Ransomware is the single biggest risk facing businesses today.
Such attacks are becoming increasingly prevalent as the criminals develop ever-more sophisticated methods and attack vectors. Increasing digital interconnectivity, and the use of mobile devices and the Internet of Things have provided the hackers with more touch points to attack. As companies grow further and faster than before, so too are they leaving themselves more exposed to these cyber threats, which are only increasing in severity and frequency.
The problem is exacerbated for larger firms with legacy systems and networks or those undergoing mergers or acquisitions. Certain industries, such as manufacturing and many in the public sector, are also less well prepared for these new types of attacks.
Driving this rising tide of ransomware attacks are nation-state sponsored hackers from countries such as Russia and Ukraine, who have only one aim: to cause maximum disruption. Such is their growth that they have now become an industry in their own right, with the criminals hiring out their services or acting as brokers in return for a cut of the profits.
The costs go far beyond the initial loss, too: they extend to business interruption, forensics, recovery and restoration costs arising from the event. Added to that, ransom demands are increasing as the hackers target higher-value organizations.
“Gone are the days of limited seven-figure ransom demands,” said Tim Nunziata, Associate Vice President and Head of Cyber Risk at Nationwide. “Now we’re seeing multi-million dollar demands regularly.”
The effects of such attacks on businesses can be ruinous, not just operationally and financially, but also reputationally — something many small and mid-sized firms don’t have the wherewithal to deal with. In worst-case scenarios, they can be forced out of business.
One key challenge is that claims are no longer confined to specific industries.
In the past, claims were largely limited to data privacy and network security breaches, so sectors such as banking, healthcare and retail were more likely to be targeted.
Now, any business could fall victim to a ransomware attack. Consequently, a more collective approach to controls, policies and procedures is needed to counter the problem.
Given the global nature of ransomware, inconsistent data privacy and security regulation is a big issue, particularly in the U.S., where firms may be operating in multiple states, each with its own legislation.
“One challenge the industry faces is the lack of consistency. Not only is it a low bar for certain requirements and regulations, oftentimes the bar wasn’t there a few years ago,” said Nunziata.
The recent introduction of new laws aimed at setting the standard for cybersecurity and data privacy practices has at least provided a framework for a broader approach to tackling the problem. The New York State Department of Financial Services’ Cybersecurity Regulation, the California Consumer Privacy Act, the European Union’s General Data Protection Regulation and China’s Cybersecurity Law all aim to step up cyber and data privacy protections.
Insurers are also reacting to the ransomware threat. The primary markets are significantly increasing retentions, raising rates by as much as 400% in some areas, supplementing coverage, tightening terms and putting limits on certain extensions.
“It was a soft market for a long time,” said Nunziata.
“But primary markets are increasing retentions substantially and restricting certain coverage extensions, because the ransomware incidents have become more common and complex.”
Businesses need to prepare for a ransomware attack by putting appropriate risk management controls and policies in place. They must also have an incident response plan, which includes secure and reliable backups kept on separate networks and updated regularly, along with data segmentation to limit the spread of an attack.
Companies should be in regular contact with their insurer to discuss the risk mitigation strategies they are taking to address the problem, both before and after an attack. They also need to work with their IT, network security and cybersecurity teams to constantly test and update their systems and protocols.
Given that ransomware attacks stem from unauthorized access to a system or data, and that more staff are now working from home, organizations need to focus on their access management controls to ensure that access is restricted to only those who need it to perform their duties. They also need to implement and reinforce remote desktop working protocols.
“The majority of incidents are self-inflicted,” said Nunziata.
“Whether it’s social engineering or phishing, an employee clicks on a link that takes them through to a website set up to capture their data or they work in an unprotected network, the employee is an organization’s biggest vulnerability.”
Companies, with the help of their broker, need to make sure that their insurance is comprehensive enough to cover them in the event of an attack. Too often, they assume that they will be covered under their property, liability or crime policies when, in reality, they aren’t.
Firms, therefore, need to have a standalone cyber insurance policy in place to guard against potential exposure.
For those that also hold property and casualty policies, insurers are now explicitly stipulating in their terms whether cyber is included or excluded, to avoid any confusion, gaps or overlaps.
“As insurers examine increased loss history and claims data, they are able to better assess and price for the risk, and provide the affirmative coverage the client needs,” said Nunziata.
“That will translate into more comprehensive coverage at a rate which more accurately reflects the risk and makes sense for the client.”
Nationwide has been at the forefront of cyber insurance for the last 10 years. The company has built a portal that provides its brokers and clients with training modules, news and updates on industry trends, and a business interruption calculator to enable them to get a better understanding of the risk, as well as access to a list of vendors in the event of an attack.
Nationwide’s Enterprise Cyber Insurance product is designed to improve organizations’ cyber risk profiles. It provides policyholders with access to a range of loss prevention tools and services, breach response and remediation expertise, and an experienced claims team.
No matter how good your cybersecurity is, the criminals are always one step ahead. That’s why you need to act now to make sure you are taking all the right precautions to avoid an event happening in the first place.
“Network security and cybersecurity used to be just a conversation that organizations would have,” said Nunziata.
“Now, they are doing everything in their power to protect customer data, particularly in light of the rise in ransomware attacks, increased regulatory scrutiny, and a generally more aware and savvy customer base.”
For more information, visit https://mls.nationwideexcessandsurplus.com/fs/products/cyber-and-professional-liability/.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.