Recovering from Ransomware: Cyber Insurance and Incident Response
While cyber insurance can help mitigate the financial impact of a ransomware attack, organizations must understand the parameters of their policy before engaging an incident response vendor.
By: Rebecca Taylor, Incident Response
Ransomware prevalence continues to grow. In 2020, the U.S. Federal Bureau of Investigation's Internet Crime Complaint Center observed a 225% increase in ransom demands over the previous year. With ransomware variants like Conti and Defray777 fine-tuning their destructive qualities, organizations are turning to cyber insurance for financial and incident management support.
Most ransomware victims that request Secureworks® incident response services have some form of cyber insurance. Secureworks incident responders work closely with customers and their legal counsel, who engage with the insurance providers, to set expectations around collaboration, work effort, and key factors such as identifying if data is protected by legal privilege and determining if the victim will pay the ransom demand. However, it is critical for organizations to understand their cyber insurance policies before an incident happens to avoid complications and conflicts.
Same problem, different perspectives
A ransomware attack is a high-pressure, anxiety-inducing, and all-consuming situation. Cyber insurance policies may have specific requirements that dictate the policyholder's initial response. These requirements can include strict notification processes and pre-approved incident response vendors. Insurance providers have forced victims to switch incident response vendors as much as 48 hours after response actions started, causing significant disruptions and slowing response. Organizations should understand the details of their insurance policies and incorporate any requirements into their incident response plans. The day of a crisis is not the time to determine if certain vendors and costs are covered.
During a ransomware attack, cyber insurance providers tend to focus on limiting liability and cost. They often partner with law firms to provide “breach coaches.” These attorneys direct the investigation and advise the policyholder on legal matters related to the incident. The breach coach provides feedback to the insurance provider regarding investigative status and macro risks.
Secureworks incident responders take guidance from legal counsel on salient aspects of the investigation but have a slightly different focus. They concentrate on evicting the threat actor from the compromised environment and restoring the victim's business operations as quickly and securely as possible. They also provide recommendations to help the victim prevent and detect future malicious activity. Some of these recommendations may not be covered by the cyber insurance policy because they are considered improvements to the victim's security posture rather than part of the incident response. Understanding the details and scope of their policy can help victims recognize which costs are covered and evaluate how to address the other recommendations.
To pay, or not to pay?
Often, the biggest question during these attacks is whether to pay the ransom. While most cyber insurance policies cover this cost, the victim decides how to proceed. Secureworks incident responders have observed some victims paying and others refusing. The decision is based on factors such as whether data was stolen (which could result in exposure of sensitive information) and the validity of backups (which determines the need for decryption keys to restore operations). Some name-and-shame ransomware groups exfiltrate data and post the data to leak sites to pressure victims to pay the ransom. Threat actors also use tactics such as contacting senior executives, employees, or customers of the compromised organizations to generate fear, embarrass the victim, and motivate negotiations.
The decisions are yours
Every ransomware victim has a different story. Their incident response decisions are affected by the attack characteristics and the known and potential impacts to business operations, finances, and reputation. Cyber insurance policies can reduce concerns about financial stability, but they introduce additional factors that the policyholder must consider. Secureworks incident responders offer guidance and assistance to help victims make the right decisions about removing the threat actor and securing their environment, regardless of an insurance policy. Although cyber insurance providers and Secureworks incident responders present risks, options, and advice, the victim ultimately makes the decisions.