What Should I Do If My Company Gets Hit With a Ransomware Demand?

By: | February 28, 2019

Jeremy Gittler is the Practice Leader and Head of Cyber Americas at AXA XL. He and his team coordinate and implement data breach response and crisis management services for AXA XL insureds that have suffered a cyber-attack. Jeremy and his team also evaluate coverage and draft detailed analyses pursuant to cyber, technology, media, and miscellaneous professional liability policies. He advises senior management, underwriters, brokers and insureds on coverage, litigation / dispute resolution strategies, and the business impact of lawsuits. Jeremy joined AXA XL in 2012 after working six years in the Cyber / Technology / Media Liability claims group at AIG, where he rose to the position of Senior Complex Claim Director. He can be reached at [email protected]

Your company has just been the victim of a network security breach. Cyber criminals have locked you out of your company’s system and are now demanding a ransom to allow you to continue with your business. Do you pay?

It’s a question far too many companies face every day. Ransomware attacks are increasing year over year, and so are the amounts attackers demand. Cybersecurity Ventures predicts that the global annual cost of ransomware damage will top $11.5 billion in 2019, up from an estimated $8 billion in 2018.

Moreover, every company is a target. Ransomware can strike a company of any size in any industry. The most vulnerable, however, are smaller businesses, which typically lack both the budget to invest in cyber defenses and an IT department that monitors security controls regularly.

Many businesses also lack the financial means to pay a large ransom. In some cases cyber criminals demand modest sums, hundreds of dollars rather than tens of thousands, and businesses are inclined to simply pay and hope they can get back up and running. Demands are now climbing quickly, though, and ransoms of hundreds of thousands of dollars are more and more common.

Should Your Company Pay the Ransom?

That depends. Typically, companies that have current, intact backups may not need to pay. If the threat is that your company cannot conduct business because it cannot access its files, paying makes little sense when those files can be restored from backup. That assumes the backups were kept out of the attackers' reach and that you have actually tested restoring from them; a backup that has never been restored is an untested assumption, not a recovery plan.

However, many ransomware attackers deliberately go after backups. Before triggering the encryption they look for backup servers, network shares and cloud backup consoles reachable with the credentials they have stolen, and they encrypt or delete what they find, so the main systems and the backups are locked together.

In that case, paying the ransom may be the only option. Yet your company should not go it alone. Victims can negotiate both the amount and the deadline; an extension is often possible, for example, when the demand lands while the office is closed or over a holiday.

It’s Not Just Ransom

Whether or not your company pays a ransom, regaining access to your systems does not end the incident. Unless you know the attackers have been evicted, meaning their entry point has been closed and their tools, accounts and persistence mechanisms removed rather than just the encryption undone, you cannot be certain they won't return with another demand.

Also, a compromise of your systems must be treated as a compromise of your data. Information on employees, customers and vendors, along with financial records, may have been exposed or, worse, stolen. In many cases paying the ransom is not the end.

For example, a client, a municipality, received a ransom demand after thieves locked its systems. The demand was for $300. The municipality paid, regained control of its systems and assumed all was well. Problem solved.

Except the problem wasn’t solved. The client’s systems were still infected. A forensics investigation found numerous instances of data compromise affecting most of the residents in the community, and the municipality was then required to notify every affected person of the breach.

Even if your company is able to pay the ransom and get back up and running, you still have an obligation to ensure that affected parties are notified in a timely manner, that your systems are actually secure and that your data is no longer exposed.

Responding to a Ransom Demand

So when a ransom demand is made, the first call should be to your insurance carrier. Have a conversation to determine the level of risk your company faces and gain a complete understanding of your coverage. A top carrier will help you navigate this extremely stressful situation professionally and cost-effectively, beginning by putting you in contact with a capable attorney who can explain the legal ramifications, your obligations and the next steps.

Your attorney will engage a forensics firm to conduct a thorough investigation of your systems. The firm will determine the extent of the compromise, what data was exposed and whether the decryption key the attackers promise will actually work; a common check is to have the attackers decrypt a few sample files before any payment is made. In the event you do have to pay, forensics firms often handle the bitcoin payment as well.

Dealing with a ransom demand alone is not an option. Few companies have the mechanisms or the experience to negotiate with attackers, make bitcoin payments or even communicate with the thieves. Risk management should always bring in ransomware experts and legal counsel, no matter how small the ransom may be.

Preventing Future Attacks

Before a ransom attack, there is much that risk managers can do. A must-have item: cyber insurance. Cyber insurance products offer two benefits: monetary relief and a team of crisis response experts. The real value in a ransomware policy is in the services provided. Navigating the situation effectively while reducing the damage takes expertise.

Risk managers should also work with IT to build a layered prevention program: educating employees on phishing and other social engineering ploys, and keeping backups that are tested regularly and stored where a compromised account on the production network cannot reach them.

Risk management can serve as the catalyst for creating a company-wide focus on ransomware prevention. By working with everyone along the chain of command, risk managers can involve every employee in ensuring that the potential for ransomware attacks is reduced and that a clear response plan is in place.

4 Companies That Rocked It by Treating Injured Workers as Equals, Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.


That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. uses motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.


Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven figures in 2009, have been virtually cut in half.

Risk &amp; Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]