Ransomware attacks – in which attackers seize control of, and withhold access to, a target’s operational or personal data until a fee is paid – are a growing threat to businesses. To mitigate this threat, it is vital that firms have a crisis management plan in place that can be executed in the event of an attack and that limits the extent of any damage.
Ransomware – a major cyber security threat
Ransomware continues to represent a major cyber security threat to businesses. According to IBM’s 2023 Cost of a Data Breach Report, the global average cost of a ransomware attack was US $5.13 million, an increase of 13% compared to 2022. Ransomware attacks accounted for almost a quarter (24%) of all cyber security breaches against businesses.
Analysing the Lockton London Cyber portfolio provides further evidence of the threat facing businesses. Among the last 10 ransomware claims observed, the largest incurred was approximately USD 53m. Others included a USD 17m claim involving a large retailer and a USD 6m claim affecting a healthcare organisation. In all three of these cases the ransom payment constituted approximately 25% of the total incurred cost; the remainder was made up of response, recovery and business interruption costs. Energy providers and financial institutions were also among the most recent claims, indicative of the wide variety of businesses targeted by cyber criminals.
Victims of a ransomware attack may, or may not, decide to pay a ransom. Strategy here is likely to depend on factors including the extent of the attack, the feasibility of continuing business operations, the size of the ransom demand, and access to cyber insurance/crisis response support.
Before any decision to pay an attacker, firms should obtain legal advice from breach counsel, who would also advise them whether to notify law enforcement. Firms should also seek technical advice from ransomware negotiators, who specialise in handling ransomware events on behalf of clients. Their services include: engagement with the threat actor to verify that they are “credible” criminals (i.e. a group known to actually provide a working decryptor once paid); verification of proof that the threat actors have access to the data and systems they claim to have; negotiation of the ransom itself (typically around 20%); and facilitation of the ransom payment if the firm decides to pay. They keep a record of all communication with the threat actor should the client require it as evidence.
If firms have cyber policies, they should notify their insurers and obtain their written consent before paying the ransom if they intend to claim for it under the policy.
Creating a crisis management plan
Given the devastating impact of ransomware, it is essential that firms establish a comprehensive crisis management plan to be executed in the event of an attack. This typically includes:
Preventative controls – e.g. adopting the relevant hardware and software solutions; conducting risk assessments; creating data backups; training employees to understand ransomware risks and identify potential attacks
Detective controls – e.g. determining affected systems and isolating them from the remainder of the network; taking the network offline; informing staff of the attack and actions to contain further spread; informing relevant clients, business partners and other relevant stakeholders of an attack; capturing volatile memory contents from affected devices to help determine the sequence of events leading to the attack
Corrective controls – e.g. alerting key partners to assist with strategy and ransom negotiation; reporting the attack to relevant parties, including insurance partners and law enforcement; deploying decryption tools where necessary; wiping and rebuilding systems, including resetting passwords and checking backups are uninfected
To be most effective, any crisis management plan should be stress-tested through simulated-incident and table-top exercises.
Cyber insurance protection
While a crisis management plan can reduce the likelihood and severity of any ransomware attack, it cannot offer complete protection. To provide themselves with an additional layer of security, firms may consider taking out cyber insurance.
Cyber policies can include:
Pre-incident support – including access to cyber security expertise and threat intelligence services, IT vulnerability assessments, staff training on cyber security, and help with password management
Security and privacy breach costs – including costs of notifying customers of a cyber breach, handling enquiries, public relations advice, IT forensic costs, and claims of infringement of privacy and associated legal costs
Post-incident support – including systems assessments, identifying the source of any breach, advice on legal and regulatory requirements, and data landscaping and restoration
Business interruption – including cover for loss of income during the period of interruption, including if this is caused by increased costs of conducting business in the aftermath of the incident
Cyber extortion – including reimbursement of the ransom amount demanded by the attacker, as well as any consultant’s fees for overseeing the negotiation and the transfer of funds to resolve the ransom demand
Damage to digital assets – including loss, corruption, or alteration of data, as well as the misuse of computer programmes and systems
For further information, please visit Lockton’s Cyber page, or contact:
Carlo Ramadoro, Broker, Cyber and Technology
E: carlo.ramodoro@lockton.com