Held to ransom: how can risk managers prepare for cyber extortion?

In the world of cyber risk, 2017 will be remembered as the year that global ransomware attacks burst onto the scene, causing companies significant economic damage and disruption. The two biggest attacks – WannaCry in May and Petya in June – infected hundreds of thousands of PCs worldwide and caused estimated losses of billions of dollars. High profile victims included Maersk, FedEx, Renault and Merck. In a worrying escalation of the impact of cyber warfare, one company cut its full year sales forecast following disruption to its manufacturing and distribution operations, and another has warned of a three percentage point drop in sales growth because of disruptions to shipping and invoices.

Analysis of the cyber claims we received between 2013-2016 showed that cyber extortion and ransomware is one of the fastest growing sources of cyber loss for companies of all sizes, with 16% of claims coming from encryption ransomware extortion and another 4% relating to other cyber extortions. We expect this number to rise considerably over the next couple of years as more European businesses buy cyber policies and the number of ransomware attacks increases.

This is a crime that is predicted to keep on growing. It’s a lucrative trade for hackers, enabled by cryptocurrencies such as bitcoin which allow them to remain anonymous. A recent IBM report found that ransomware emails spiked by 6,000% in 2016, with businesses being increasingly targeted rather than individuals. These attacks are often underreported, though, because businesses fear damage to their corporate reputation.

Whilst neither of these events has led to significant insured losses, the potential business interruption costs dwarf those of the ransoms demanded, and have focused risk managers’ attention on their business continuity plans. Production, operations and supply chains have all been shown to be at risk.

Here we look at some of the steps companies can take to reduce their exposure to cyber extortion events, or to lessen their impact if they do occur. Most of them will be seen as the IT department’s responsibility, but many argue that the seriousness of the threat demands an enterprise-wide response.

  • Regularly back up your computer files to a source offsite and offline. Once the files on an infected PC become encrypted, you can either pay the ransom to have the files restored or restore them from your backups. If you’re relying on the backups, they should be tested regularly to make sure they have been archived correctly and can actually be restored.
  • Make sure you know which software is installed on your computers and that you install the latest updates. Attacks typically target companies with older operating systems that aren’t up to date with the latest security patches. Microsoft had issued a security patch in March which would have prevented devices becoming infected with the WannaCry malware, but many users couldn’t or didn’t install it. Some insurers have a ‘failure to patch’ exclusion, so a claim could be void if an available patch hadn’t been installed.
  • How much business interruption cover will you need? Hackers typically strike when it will hit companies hardest, such as just before busy holiday weekends. BI limits should reflect the worst-case scenario for lost sales, increased cost of working, mitigation expenses and how long it will take you to recover. Although BI currently accounts for just 4% of AIG’s EMEA cyber claims, we expect this to increase in frequency and severity in the future.
  • Be ready to respond. If you decide to pay the relatively small ransom then you need to have a supply of bitcoins and know how to make the payment. Bitcoin exchanges allow you to buy bitcoins in exchange for other currencies. Some cyber policies do cover ransom payments but the insurer needs to be informed before any payment is made. With others, paying the ransom could void the policy.
  • Invest in cyber training for employees. Most ransomware attacks rely on employees clicking on links or opening malicious attachments in spam emails. Make sure everyone knows not to open emails from sources they don’t recognise and what they should do with these suspicious emails. Some companies are even considering blocking internet access for employees on their PCs to prevent malware being downloaded at all.
  • Conduct an annual penetration test and regular vulnerability assessments. This will help build your IT resilience, but it also allows you to improve your breach response and business continuity plans, potentially reducing the size of any future cyber BI claims. Some cyber policies, such as AIG’s CyberEdge, include loss prevention services which test the vulnerability of your current IT infrastructure.
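The first step above, testing that backups have been archived correctly, is the one most often skipped until the day a restore is needed. The script below is an added example, not part of the original article or any AIG service: at backup time it writes a manifest of SHA-256 digests for every file in the backup set, and at drill time it recomputes the digests and reports files that are intact, altered, missing or unexpected. The manifest file name, directory layout and sample file contents are all constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: integrity manifest for a backup set (assumed name, not from the article).
# Keep a copy of the manifest offline and separate from the backup media; if an attacker
# can encrypt the backup they could otherwise rewrite the manifest to match.
MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_files(backup_dir: Path) -> dict:
    """Map relative POSIX path -> absolute Path for every regular file except the manifest."""
    return {
        p.relative_to(backup_dir).as_posix(): p
        for p in backup_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_dir: Path) -> dict:
    """Run at backup time: record a digest for each file and store the manifest."""
    manifest = {rel: sha256_of(p) for rel, p in sorted(backup_files(backup_dir).items())}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path) -> dict:
    """Run at restore-drill time: compare current contents against the recorded manifest.

    An encrypted backup shows up as every file 'corrupt' (or 'missing' if renamed),
    which is exactly the condition you want to learn about before you depend on it.
    """
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    present = backup_files(backup_dir)
    result = {"ok": [], "corrupt": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_of(present[rel]) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(present) - set(manifest))
    return result


def demo() -> dict:
    """Build a constructed backup set, damage one copy, delete another, and run the check."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    (root / "finance").mkdir()
    (root / "finance" / "ledger.csv").write_bytes(b"2017-06-27,invoice,1200\n")  # constructed
    (root / "hr.db").write_bytes(b"\x00" * 512)                                # constructed
    write_manifest(root)
    # Simulate silent corruption (or tampering) of one file and loss of another.
    (root / "hr.db").write_bytes(b"\x00" * 511 + b"\x01")
    (root / "finance" / "ledger.csv").unlink()
    return verify_backup(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice `write_manifest` runs as the final step of each backup job and `verify_backup` is scheduled against the offline copy, with a non-empty `corrupt` or `missing` list raising an alert; a periodic full restore into an isolated environment remains the only complete test that the data can actually be brought back.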

There will be cyber insurance experts on our stand at the FERMA Risk Management Forum in Monte Carlo who will be happy to discuss the CyberEdge cover modules and how the cover responds to cyber extortion events.