Cyber incidents against companies have roared back after a slowdown last year, but one thing that’s different is fewer companies are paying ransoms. Organizations have learned the importance of having multiple system backups that are separate from their network, Matt Ross of insurance brokerage Marsh McLennan said in a webcast.
“You’re able to restore your system faster,” said Ross, national cyber claim leader at the brokerage.
That puts your company in a better position to negotiate with threat actors because you know you can be up and running again, he said. “You can negotiate at the same time” you’re working to restore your system.
“Take your time, as long as you’re not completely down,” Ross said.
A trend has emerged – still small, but it could grow – in which some states and local governments have passed laws prohibiting entities that receive public funds from negotiating with and paying ransom to threat actors. The impact of the laws – Florida and North Carolina are two states that have them – is mostly on public entities like school districts and public hospitals, but they could impact private companies to the extent they receive public funds.
“It could put some companies out of business,” said Ross. “You can’t have that, either.”
The extent to which the trend grows will depend in part on the impact these early laws have. “If [those jurisdictions] can prove that it costs less at the end of the day, rather than pay criminals, then we may see more of it,” he said.
Ross dispelled the idea that companies don’t need to report an incident if they’re able to keep the data out of the hands of threat actors by suppressing or deleting it. They still need to report based on the number of people whose data was involved.
“If the information has been accessed … often there is going to be a notification obligation,” he said. “The plaintiffs bar is very aggressive in looking for entities they can try to sue.”
These attorney-driven third-party privacy lawsuits are increasing, especially in the healthcare space, he said.
“The Office of Civil Rights in [the Department of] Health and Human Services has what’s colloquially called a wall of shame,” he said. “So, any time an entity has to notify 500 individuals or more, that gets published and attorneys are just kind of hanging out at that website and waiting to find a named class member that they can [use to] file a suit.”
For the most part, companies have come to understand they’re vulnerable to cyber incidents no matter how small they are or what industry they’re in, Ross said.
“I had a claim earlier this year [involving a small company] and it was the first time I had dealt with a double extortion,” he said.
In the case, the company had negotiated a payment only to have the threat actor ask for more money after agreeing to an earlier amount.
“The threat actors moved the goal post and asked for a couple hundred thousand dollars more,” he said. “I’ve never seen that in all my years. Usually the threat actors are good on their word for the most part.”
The act of bad faith might stem from a shift in who’s getting into the criminal enterprise. Ross said he’s seen more amateur criminal organizations get involved by accessing hacking tools from so-called ransomware as a service entities, enabling these less professional organizations to breach company systems.
“With that sort of amateurism there comes unreliability and unpredictability in negotiations and whether you’re going to get a decryption key that actually works,” he said.
In response to the increase in attacks, companies that in the past might have balked at cyber insurance are starting to consider it. “We’re seeing more companies enjoy the benefit of the risk transfer position a cyber policy offers,” he said.
When you’re doing your due diligence on coverage, he said, it helps to work with a broker that’s part of a network that can provide legal, compliance, forensic and other types of support in the event of an incident. That way the company can respond based on industry best practices, lowering the breach cost but also better protecting the company from future incidents.
“Don’t try to do any of this on your own,” he said. “Get the third-party professionals engaged on your behalf for attorney-client privileges, [using] your deductible properly and [providing appropriate] pre-notice. Sometimes carriers are cutting [payment] off if they aren’t in the loop. Cyber specialists have been doing this at a high volume and pace the past 5-6 years and they’re here to help you. If they’re helping you, it won’t hurt as badly.”