The widespread WannaCry attack demonstrated the acute vulnerability of computer systems to ransomware attacks. There is no reason to think that larger, more sophisticated attacks aren’t already being planned — the perpetrators of WannaCry reportedly profited handsomely — and companies that have not assessed and addressed the risk posed to their systems by such attacks may remain vulnerable.
Companies can take prophylactic steps to protect their systems against ransomware, focusing on improving data security hygiene, establishing effective governance and raising employees’ awareness of the threat.
Upgrade and update
Patched systems have a better chance of avoiding the consequences of an attack. Before WannaCry struck, Microsoft had released a security update in March that addressed the Windows vulnerability exploited by the ransomware in May, and it released additional security patches after the attack. In a statement released on May 12, Microsoft said, “Those who are running Microsoft’s free antivirus software or have Windows Update enabled are protected. Given the potential impact to customers and their businesses, Microsoft released updates for Windows XP, Windows 8, and Windows Server 2003.”
Companies can improve their security posture tremendously if they review their in-service software and replace out-of-date software that is no longer supported by the developer.
They should also implement strong IT policies and procedures, including:
- Using daily automatic file backup and offsite storage. Automatic data backups to off-site storage areas ensure that, if devices are infected, minimal loss will occur.
- Ensuring that the IT department updates spam filters and firewalls daily.
- Having a system in place for automatically updating security patches within an hour of receipt.
- Disabling macros, auto-play and file-sharing in employee email settings.
Raise awareness of the threat
As the U.S. Department of Homeland Security stated on May 12: “Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school.”
Many people are simply not aware of the ubiquity of threats. IBM estimates that ransomware is present in 40% of spam emails. A study done by Nuix showed that 84% of hackers utilize social engineering while carrying out their attacks. Ransomware is most commonly spread through attachments in emails (.pdf, .doc, etc.).
Education of company personnel — impressing on them the importance of not clicking on unfamiliar links, continually reviewing security policies with all employees and training employees on how to recognize and prevent phishing — goes a long way toward preventing breaches.
Of course, even companies that have taken all of these precautions can still be hit by a ransomware attack. What do you do if that happens?
- Isolate the malware. You may be able to prevent the malware from spreading to other systems by isolating it. Disable connections between infected computers and resources and other parts of your network immediately.
- Assess backup resources. Determine when your last uninfected backup occurred. If you have strong backup practices, meaning that you back up frequently and your backups are not directly connected to your network, you may risk losing only a day’s work as a result of a ransomware attack.
- Initiate your incident-response plan. Now is the time to use the incident-response plan you had the foresight to adopt. Get the right decision-makers on the field, follow your escalation plan, consult your outside vendors, activate your crisis communications, consult with outside counsel and work the problem until it is resolved.
- Contact law enforcement. Ideally, you will have an established relationship with your local FBI or Secret Service Cyber Unit. Still, no matter how familiar your company (or counsel) is with these agencies and their personnel, understand that in the event of a widespread attack, the FBI may be inundated with victim complaints. Law enforcement most likely will not have the technical resources to resolve the ransom demand, but reporting demonstrates a proactive response.
If you have not identified a law enforcement point of contact in your incident-response plan, contact your local FBI field office directly (www.fbi.gov/contact-us/field provides a list of offices by location) or file an online complaint with the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov. Regardless of the option you choose, be prepared to provide the following information:
- Date of infection
- Ransomware variant (identified on the ransom page or by the encrypted file extension)
- Victim company information (industry type, business size, etc.)
- How the infection occurred (link in email, browsing the internet, etc.)
- Requested ransom amount
- Attacker’s bitcoin wallet address (may be listed on the ransom page)
- Ransom amount paid (if any)
- Overall losses associated with a ransomware infection (including the ransom amount)
- Victim impact statement (how the attack disrupted the business, shook company morale, etc.)
The value of insurance
Many policies within your company’s insurance portfolio may respond to a ransomware attack. Below are examples of insurance coverage your company may have to help with ransomware losses and tips for policyholders to maximize all available insurance:
- Cyber extortion coverage. Found in cyber/privacy policies, this coverage will pay ransomware demands and expenses, including reimbursement for legal expenses and any amounts spent in obtaining the ransom currency (bitcoin, foreign currency, etc.) on short notice.
