Management, compliance & auditing

Insurance Against Ransomware Threats

Daniel Dimov
February 24, 2017 by
Daniel Dimov

Section 1. Introduction

Although there is a vast amount of information on the risks of cyber-attacks, not all businesses engage in preparation and implementation of comprehensive cyber risk management plans that include security training, detailed incident response plans, and insurance against cyber threats. In this article, we will focus on the latter only.

Cyber insurance allows the insured persons to mitigate the financial losses caused by cyber-attacks. For example, cyber insurance may cover the ransoms which organizations need to pay to criminals in exchange to regaining access to their computer networks.

Our article will shed some light on the interrelation between cyber insurance and ransomware by overviewing the current trends in ransomware (Section 2), analyzing general cyber insurance practices (Section 3), and examining ransomware coverage in cyber insurance plans (Section 4). At the end of the article, a conclusion is drawn (Section 5).

Section 2. Latest trends in ransomware

Although ransomware (i.e., malicious software restricting access to computer files until a monetary ransom is paid) is not a new phenomenon, it remains one of the most popular forms of cyber crimes targeting organizations and individuals today. The popularity of ransomware can be explained by its characteristics that are appealing to attackers, namely, non-complex distribution model, short execution time, and immediate profit. Also, the difficulties related to tracking digital currencies, such as Bitcoin, have also contributed to the proliferation of ransomware. Email attachments and insecure Internet downloads remain the main routes for spreading ransomware. In addition, every year, a number of new advanced forms of ransomware dissemination are discovered by security researchers. At present, the trending types of ransomware attacks are:

2.1 Cloud storage ransomware. Cloud storage ransomware usually self-propagates after being installed on cloud servers. Virlock is a typical example of cloud storage ransomware. It impersonates FBI authorities and requests victims to pay the fine of USD 250 due to alleged misconduct on behalf of the victims.

2.2 Highly personalized ransomware. Personalized ransomware targets specific organizations and/or individuals, thus reducing the suspicions about the authenticity of ransomware-infected messages. By way of illustration, the personalized ransomware Ransoc: (i) collects personal data from Facebook, LinkedIn, and Skype; and (ii) screens victims' online activities with the aim to detect illicit activities. On the basis of the collected information, Ransoc creates software interfaces which request specific users to pay "fines" for specific illicit acts (e.g., downloading pirated content). If the victims refuse to pay the "fines," they are threatened with court proceedings.

2.3 Ransomware spread through web servers. Criminals often exploit vulnerabilities in web servers to spread ransomware. Such exploits usually consist of three stages, namely, (i) scanning the targeted servers for security flaws, (ii) injecting malware through the backdoor to the interconnected machines, and (iii) controlling servers remotely by using web shells. Samsam is an example of ransomware spreading through web servers. It has infected a number of organizations connected to the same server, including schools, governmental agencies, medical institutions, and aviation companies. Samsam uses Advanced Encryption Standard (AES) mechanism and Jexboss tools for targeting over 300 types of files.

2.4 Windows interface ransomware. This type of ransomware is designed to mimic Windows interface for tricking potential victims. After the ransomware is injected into victim's computer, the victim receives an invitation to reactivate the system due to privacy concerns. It can be done by dialing a toll-free phone number. Alternatively, such a reactivation request may ask the victim to submit credit card numbers and other personal information.

2.5 Windows script files ransomware. File-encrypting ransomware is often spread by malware-injected .wsf files containing a mix of scripting languages. The reason for using .wsf is that such files are hardly detectable by regular anti-malware software. In 2016, more than 1 million emails were suspended from circulation because they contained .wsf files contaminated with the ransomware Locky. The files were camouflaged under .zip files.

Section 3. Cyber insurance practices

Simultaneously with the appearance of new cyber threats in the digital landscape, cyber insurance policies are steady gaining prominence. A PWC report states that about 30% of U.S. organizations have some kind of cyber coverage (most covered sectors are healthcare, technology, and retail), whereas only 2% of the UK companies have insured themselves against cyber threats.

