According to Bill Mew, CEO of Crisis Team, the short answer is no. In his experience, the smaller the claim the better the odds of reimbursement, since insurance companies don’t like the negative publicity associated with denying claims. Large claims on the other hand, are a different matter.
A well-known example is a multi-million insurance claim made by Mondelez, a multination food and beverage manufacturer. The case shows how insurers can get creative when denying claims. It was denied on the basis that the hack and subsequent encryption of Mondelez’s data was an ‘act of war’, after the US government stated that the NotPetaya ransomware, which originated from Russia, accidentally spread beyond its intended target, the Ukrainian government.
According to The Register, some insurers have a list of recommended firms to help you during a crisis. Keep in mind however, that these firms may be looking for ways in which you have not complied with ‘reasonable’ precautions as mandated by their policy. It’s imperative that you strictly follow best practices, NIST guidelines and any other special requirements outlined by the insurer in order to increase your chances of a successful payout.
If all this is not enough to make your stomach churn, consider that paying the ransom does not guarantee getting your data back. With Interpol and the FBI actively hunting down and disabling command and control servers, you may find that your data is not recoverable, even after having paid the ransom.
Also keep in mind that cyber criminals put more effort into the process of encrypting than in that of decrypting. In a more recent case, Colonial Pipeline decided to pay the ransom amount in order to avoid spending several weeks rebuilding their systems from backup. Much to their surprise, they discovered that the decryption process ran so slowly that it was faster for them to recover from backups after all.
As many businesses turn to the cloud to mitigate cyber risk, keep in mind that most cloud providers put the onus of backing up and securing data on you. While cloud providers may have good border defenses, they need to let you and your employees in, and there’s the Achilles’ heel. If you can access the data, so can a hacker. As many people who have had their cloud-based email and storage accounts compromised will tell you, just because you work in the cloud doesn’t mean that security issues are magically solved for you.
So, what is the best course of action? Prevention of course; investing to avoid a cyber incident is the most efficient use of time and budget. As Dr. Thomas Fuller coined, and Benjamin Franklin popularized: “A stitch in time saves nine”.
Here are Some Preventive Measures to Help Avoid a Ransomware Incident:
- Implement an intrusion detection system (IDS) with live monitoring. Hackers often spend weeks and months exfiltrating data, disabling antivirus programs and deleting backups before they execute their malware and encrypt your data. IDS systems can flag anomalous network traffic and alert the IT team.
- Block access to countries that you don’t do business with or need to communicate with, especially countries known for harboring cyber-criminals.
- Block e-mail attachments that can carry malicious payloads such as zip files, executables and macro enabled MS Office files.
- Use a modern threat management firewall that can scan inbound and outbound traffic for malware. Security is layered and the more layers, the more secure.
- Use an anti-virus software that cannot be uninstalled without a password.
- Take our cybercrime awareness course at least once per year and require all your employees to do the same.
- Create a security focused culture in your organization, starting from the top down.
- Use network policy and logical constraints to prevent non-managed devices from joining your trusted network segments.
- Segment your network, because a flat network topology is a security risk. Networks should have a trusted LAN segment for managed, secure devices, a guest network for untrusted devices and a separate DMZ segment for IP phones, IP cameras and IoT devices.
- Use off-line backups, remote backups and password protected NAS devices to back up data.