CFC’s Nelson: to pay or not to pay ransomware demands?

Continuing our interview, Lindsey Nelson, Cyber Development Leader at CFC Underwriting, talks to Emerging Risks about paying ransom demands and the role that brokers can play in addressing cyber risk.

It has been reported that some companies have paid the ransom demands, yet the US Energy Secretary has urged companies not to do this. What would be your advice?

A critical part of what cyber insurers provide policyholders is the ability for them to make an informed decision when the worst happens. Ultimately it is the insured’s decision as to whether they should pay or not pay a ransom demand, and while everyone seeks to avoid the payment at all costs under the notion that it is potentially rewarding criminals, realistically it’s not always a possibility and determines a case-by-case approach with expert assistance, as there can be significant implications if the decision is made without appropriate due diligence.

That becomes all the more apparent when a business is faced with the amount of considerations they have to make before deciding whether to pay a ransom or not: do they need to inform law enforcement? What is the estimated recovery time of getting data back if they don’t? How do they source cryptocurrency? Can they recover from back-ups?

Critically, there are existing legal implications and global sanctions laws that exist, and as of today several major criminal groups behind some of the largest ransomware variants are all on sanctions lists, with both civil and criminal penalties for payment to them. So, while historically many businesses have been focused on avoiding a violation of privacy laws, we see this as a much bigger regulatory concern, especially as ransomware attacks largely outstrip privacy incidents.

It’s been our experience that most companies, particularly small businesses where they don’t necessarily have the IT expertise in-house, will in fact pay the ransom demand without the assistance of an incident response team provided by their insurer. Equally, the restoration and system rebuild costs to return to a position of indemnity following an incident are several multiples longer than those who have appropriate guidance from a team of security experts.

Brokers equally play a critical role in not only helping companies understand the benefits of the services that are provided with a cyber insurance policy, but also with respect to policy and limit management. Conversations around what extortion limit is appropriate relative to a company’s net profits are necessary to have, to ensure they aren’t purchasing a limit that’s larger than what would have been their ability to pay a ransom demand without the scope of insurance – and to their benefit, ensures that they have limit available under their policy for the often more costly elements of a cyber claim around forensics, incident response and system rebuild costs following an event.

What role can specialists such as yourself play when it comes to tackling cyber-crime? Is there a need for greater co-operation across the market to tackle this issue, e.g. sharing of data so that a better understanding can be gained of the risks?

The cyber insurance market has played a vital role over the years in helping tackle cyber crime, and with the amount of limits exposed they have the most motivation to get ahead of the criminals before their clients are faced with a cyber event. One of the latest developments has been cyber insurers’ participation in the Ransomware Taskforce (RTF), which is a union of government, software, cyber security vendors and academic institutions around the world, including CFC – where the ultimate aim is to tackle the global ransomware threat and by doing so encourage better global transparency between firms.

The cyber market is also going through a lot of change at the moment, and it’s clearer than ever that insurers will struggle to compete if they don’t have a fully integrated suite of risk management services built into their product.

The cyber markets who have made significant investments into their incident response and risk management infrastructure are the ones who are really taking action to notify clients of vulnerabilities before they even know to file a claim.

Companies like CFC have a Cyber Threat Analysis team who do just that, by providing a continuous monitoring service for policyholders scanning for external vulnerabilities, and informing clients where we have detected a match or compromise – leading to our whole philosophy that a business will be less of a risk as a cyber policyholder than they will be uninsured. We believe that this function truly represents the future of insurance, and we’ve now got countless examples of clients that we’ve identified as being compromised, reached out to and remediated, all before they’ve even realised they needed to file a claim.

Lindsey Nelson, CFC Underwriting