Although each cyber insurance policy is subject to individual terms and conditions, cyber insurance coverages usually include expenses incurred by the insured organization and claims made by third parties. Moreover, it is important to note that cyber insurance policies are often non-standardized. Therefore, companies can individually choose and customize coverage that is most suitable to their business specifics. Cyber insurance typically covers and reimburses the following attack-related expenses:

  1. Expenses related to forensic investigations aiming to identify security problems. Such investigations may be performed by the organization or by external security specialists.
  2. Business losses. Security incidents may result in (i) financial losses caused by downtime, (ii) expenses for data recovery, (iii) implementation of crisis management plans, and (iv) mitigating reputational consequences.
  3. Expenses for notifying clients about the data breach. Many jurisdictions require organizations collecting personal data to inform data subjects about information security incidents related to their personal data. The preparation and submission of such notifications may require additional organizational resources.
  4. Legal expenses. Victims of cyber-attacks may be subject to court proceedings if the attackers make the compromised information publicly available.
  5. Cyber extortion costs. This type of coverage may also include ransoms and similar payments made to criminals.

Taking into account that cyber insurance is a rather new service, it has certain drawbacks. For example, insurance companies cannot precisely estimate the financial impact associated with cyber-attacks. Therefore, to mitigate the adverse effects of this uncertainty, the prices of cyber insurance are relatively high in comparison with other types of liability coverage. Moreover, insurers often include restrictive terms, conditions, and exclusions in cyber insurance policies to reduce the chance of incurring unpredicted business losses.

Section 4. Ransomware insurance

The main element distinguishing ransomware insurance from other types of cyber insurance policies is the coverage of cyber extortion costs. The recent study conducted by SkyHight security researchers reveals that almost a quarter of companies (24.6%) would pay a ransom in case of a ransomware attack even if such amount exceeds USD 1 million (14% respondents). Organizations who sign insurance policies covering ransomware risks need to become aware of the terms and conditions governing these policies. Below, we mention eight important aspects of ransomware insurance policies of which organizations need to be aware.

First, insurance companies often set strict time limits for customers that would like to submit ransom attack claims. Therefore, organizations which fail to submit such claims within the prescribed limits may lose their insurance coverage.

Second, holders of ransomware insurance policies need to be aware of insurance deductibles (i.e., amounts paid from the insured persons before any coverage can be applied). In some cases, such deductibles may be larger than the ransom paid. Some cyber insurance policies do not contain clauses regarding deductibles.

Third, insurers may also request the insured persons to prove a number of circumstances related to occurred ransomware attacks, such as payments of ransom under duress, insured organization's efforts to find out whether the threat experienced during the ransomware attack is genuine, the existence of a management decision to pay a ransom.

Fourth, the timeframe for notifying insurers about ransomware attacks differs depending on the type of ransomware insurance policy. Some insurers require their clients to inform them as soon as a ransomware attack occurs, whereas other insurers require notifications within 30 days.

Fifth, it is important to note that most insurers require organizations to put reasonable efforts to avoid or negotiate paying a ransom. Such efforts should usually be proved to the insurer or coordinated with insurer's assistance. Some insurers reserve the right to cancel ransomware insurance policies if the person who requires a ransom learns about organization's ransomware insurance policy.

Sixth, particular attention should be given to the types of the covered cyber-security incidents. Some ransomware policy may not cover specific types of ransomware (e.g., CTB-Locker or TeslaCrypt).

Seventh, ransomware insurance policies may not always cover the fees charged by security experts for attempting to decrypt files encrypted by ransomware. Such fees can be significant as the majority of ransomware programs use complex encryption. To illustrate, the ransomware Locky uses the Advanced Encryption Standard (AES) - 128. It will take billions of years to brute force (i.e., systematically checking all possible keys until the correct one is found) files encrypted in such a way.

Eight, ransomware insurance policy may not allow the insured to assign its rights under the insurance policies to third parties and/or authorize third parties to act on behalf of the insured. As a result, in the event the insurance company does not pay the insurance compensation in time, the insured may not be able to authorize collection agencies or other third parties to collect the compensation. Thus, the insured may need to devote significant organizational resources to the collection of the compensation.