- Cyber breach coverage. Cyber/privacy policies also pay costs incurred if the ransomware attack included a breach of third-party sensitive data. Most U.S. states have breach-notification laws that require you to notify any individuals and companies whose data was compromised. This coverage pays the costs of a notification service, mailing costs, privacy attorney fees and more.
- Business interruption coverage. Business interruption costs can be the most expensive loss component after a ransomware attack. Business interruption coverage pays the company for lost income incurred as a result of the company being unable to access its computer system. This coverage can be found within your company’s cyber/privacy, property, and bundled business owners policies.
- Forensic investigation coverage. Could the ransomware have been a ruse for a larger nefarious breach of your company’s computer system? This is a common trick of thieves. All companies that have been attacked need to assess whether the attack stopped with the ransomware or whether other malicious code was placed within the company’s system. Forensic investigation coverage pays these costs and is regularly found in multiple business policies including cyber/privacy, property, directors and officers, and crime policies.
- Regulatory coverage. Regulators may have questions regarding the extent of the breach and whether the breach impacted third-party data. Regulatory coverage often reimburses the company for the costs of privacy counsel hired to interact with and respond to the regulators and payment for fines and penalties imposed against the policyholder if the policyholder was negligent in safeguarding the data. Regulatory coverage can be found in cyber/privacy, directors and officers, and errors and omissions policies.
- Data restoration coverage. Data restoration coverage pays costs to recreate lost data, decrypt data or reinstall data from backup servers. This coverage is typically found within cyber/privacy and property policies.
- Additional insured status. Companies often overlook additional policies that may respond to ransomware attacks — policies where they are listed as additional insureds. Legal should ask the company’s risk manager if it is listed as an additional insured under any policy that may potentially respond to the ransomware.
Policyholders should not be discouraged when policy exclusions initially appear to preclude coverage. The case law in this area is still in its infancy, insurance case law varies by state, and many policies contain ambiguous language that should ultimately be construed in favor of coverage. If in doubt, notify your carriers.
Once you have determined which policies will respond to your loss, provide the carrier with prompt notice in accordance with the requirements of the language in the particular insurance policy. Each policy’s notice section may require different information or method of delivery. If the information you are required to disclose is sensitive, you can provide broad notice, explaining the sensitivity of the information and requesting the carrier to sign a nondisclosure agreement prior to sending the sensitive details.
Every policyholder needs to be careful in explaining how the ransomware attack occurred, what happened in the aftermath, and what steps the company is taking to prevent future attacks. What is communicated to the carrier may be the difference between having a claim covered versus having it denied.
Maintain a single cohesive message with insurers and your broker by identifying a single point of contact in your company who will communicate with the insurance companies and broker, along with outside counsel, throughout the life of the claim. This is usually the risk manager or in-house counsel.
One mistake companies often make is not carefully managing the forensic consultant’s scope of work. The work should be limited to determining how the attack occurred, restoring the computer system and files, and, if necessary, determining how your company’s computer system was breached. Expanding the forensic consultant’s work beyond specific details of the current fraud could provide information your insurance carrier could use to deny your claim or even rescind your policy.
Maximizing your insurance coverage is not easy. Taking the steps above is a great start, but in complex or expensive claims, your company should hire outside insurance recovery counsel to help navigate the coverage. Outside coverage counsel works with risk managers and in-house legal counsel to ensure that a policyholder meets its reporting obligations without compromising any potential coverage. When multiple policies respond, the policyholder may be faced with strategic decisions. Are there applicable “other insurance” provisions within the potentially responsive policies that dictate which policy is primary and which is excess? Do the policies allow the policyholder to choose which policy responds first? Experienced coverage counsel can assist your company in parsing out which coverage exists and your company’s best path to obtaining a total recovery.
Selena Linde is a partner in Perkins Coie’s Insurance Recovery Practice. She can be reached at email@example.com. Markus Funk, who served with the U.S. Attorney’s Office in Chicago and the U.S. State Department in Kosovo, is the firmwide chair of Perkins Coie’s White Collar & Investigations Practice. He can be reached at firstname.lastname@example.org. Todd Hinnen, who served as the acting assistant attorney general for National Security at the U.S. Department of Justice, is a partner in Perkins Coie’s Privacy & Security Practice. He can be reached at email@example.com. Jonathan Hardin is a counsel in Perkins Coie’s Insurance Recovery Practice. He can be reached at firstname.lastname@example.org. This article was adapted from a May 15, 2017, Perkins Coie Update, “Ransomware: How to Avoid It and What to Do If You Have Been Hit.”