How should you or a client respond when cyber criminals threaten to hold you to ransom?
This article is the second in a series on cyber extortion and how it affects SMEs. Part 1 focused on the exponential increase of ransomware, how it remains a significant threat for smaller businesses, and touched on strategies that businesses could adopt to lessen the risk.
While robust cybersecurity strategies are vital, no network protection or staff training will protect against a determined, sophisticated hacker or a rogue employee. One report shows that 41% of SMEs experienced a cyber-attack in the year to February 2021, while 20% suffered six or more attacks. For this reason, cyber insurance, as the last piece of the puzzle, may no longer be considered a discretionary spend.
What does the immediate aftermath of an extortion event look like?
One of the most welcome features of a market-leading standalone cyber policy is the 24/7 access to a breach response team; a much-needed resource at a time when tensions are high and there is a need to act quickly and definitively.
A call to a designated breach support line will provide immediate access to a ‘breach coach’ – a lawyer who will assist in guiding a business through the process. That process will typically provide for the immediate appointment of IT forensic specialists, a ransomware negotiator, crisis management and public relations consultants.
During this time, the insurance broker and insurance company will be notified and typically the broker will coordinate management of the claim.
Immediate decisions will centre on whether a ransom demand should (or could) be paid.
It is not currently illegal to pay ransom demands in the United Kingdom (subject to provisions of the Terrorism Act 2000) nor to insure the payment of that demand. Market-leading cyber insurance policies will extend to payment of the demand, as well as incidental extortion expenses.
Recent advisory notes from the Office of Foreign Assets Control (OFAC) in the US confirm that payments to a sanctioned entity are prohibited. Further, the FBI’s official stance is that paying demands emboldens criminals and ‘provides an alluring and lucrative enterprise to other criminals’. Sanctioned entities to one side, the position in the US remains the same as in the UK: ransom payments are not illegal per se.
Putting the legalities aside, from a moral perspective the decision might be considered fairly obvious: paying the ransom arguably treats criminals as business partners and promotes criminal activity of this type, pushing up ransom demand figures.
Businesses risk being accused of funding criminal or terrorist organisations by paying the ransom. There is evidence that ransomware groups are involved in other criminal activities such as drug manufacturing or human trafficking, and in many ransomware attacks the ransom is a ‘distraction’ for other nefarious actions. Against this background, it would be difficult to justify payment.
Such a position may not be an option for some businesses. Consider a hospital on the receiving end of a ransomware attack. Recent attacks on the health sector have left hospitals unable to function, effectively bringing them to a standstill with no access to computer systems or phone lines. An inability to access patient records, save documents or data, or carry out elective surgery has obvious implications. The health sector’s primary focus is understandably on confidentiality and patient care.
One size does not fit all. The decision of whether to pay can be extremely difficult and nuanced. Moreover, payment does not guarantee that decryption keys will be provided or, if they are provided, that they will work. Generally, it is in the cybercriminals’ interest to deliver a working decryption key to ensure their business model is sustainable.
A good breach response team and ransomware negotiator (who may be familiar with the particular cyber gang) will manage this process and guide the organisation towards a decision.
In general, organisations should ensure robust cyber security hygiene protocols are in place so that the consequences of an attack are limited and remediation is straightforward. Maintaining offline backups of any critical data can reduce the impact, as can the other protection methods outlined in Part 1.
A UK accounting firm suffered a ransomware attack in June 2020. The business owners received a demand for £1,500,000 in bitcoin, to be paid within three days, failing which the cybercriminals threatened to release sensitive data and valuable intellectual property into the public domain via Pastebin – a website often used as a public repository of stolen information.
The accounting firm had a cyber policy in place which provided cover for breach response costs, including IT forensics (to establish and secure the breach) and expert negotiators (who were familiar with the hackers and therefore able to provide additional insight into the likelihood of those criminals upholding their end of the ‘bargain’).
After considerable internal discussions and after taking advice from specialist breach response lawyers, the parties agreed on the payment of a demand which represented a 60% reduction. The company received a decryption key shortly after payment, together with appropriate assurances that the stolen data would be destroyed. (Ironically, these cyber criminals had a ‘code of conduct’ with which they complied.)
The cyber policy met the first party breach response team costs (subject to the payment of the excess by the accounting firm, and within the limit of indemnity under the cyber policy).
As a final note, there has been some discussion in the marketplace as to whether the advent of cryptocurrencies has promoted ransomware attacks. The first ransomware event took place in 1989, some time before cryptocurrency existed, but many would argue that cryptocurrency has facilitated ransomware attacks, allowing them to proliferate. The prime argument supporting this proposition is typically touted as the anonymity factor.
However, the tracing and clawing back of ransomware demands is possible and as this method gains a foothold, it is likely that the number of attacks will decrease. Many would argue a determined criminal will always find a way to take advantage, cryptocurrency or not.
Vanessa Cathie – vice president, global cyber & technology, Lockton Companies
If you have any questions please contact your Lockton Account Manager for further advice or email ACCAaccountants@uk.lockton.com.
Lockton is ACCA’s recommended broker for professional indemnity insurance