After an attack, some governments are deciding to pay the ransom to restore their data and get systems and services back online. But insurers can also help negotiate a different path forward.
In February 2016, the town of Medford, Mass., paid a $300 ransom to get access to its data from cyberextortionists. Outside of the local media, the incident attracted little attention. Three years later, hackers collected a combined $1.1 million bitcoin ransom from two small cities in Florida. The payout made national news.
The size of the recent payouts startled just about everyone, but in some respects, it’s not surprising. Government continues to be a major target, with only the most prepared jurisdictions able to stop ransomware from disrupting information technology. And the demands aren’t the only thing that is growing. So too is the sophistication of the attacks. Cities that have refused to pay ransoms have found it extremely difficult to restart their systems, in some cases having to rebuild from scratch.
The city of Atlanta was hit with a $52,000 ransom demand in April 2018, refused to pay and has been left with a $17 million cleanup bill that includes the cost of lost business to the city. Extortionists crippled Baltimore’s IT systems this April and demanded $100,000 in bitcoin. Like Atlanta, the city refused to pay, and like Atlanta, it has found that the recovery has proven far more daunting and expensive than expected — $18 million and growing.
Many governments, especially small to mid-sized local cities, lack the funds to build up a robust cyberdefense. Limited budgets are also the reason why so many jurisdictions continue to run aging and outdated IT systems, which further hampers attempts to thwart the rise in ransomware attacks. The solution for many jurisdictions is to turn to cyberinsurance to limit the costs that come from an attack. The policies can help cities and counties respond and recover, bring in cyberexperts to evaluate the damage and even help pay the ransom as a last resort.
But not all cyberinsurance policies are the same, and large numbers of local governments don’t carry the insurance at all. Baltimore did not have a policy that could have helped the city offset some of the costs for what has been paid out in terms of recovery and lost business. And with costs exploding — both for recovery from an attack and for the size of the ransom demands — it’s possible the cyberinsurance market is due for a shakeup.
Louisiana Gov. John Bel Edwards declared a state of emergency in the state following a series of mallware attacks on multiple school districts in July. / Shutterstock.com
First, the good news. Ransomware incidents are actually declining, according to cybersecurity firm Symantec. But that’s primarily because high-volume attacks using basic ransomware software have been easy to block using anti-malware tools or work-arounds involving backup data. Instead, professional criminals are using sophisticated malware, such as Ryuk, to go after fewer, but larger, targets. The cybersecurity consulting firm Crypsis points out that rather than attack a single machine, criminals are using enterprise malware that can spread virally throughout an organization, making it harder to respond and recover.
Enterprisewide ransomware attacks mean higher extortion demands, with some organizations receiving ransoms for 20 to 50 bitcoins (the preferred method of payment in ransomware attacks). When criminals attack with the Ryuk malware, the impact is large and the payment demands average $288,000, compared to just $10,000 with other types of malware, according to Coveware, a ransomware recovery firm.
“Ransomware has become a notorious problem in the last two to three years,” said Dave Chatfield, vice president of NetDiligence, a cyber-risk and response service that works with insurance companies and their clients. “There has been a striking uptick in the number and percentage of cyberclaims that have been the result of ransomware.”
Tim Francis, enterprise cyber lead at Travelers Insurance, also sees a growing trend with ransomware attacks. “The [extortion] demands are getting larger, unfortunately, and it’s not unique to the municipal sector,” he said. “It is a phenomenon borne out of the fact that the software the bad actors are using is much more sophisticated than it used to be.” Early on, ransomware software wasn’t that good, which meant attackers only asked for a small amount of money, according to Francis. “The problem was a nuisance and it was easy to bring systems back online,” he said.
Today, however, the complexity of the malware has made the attacks much more serious and potentially harmful to an entire organization. “There are times that if you don’t pay [the ransom], your systems are not going to come back online, leaving you having to rebuild from the ground up,” he said. “If you are a government with legacy systems, that’s a daunting task.”
As Francis and other experts point out, ransomware is a problem affecting both the public and private sectors. It tends to impact small to mid-sized firms that don’t have the robust cyberdefense capabilities typically found in large firms and governments. But cities and counties have also become soft targets for ransomware attacks, thanks to their limited budgets and reliance on out-of-date technology.
Alan Shark, executive director of the Public Technology Institute, believes the problem will get far worse before it gets better, given the history of tight IT budgets and the limited control CIOs have over their systems and the changing nature of technology. “The problem for CIOs is that they cannot control all the end points in their systems; so much of government is mobile communications,” he said. “Meanwhile, the political forces are against spending more on protection. Elected officials don’t want to put the extra money into IT. Governments are stressed for capital.”
