computer and the entire network with malware, rendering files and data inaccessible until the organization pays a ransom to unlock them.

Ransomware attacks are rising dramatically, with the U.S. Justice Department estimating that their number tripled last year to 4,000 every day. Every industry is seeing an increasing threat, with the education and health sectors particularly hard hit.

Academic institutions are especially vulnerable due to their generally smaller IT teams, tight budgets and a high rate of file sharing activity on their networks. Healthcare providers, especially hospitals, make ripe targets because their patient data is critical in life-or-death situations, which could make them more likely to pay the ransom.

If you’re one of the approximately one third of U.S. companies that purchase cyber-insurance to mitigate the costs of a security breach, you may be covered for a ransomware attack. But policies can vary greatly, and it’s important that companies understand the specifics.

Many carriers insure against ransomware attacks as part of “extortion coverage” often included in comprehensive cyber-insurance policies. The payouts generally encompass not only the ransom amount, should the victimized company decide to pay it, but also potential related costs such as a negotiator and experts to stop the intrusion and block future attacks.

Not all policies have extortion coverage, however, so you need to check. For example, if you’re getting cyber-insurance as part of other coverage such as E&O (Errors and Omissions, which protects against liability for problems in performance of professional duties), extortion may or may not be included. Sometimes, you have to request and pay extra for protection against ransomware.

It’s essential to be aware of policy exclusions. If the extortionist is believed to have a connection to the organization – such as a disgruntled former employee or a vendor who wasn’t paid – insurance won’t cover the loss. It has to be a credible, external threat. And, of course, the attack must occur during the policy’s effective period – if it’s detected before or after, you won’t be covered.

It’s also important to know that sublimits – ceilings on the amount of coverage available to cover a specific type of loss – could be lower than the amount of overall coverage. Say you have a $1 million policy: find out what the sublimit is for extortion and determine whether it would be enough to cover not only the ransom (again, if the organization decides to hand it over), but a host of other possible expenses such as forensic investigation, business interruption costs and legal fees. The higher the coverage, the higher the sublimit to cover potentially mushrooming costs.

The first step after being attacked should be to notify the underwriter. In almost all cases, insurers will decline claims they didn’t know about first. But beyond meeting policy requirements, it’s smart to immediately contact the carrier because they deploy breach coaches and other experts to walk you through the process and help make the best decisions on next steps. Understand that if, after consulting with the carrier, you decide to pay the ransom, it will first come out of the organization’s pocket and then be reimbursed.

Recognize that insurance may not cover all costs. For example, a ransomware attack may wreak such severe havoc on a company’s network that it has to replace computer equipment. The company may be on its own for such expenses – anything beyond the ransom itself and associated professional services for responding to the incident.

While cyber-insurance can protect against the damage from ransomware, as with any type of insurance, the best offense is a good defense – in this case, preventing attackers from getting a foothold in the first place.

Since most ransomware attacks start with someone getting tricked into installing malware through a Trojan disguised as a legitimate file, organizations that regularly train employees to be aware of this threat are more likely to be successful in guarding against it.

Given the sharp rise in ransomware attacks, it almost seems inevitable that an organization will be targeted at some point. With the right preventive program and cyber-insurance policy, your company can be protected.
