News

Collecting on Ransomware Cyber Insurance: 'It Was Really Awful'

• By David Ramel
• 09/30/2021

So you dutifully signed up for ransomware cyber insurance, you were hit, you lost money and now you want recompensation from your insurer. Good luck.

Unsurprisingly, like all insurance companies, your vendor will do everything possible under the sun to find a way not to pay up. It's all in the "fine print," and insurers start up front, demanding that organizations follow specific practices regarding security, reporting and more. They require your systems be audited and pass every last metric. If something changes in your IT environment and you are then found to be out of compliance after an attack, well ....

But it's not all bad.

"The good news is, most cyber insurance policy vendors that I've worked with have actually paid out in the event that it needs to happen," says Dave Kawula, managing principal consultant at TriCon Elite Consulting. He was speaking to an audience of hundreds who attended last week's three-part, half-day online summit titled "Best Practices for Cloud Storage, Backup & Recovery," presented by Virtualization & Cloud Review and RedmondMag.com.

He was presenting with John O'Neill Sr., chief technologist, AWS Solutions, who has worked with Kawula on ransomware cases. Presenting as a team, they shared their expert knowledge about a host of subjects, but it's ransomware that's top-of-mind right now for many enterprises hoping to survive the current deluge of attacks, hoping not to become a victim held hostage until they pay up to get their business working again.

"There is a whole process for this," Kawula continued after stating that most insurers do pay out. "I'm not gonna lie, it's not really pretty. I could say it was really awful, because cyber insurance vendors are so hammered with claims that it's taking a long time for them to react. But typically, they'll have their own SecOps, security operations teams and cyber threat analysis experts that will come in and help your organization."

Noting that some insurers require organizations to employ security practices like using multi-factor authentication (MFA) and pass those aforementioned cyber audits, he asked O'Neill Sr. if he had come across such requirements.

He had, making three main points:

The NIST 800 Series
This is a set of U.S. federal government policies, procedures and guidelines for computer security. "If you're not familiar with the NIST 800 series policies, get familiar because a lot of cyber insurance carriers are doing reviews that are thoroughly based on those standards and recommendations," O'Neill Sr. said. "So get familiar with them, and not just the 800-53, but the newer 100, 200 series documents."

Spreading the Risk
"The second thing is ... cybersecurity insurance is all based on carriers' ability to spread risk. Okay, it's kind of like hurricane insurance, that sort of thing. No individual insurance company can absorb the risk of a large-scale event like that. They can take something that is spread over so many organizations, so many companies, they just couldn't pay all those claims. So they spread that risk. And for them to do that, and get those those underwriters and other companies that buy in and things like that, of course, they have to mitigate their risk. And they do that by asking more and more pointed questions, and making you evaluate. And I cannot recommend to you enough, don't just give lip service to your answers. Because Dave, as you mentioned, when an event occurs, and you have to have that conversation, and you're thinking, 'Okay, well, our cyber insurance carrier is going to come in, they're gonna help us offset some of these costs,' they are going to look at every answer you gave them with a fine-tooth comb. And if anything was inaccurate, you're going to get denied, end of story.

"So if you tell them that, yeah, we have multi-factor authentication in place, and they come in and they find out that really, you only have multi-factor authentication for your IT group -- you haven't implemented it across the rest of your organization -- well, that's the basis for them to deny you. If you tell them that you haven't implemented things like Android devices on your network, and they come in and they find -- and I use the example in the previous session, which is why I bring it up -- they find out that you have some time clocks, or what's very common right now are those COVID scanners that do temperature scans when you walk in and out, and a lot of them are Android based and you plug them into your network. Well, now that goes against an attestation you made and it is basis for denial. Even though your current incident could have nothing to do with those things, understand they have the right to look at all of them and make a decision on paying out a claim for them."

The Deductible
"The other thing that I'm going to throw up about insurance is, be very particular as you look at these. The carriers, again to mitigate risk, are increasing the deductible way up there. So if you think that they're going to absorb the cost of paying that ransom, or you being down for six weeks or anything else in its entirety, you're probably going to be disappointed. In fact, most of them, you're absorbing the first million dollars' worth of risk sometimes just to have that, so you know, pay attention to this stuff."

To that list, Kawula added two points:

• Prepayments: Kawula and O'Neill Sr. have had experience with this. Kawula noted that in a recent case, the victimized organization had to pay $55,000 per server, pre-paid by the organization. "So I really hope that you've got a slush fund that's kicking around, because I don't know very many banks that are gonna lend you money to go pay off threat actors."
• Reimbursement: "So that's number one. And number two, it's on kind of a reimbursement basis." So cash is needed up front even if an organization does receive a claim reimbursement.

Along with MFA, Kawula said cyber insurance vendors often ask clients to install advanced persistent threat protection on systems so investigators can find the command-and-control servers and shut them down, isolating them at a network level to protect infrastructure. "No recoveries will take place until you can actually figure out what is going on where root cause came from, because it is absolutely pointless to recover an environment while you still have an active attack taking place."

Another sticky point can be outdated, perhaps forgotten systems. To illustrate that, O'Neill Sr. used the Android time clock example mentioned above.

"So recently, we found some employee clocks ... used to punch in and out and record the date of the day. Of course, they're built on an Android operating system, they were plugged into the network, and nobody has been paying attention to patching that OS or doing anything with it. So you have Android, which is one of the most targeted operating systems out there statistically, by malware, right? And it's implemented, it's fully connected to your network. Okay, it's on the same VLAN in this case that the servers live on. So your production ERP system, your counting system, your HR system, your your quality system, and nobody is paying attention to it, nobody is keeping up to with applying security updates, or any of those kinds of things.

"You know, it's bad when you're the victim of a malware event. It's worse when you're the victim of a malware event that compromised a system using a breach that was patched by the vendor months and months and months before. I can tell you as an IT professional, that's one of the hardest ones to explain to your bosses, right? How did you, as the paid IT resource, the paid IT professional, manage to leave the back door open so long that eventually somebody found it and took advantage of it?"

A question certainly to be avoided. Which you can help do by watching the above summit on-demand and attending upcoming live summits focused on security, which can be found here. New ones coming up live in the next month include:

• AWS Cloud Security Summit -- Oct. 6
• Cloud Data Attacks & Prevention Summit -- Oct. 8
• Microsoft 365 Security, Backup & Recovery Summit -- Oct. 14
• Hybrid Coud/Multicloud Security Summit -- Oct. 29
• Cloud Data Protection for 2022 Summit -- Nov. 2.