For years, states and localities have had access to cyberinsurance policies to help cover the costs of any damage or disruption to their IT systems. Most organizations look at cyberinsurance as a product that is meant to deal with compromised confidential information. Think of data breaches and the lawsuits that can ensue once personally identifiable information is exposed. But the rise in ransomware has expanded the role of cyberinsurance, taking it in new directions, according to Francis. “Cyberinsurance would not only pay to deal with an event [involving ransomware], but we would be able to provide the insured with access to a network of professionals, including forensic investigators who deal with these types of incidents all the time,” he said.
The investigators can quickly evaluate whether a ransom needs to be paid, or if a system backup or reboot will fix the problem. Insurance investigators might advise paying only a portion of the ransom, said Francis. “They will work with the bad actors and say something like, they will not pay all the money up front on the premise they will act in good faith. Instead, they might negotiate to pay 10 percent and have them turn over 10 percent of the data, just to see if they are willing or have the ability to turn over the data under ransom.”
Beyond helping negotiate with ransomware attackers and paying for the cost of recovering from an attack, insurance firms and the brokers that work with them can act as risk managers for clients. Mike Volk, vice president of cyber-risk solutions at PSA Insurance and Financial Services, says his firm can review an organization’s IT ecosystem to help a client understand what they currently have and what needs protecting.
“We have a process to help figure out what data they have that is critical to business operations, the key IT systems they rely on, and if those become unavailable from an attack, how it will impact the mission,” he said. “Then we map all that back to cyberinsurance coverage.” Volk says that by showing clients how a cyberincident will impact their business, they can think up front about what needs to be done, rather than scramble on the back end. “Part of that ties into the right kind of insurance to buy,” he said. “We provide recommendations based on those discussions.”
While conducting these kinds of risk assessments seems obvious, in reality, the practice is not widespread. In a 2018 survey of both public- and private-sector respondents by Travelers Insurance, one of the nation’s largest providers of cyberpolicies, 91 percent of respondents reported being confident their companies have implemented best practices to avoid a cyberevent. Yet, 55 percent admitted not completing a cyber-risk assessment; 62 percent had not developed a business continuity plan; 63 percent had not completed a cyber-risk assessment on vendors who have access to their data; and, most revealing, 50 percent had not purchased cyberinsurance.
Francis says the government portion of the cyberpolicy market at Travelers is growing. “The kind of coverage varies on the size of the municipality, and around how we assess the risk and the threat,” he said. “When governments apply for cyberinsurance at Travelers, they are asked to identify the types of data they have, what their security controls are, their patching cadence [frequency] and how well prepared they are to deal with an event, should it take place.”
The city council in Riviera Beach, Fla., unanimously voted to pay more than $600,000 in ransom to get their data back. / Shutterstock.com
When it comes to ransomware and cyberinsurance, everybody talks about Riviera Beach, Fla. After an attack in June encrypted the city’s data, the Riviera Beach City Council voted unanimously to give in to the ransom demand and pay over $600,000 to recover its data and systems. Also in June, Lake City, Fla., paid $470,000 to extortionists. But the city only had to pay a $10,000 deductible; cyberinsurance covered the rest of the money owed to the attackers.
PTI’s Shark called these substantial demands and record ransom payouts game changers. “That’s the first time someone in the public sector has paid such a large amount,” he said. “The insurance company paid out the ransom, knowing that it would be significantly lower than the cost to rebuild the systems from scratch.”
And that’s what worries him. When cyberinsurance firms know it is cheaper to pay the ransom rather than pay for the cost of rebuilding aging government IT systems from scratch, the ransomware problem could spiral out of control with attackers demanding ever-larger payouts. As a result, attacks will continue against the weakest and least-prepared local governments. But Shark doesn’t really blame the insurance companies for the situation. He understands that in the short term, ransom payments remain cheaper than system rebuilds. “This situation requires the feds and states to step up, otherwise the problem will continue.”
Insurance firms say there’s little they can do about making ransom payments a part of their policy. “Even if I philosophically disagree with the payment option, we have to provide our clients with what’s available in the marketplace,” said Mike Volk. “We don’t want to encourage criminal activity, but it has become a necessary part of doing business as a cyberinsurance broker. Payment is a solution, and we have to offer it until the market changes or if there’s some kind of legislation that prohibits it. Meanwhile, this is going to continue.”
With the problem expected to grow, governments, especially small to mid-sized jurisdictions, need to obtain policies, Francis said. “From my perspective, not nearly enough municipalities are buying insurance. More are uninsured, and given the rise in ransomware attacks, the need is there to offset the cost of the ransom attacks.”
In an ironic twist, government has helped the country wake up to just how pervasive and costly ransomware has become. The attacks are estimated to cost American businesses as much as $75 billion in lost business and ransom payments, according to Datto, a disaster recovery and business recovery firm. But few companies publicize when they are attacked and that ransomware is behind their lost data and failed IT systems. Not so with government.
“One thing municipalities have going for them is that when an event happens, it makes the news,” said Francis. “It puts a lot of eyes on the problem that haven’t been looking before. It’s becoming more common for local government risk managers to understand that a ransomware attack can occur anywhere, against anybody.”