All too often, companies’ focus after being victimized by a ransomware attack is on the ransom paid, which is generally the most trivial outcome of the incident. From the perspective of a CFO, what goes unaccounted for in any meaningful way is the lost productivity, lost profits, harm to business reputation, cost of reconstructing data, and other damages that flow from these attacks.
While state and federal laws may require breaches of privacy to be reported, that’s not the case with ransomware attacks. As such, a significant number go completely unreported and unpublicized, so the true extent of the damages caused remains a mystery. In some cases the ransomware attack is just one prong in a multi-pronged attack on an organization’s infrastructure, making it almost impossible for even the victim company to determine the specific impact of the ransomware.
So, in short, CFOs are struggling to understand the financial impact of these attacks. To help them better understand, and to mitigate the impact, this article discusses the types of harm and damages and makes specific recommendations for better controlling security risks, including the use of cyber-liability insurance.
Types of Damages and Harm
Ransomware typically targets an organization’s most valued information. But it could reach almost any information, including marketing materials, payroll data, intellectual property, financial transactions, and health records.
Hiring an expert who is able to decrypt the information is often more expensive and time-consuming than paying the ransom to get the information restored. And sometimes data restored by a recovery service is incomplete, with full recovery requiring the decryption key. However, by the time an organization discovers that the recovery is incomplete, the attacker likely has already destroyed the key and moved on, making full recovery an impossibility.
If the ransomware hits certain servers, it may be distributed throughout an organization to all users and potentially to third-party users connecting to those servers or other infected user devices. It can also infect the organization’s backup media, meaning that if the target tries to restore data from its backups, it could re-infect its systems and data.
These attacks can take hostage and threaten to or actually disclose confidential or proprietary information to the public or, even worse, the highest bidder. The fear of such disclosure is a motivating factor for victims and gives them little time to think rationally about their options.
An overall approach to addressing the threat of ransomware could include the following practices:
- Train and educate personnel on an ongoing basis.
- Specifically address and plan for ransomware in the business’ disaster recovery and business continuity plans, including testing of those plans.
- Ensure that all anti-virus and other security software is properly updated. Many forms of ransomware can be detected and avoided using this simple step.
- Engage a third-party expert security vendor to assess your organization’s systems and procedures.
- In the event of an attack:
  - Identify and isolate infected and potentially infected systems.
  - Disable shared network drives connected to the infected systems.
  - Consider suspending ordinary-course backups of those systems to prevent further propagation of the virus.
  - Engage an information security consulting firm that specializes in assessing and mitigating these sorts of attacks.
  - Circulate a warning to all other organization personnel advising them of the threat and cautioning them not to open email and attachments from suspicious sources.
Insurance as a Path to Mitigation
CFOs have traditionally looked to insurance as a key means of mitigating risk. In the security context, a wide range of cyber-liability policies are now readily available.
Cyber insurance policies are an important tool for CFOs in managing the impacts of cyber and other information-breach incidents. Some policies include the payment of a ransom, while others expressly exclude it due to the “moral hazard” of such coverage. Where such policies do exist, many are limited and may have coverage exclusions.
For organizations that have such policies, working with the broker and insurers to understand the policy and the procedures for filing a claim is crucial to payment under the policy. Often the policies are tightly drafted to mitigate the impact of cyber fraud and require the policyholder to educate its workforce and implement appropriate means, such as business continuity and disaster recovery procedures, to prevent the ransomware intrusion and mitigate the impacts of an incident.
Unfortunately, incidents of ransomware are increasing daily and there appears to be no end in sight. With every payment to an attacker, we only embolden and incentivize attackers to continue and encourage others to join the ransomware community. Presently, there is no panacea for preventing these attacks. No one is immune.
Given the difficulty of preventing ransomware infection, companies should focus on personnel training and awareness, which has one of the best returns on investment in preventing these attacks. Following closely behind training in effectiveness is the deployment and testing of business continuity and data backup procedures designed with attacks like ransomware in mind.
Michael R. Overly and Aaron Tantleff are partners in the information technology and outsourcing group at law firm Foley & Lardner LLP. Each focuses on counseling clients regarding technology transactions, privacy, and information security.