In January 2017, Licking County, Ohio, was hit with a massive ransomware attack, affecting more than half of the county’s servers and locking up and encrypting data. Even the phone system was crippled, impacting the county’s 911 system. The hackers demanded 28 bitcoins, or the equivalent of $30,000, in order for the county to access its information and resume operations. By the time county tech workers discovered the malware, they had a choice: Pay the ransom or use backups to recover the data and work through every system and delete the malicious code. They opted for the latter, and while most county operations were slowed for nearly two weeks, after the initial recovery, most vital systems were back online.
“We thought we were pretty good,” said Licking County Commissioner Tim Bubb. “We found out we weren’t as good as we thought.”
Bubb hopes that others can learn from their experience, and a neighboring county is taking that message to heart, working to protect itself from potential ransomware attacks. On July 18, Franklin County, Ohio, approved the purchase of a $140,000 cyberinsurance policy that included extortion-specific protections. “It just makes sense in this day and age to expend the funds to make sure we have protections in place,” explained Franklin County Administrator Ken Wilson. “We want to be able to be in a situation where we aren’t reactive … but proactively protecting ourselves.”
The rise of ransomware, a type of malicious software that invades computer networks and encrypts data until a ransom is paid, has been exponential. The bugs often take advantage of older operating systems with security vulnerabilities. “Every government level is going to be a target because they have tons and tons of data,” said Erin Ayers, editor for Advisen Ltd., an insurance company. Ransomware is “prevalent enough of a threat that most sophisticated cyberbuyers are not buying coverage if it does not have some kind of recovery for ransomware.”
Cyberinsurance policies increasingly include ransomware protections that can be used to help recover losses that otherwise result in business disruptions or actual ransom paid. Ransomware insurance usually takes the form of a “separate extortion endorsement that is added to a policy if you want coverage for ransomware,” explained a representative from the National Association of Insurance Commissioners (NAIC).
One issue for the widespread adoption of ransomware extortion riders is the lack of standardization in cyberpolicies. Because the industry is still in its relative infancy, there are a number of criteria buyers need to abide by in order to ensure their policy covers cyberattacks. For any public agency looking to purchase cyberinsurance, NAIC recommends doing your research beforehand, understanding what you’re getting and asking lots of questions.
While updating its cyberinsurance policy, the Indianapolis Airport Authority recently included protections against ransomware attacks. Senior Director of Information Technology Reid Goldsmith said the move was spurred by a ransomware incident in nearby Madison County, Ind., in late 2016. The county eventually paid more than $200,000 for data recovery services and offsite backups. Goldsmith took a lesson from that, and ensured that ransomware “was top of mind when we were discussing a cyberliability policy.”
But no cyberstrategy, even one that includes robust protections backed up by cyberinsance, is foolproof. “It’s like you live in a house with 1,000 doors,” Bubb said. “If one is left cracked open, that’s enough for a break-in.”