Ransomware claims: behind the scenes

Sadly, many of your clients will have fallen victim to cybercrime over the past couple of years – their data held hostage, systems suspended, or payments redirected by some faceless criminal halfway around the world.

Worse, despite the clear benefit of cybercrime policies, there are many businesses — small- to medium-sized enterprises (SMEs) in particular — who insist on believing a cyber attack won’t happen to them, and that buying a cyber policy would be a waste of valuable budget.

Here are a few insights for those sceptics.

Let’s say a recruitment firm in Winnipeg is by a cyber ransom attack. They’re locked out of their systems. None of their employees can access their data. They can’t log in and many of their laptops have been encrypted. There is a ransom note in an innocent looking text file demanding 20 Bitcoin – worth over a million dollars at the current rate, a vast sum for any SME. The firm has never experienced a cyberattack before. They don’t know if they should even pay the ransom, let alone how to buy Bitcoin.

Our first job is to find out where the company’s backup files are stored and whether they’ve also been encrypted. Then we work to identify the hackers and determine how they accessed the insured’s systems.

Calling on our in-house cyber incident response experts, we examine the note and a few samples of the encrypted files. Using various threat intelligence feeds and insights gained from cyber claims we’ve previously dealt with, we can quickly pin down which of the thousands of variants of ransomware we’re dealing with.

iStock.com/Tomasz Śmigla

While the incident responders work their magic, we’ll also have engaged with one of our specialist in-house negotiators to buy some time for our forensics team to investigate the extent of the damage and potential for recovery. Our goal is to gather as much information as possible to provide the client with response options.

Within 24 hours of receiving that first panicked call, we bring together the insured, our response team and, if necessary, one of our specialist lawyers from the partner panel under the policy. Together we talk through the options, along with any legal and regulatory obligations.

With all eyes on the progress of Bill C-11, which would see Canada create one of the strictest data protection regimes in the world, we provide the insured with the complete picture of what they’re facing. We’ll have checked that the hackers aren’t on any blocked persons list, as it is illegal to facilitate payments to entities on the U.S. Office of Foreign Asset Control’s specially designated national list. Not many SMEs are even aware of such lists, but they could find themselves in deep trouble if they initiated a payment to a prohibited entity.

One option is to pay the hackers for the decryption key. While this might seem the quickest way out of trouble, it isn’t. Gaining access to large amounts of Bitcoin isn’t easy although cyber insurers do have access to third parties that make this possible. And while the hackers do generally hand over the key, the decryption process is often complex and the key isn’t always reliable.

Alternatively, the insured can ignore the hackers and focus on rebuilding their systems and data.

Back-ups provide a starting point, but it can be a slow process resulting in a substantial amount of disruption for the business while the malware is eradicated, machines are rebuilt and data is restored.

In choosing this second option, we’ll assess all these activities against the policy and determine the overall financial loss to the company. Most policies today are heavily weighted toward first-party exposures such as the business interruption impact associated with ransomware events and the financial losses incurred due to funds transfer fraud and other types of cybercrime.

Ashley Burdon is the cyber incident manager at CFC Underwriting. This article is excerpted from one that appeared in the Aug.-Sept. issue of Canadian Underwriter.

Feature image by iStock.com/AndreyPopov