As a ransomware attack may have a severe impact on IT infrastructure, financial operations, and reputational image, it is important to consider engaging a risk manager who would work to negotiate the terms of cyber insurance with an insurance broker, assist in claiming post-incident payments, and submit mandatory notifications to authorities and/or affected persons.

Section 5. Conclusion

Sustaining organization's credibility can be a challenge in the era of cyber threats. Preventive cyber security measures include employing data recovery plans for critical information, using application whitelisting, keeping operating systems and anti-virus software up-to-date, and controlling employees' access to sensitive information, among other measures.

Cyber insurance, especially the policy covering ransomware and cyber extortion cases, can also be helpful in mitigating the financial impacts of cyber-attacks. This article has overviewed the main aspects of current cyber insurance policies and provided advice that can be helpful in choosing an insurer and customizing insurance coverage that meets organizations' needs. Since cyber insurance is still in its infancy, the limitations of cyber insurance policies remain the main aspects that organizations looking for such insurance should consider.

References

  1. Acohido, B., 'The Growing Problem of Ransomware', Insurance Thought Leadership, 19 September 2016. Available at http://insurancethoughtleadership.com/the-growing-problem-of-ransomware/ .
  2. Blake, A., 'Hacked university touts cyber insurance after $15,000 ransomware attack', The Washington Times, 25th of June 2016. Available at Hacked university touts cyber insurance after $15,000 ransomware attack.
  3. Bonner, M., 'Insuring Against Ransomware and Other Cyber Extortion,' The Balance. Available at https://www.thebalance.com/insuring-against-ransomware-and-other-cyber-extortion-4060470.
  4. Hook, L., 'The rise of ransomware: What should brokers know?', Insurance Business, 31st of January 2017. Available at http://www.insurancebusinessmag.com/us/news/cyber/the-rise-of-ransomware-what-should-brokers-know-58908.aspx.
  5. Dimov, D., '2016 Trends in Ransomware', SensorsTechForum, 23 November 2016. Available at http://sensorstechforum.com/2016-trends-ransomware/.
  6. Franklin, T., 'Cyber Liability and Insurance: Managing the Risks of Intangible Assets: Commercial Lines Coverage Guide,' National Underwriter Company, 2009.
  7. 'Insurance 2020 & beyond: Reaping the dividends of cyber resilience', PWC. Available at https://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf
  8. Kalinich, K., 'Ransomware – Is Cyber Insurance Warranted?', Risk & Insurance, 1 March 2016, Available at http://riskandinsurance.com/ransomware-is-cyber-insurance-warranted/
  9. Marano, P., Rokas, I., Kochenburger, P., 'The 'Dematerialized' Insurance: Distance Selling and Cyber Risks from an International Perspective,' Springer, 2016.
  10. Nelso, P., 'Why companies are becoming more likely to pay when struck by ransomware,' Network World, 15 February 2016. Available at http://www.networkworld.com/article/3032554/security/why-companies-are-becoming-more-likely-to-pay-when-struck-by-ransomware.html.
  11. Pollack, M., '5 Insights Test Cyber Insurance Policies – What Do Your Policies Say?', GenRe, 9th of November 2016. Available at http://www.genre.com/knowledge/blog/insights-test-cyber-insurance-policies-en.html.
  12. Sullivan, C., 'Will Insurance Cover a Ransomware Attack Against Your Company?', FindLaw, 27 September 2016. Available at http://blogs.findlaw.com/in_house/2016/09/will-insurance-cover-a-ransomware-attack-against-your-company.html.
  13. 'The Cloud Balancing Act for IT: Between Promise and Peril,' Skyhigh Networks. Available at http://info.skyhighnetworks.com/WPCSASurvey2016_Download_Gray.html.
  14. Townsend, K., 'Insurance Firm Directs Response in Madison County Ransomware Attack,' Security Week, 10 November 2016. Available at http://www.securityweek.com/insurance-firm-directs-response-madison-county-ransomware-attack.
  15. '15 Days of Cyber Insurance: Ransomware', Stanford Cyber Initiative. Available at https://cyber.stanford.edu/15-days-cyber-insurance-ransomware.

Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.


Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.