Ransomware attacks: Balancing protection and response

Ransomware cyber-attacks are increasing around the world. But companies can’t always rely on insurance to bail them out. Vinayak Ram and Martin Douglas from Protiviti UK explore the changing dynamics of the market, and why companies need to balance investment in protection with the right policies to help them recover.

In May, one of the largest ever cyber-attacks in US history took place on a key artery of national infrastructure. Colonial Pipeline, which is a major supplier of gas to the eastern half of the country, had to shut down its network after being targeted by a Russian ransomware gang. In the days that followed, chief executive Joseph Blount confirmed to the media that he paid hackers $4.4m to regain access to the company’s data, with further disruption to fuel supplies before the pipeline was brought back on stream.

This story is just one in a series of ransomware attacks reported this year and part of a growing trend of criminal gangs monetising raids on company data. According to cyber security firm BitDefender, ransomware attacks grew by 485 per cent in 2020; and in the UK, new figures from the Information Commissioner’s Office (ICO) reveal that 219 ransomware incidents occurred in the three months to the end of September 2021. While phishing scams remain the most prevalent, ransomware is now the second biggest threat organisations face.

At the same time, the cyber insurance market is rapidly evolving in response. Companies have often fallen back on their policies when they come under attack, to minimise the operational, financial and reputational losses a major hack can bring. But as the number of attacks has increased, so the major insurance companies have spoken out.
In August, US insurance firm AIG said prices were rising and it would tighten up terms and conditions. In France, AXA revealed it would no longer write policies to reimburse ransom payments.

Defensible stories; control frameworks

This pincer movement of ransomware attacks and tightening insurance is placing renewed focus on chief information security officers (CISOs) and their role.

First, the growing media profile of ransomware attacks is creating more awareness in the boardroom, strengthening the relationships between CISOs and executive teams. News headlines one day can turn into phone calls the next, when CISOs will be asked by their colleagues: What are we doing to protect ourselves from ransomware attacks? Can you talk me through the controls we have in place to ensure the same attack doesn’t hit us? These questions are prompting CISOs to communicate the level of cyber protection in their businesses at any given moment. They are encouraged to share stories, explaining what’s happening behind the scenes, and deliver them in simple language board members can easily understand. These stories are clear and concise, not technical, and create an overview of the priority areas being protected. The CISO’s ability to communicate the big picture is increasingly important as a means of defence, and to bring the topic alive for executive teams.

Secondly, CISOs are moving towards benchmarking their security against industry-specific frameworks. This helps them to adopt best practice, but also strengthens their position in the eyes of regulators and boards. The US government’s National Institute of Standards and Technology (NIST) is just one of the frameworks they can use; and, in October, NIST published a report defining a “ransomware profile”, helping companies to identify the elements of its framework that will help them to prevent, respond to and recover from attacks.

Insure the right response

The steps above will help to create a strong cyber security posture.
However, we are now facing the market reality that cyber-attacks are inevitable, and part of the solution is reducing the downside risks of being hacked. That is why cyber insurance will continue to play a role. According to figures from GlobalData, the cyber insurance market will be worth more than $20bn in the next three years, up from $7bn in 2020; and the financial impact of ransomware attacks is expected to rise to $20bn in 2021, up from just $325m six years ago.

To help respond to the growing threat, it’s important for CISOs and their colleagues to understand the insurance they are buying. As a starting point, find out what’s covered and what’s not. Recent moves by AXA and AIG suggest that insurers are looking closely at these details, and they, along with their actuaries, will continue to assess the escalating impact of ransomware. Companies face more questions to qualify for their requested coverage, and the level of due diligence is going up: in some cases, minimum control standards are being sought before policies are even written. Frameworks like NIST can help to assess these challenges; however, each provider will have their own list of questions and criteria.

Secondly, CISOs should enquire about the process an insurance company expects them to follow in the event of an attack. There may be a requirement, which can be helpful, for an insurance company to be integrated in the response. They can provide specialist teams to help companies navigate the clean-up process, and in some cases, provide expertise related to ransom demands such as negotiation and cryptocurrency exchange. But if these steps aren’t clear, and a company deviates from the policy, they may end up invalidating their claim. Some businesses don’t always know what’s involved and it’s easy for them to slip up.

Protect, but recover, too

Ransomware is here to stay, and the evidence suggests its financial impact will continue to worsen.
Hackers are becoming increasingly sophisticated, and their ability to compromise systems has been amplified by a digital workforce. All industry sectors are at risk, and each one has varying levels of protection against cyber-attacks. According to the ICO, financial services is most affected in the UK, followed by manufacturing and retail, and local government.

That’s why the starting point will always be a good cyber security posture, and a security leader who can provide a defensible story to board members, outlining the quality of current cybersecurity controls. If these controls are mapped against one of the major cyber security frameworks, such as NIST, they are more likely to represent best practice in the eyes of regulators and insurance companies. But if the worst should happen, then cyber insurance will continue to play a role in their recovery.

Now is the time for CISOs and their colleagues to take the right steps in defence of their companies, but also to understand the value insurance will provide in the event of a ransomware attack. This will help to avoid sharing a negative cyber security story and the unexpected impact on the business.

This article is the third in Protiviti’s Cyber Futures series, which is being published during October’s Cyber Security Awareness Month. Other articles explore diversity and skills in cyber security, the role of the modern CISO, and also operational resilience.