02 April 2024

Ransomware attacks: why businesses need a crisis management plan

Written By Carlo Ramadoro in Cyber Security

Ransomware attacks: why businesses need a crisis management plan

Ransomware attacks – in which hackers attempt to seize control of, and withhold access to, a target’s operational or personal data until a fee is paid – are a growing threat to businesses. To mitigate against this threat, it’s vital that firms have a crisis management plan in place to be executed in the event of an attack, and to limit the extent of any damage.

Ransomware – a major cyber security threat

Ransomware continues to represent a major cyber security threat to businesses. According to IBM’s 2023 Cost of a Data Breach Report(opens a new window), the global average cost of a ransomware attack was US $5.13 million, an increase of 13% compared to 2022. Ransomware attacks accounted for almost a quarter (24%) of all cyber security breaches against businesses.

Analysing the Lockton London Cyber portfolio provides further evidence of the threat facing businesses. Among the last 10 ransomware claims observed, the largest incurred was approximately USD 53m. Others included a USD 17m claim involving a large retailer, and a USD 6m claim affecting a healthcare organisation. On all three cases above the ransom payment constituted approximately 25% of the actual incurred cost. Energy providers and financial institutions were also among the most recent claims, indicative of the wide variety of businesses targeted by cyber criminals.

Victims of a ransomware attack may, or may not, decide to pay a ransom(opens a new window). Strategy here is likely to depend on factors including the extent of the attack, feasibility of continuing business operations, the size of the ransom demand, and access to cyber insurance/crisis response support.

Before any decision to pay an attacker, firms should obtain legal advice from breach counsel, who would also advise them whether to notify to law enforcement. Firms should also seek technical advice from ransomware negotiators, who specialize in handling ransomware events on behalf of clients. Their services include: engagement with the threat actor to verify that they are “credible” criminals; verification of proof that threat actors have access to what they claim they have; negotiation of the ransom itself (typically around 20%); and facilitation of the ransom payment if the firm decides to pay. They keep a record of all communication with the threat actor should the client require it as evidence.

If firms have cyber policies, they should notify their insurers and obtain their written consent to pay the ransom, provided they require insurance coverage for it.

Creating a crisis management plan

Given the devastating impact of ransomware, it is essential that firms establish a comprehensive crisis management plan to be executed in the event of an attack. This typically includes:

Preventative controls – e.g. adopting the relevant hardware and software solutions; conducting risk assessments; creating data backups; training employees to understand ransomware risks and identify potential attacks

Detective controls – e.g. determining affected systems and isolating them from the remainder of the network; taking the network offline; informing staff of the attack and actions to contain further spread; informing relevant clients, business partners and other relevant stakeholders of an attack; capturing volatile memory contents from affected devices to help determine the sequence of events leading to the attack

Corrective controls – e.g. alerting key partners to assist with strategy and ransom negotiation; reporting the attack to relevant parties, including insurance partners and law enforcement; deploying decryption tools where necessary; wiping and rebuilding systems, including resetting passwords and checking backups are uninfected

To be most effective, any crisis management plan should be stress-tested through simulated-incident and table-top exercises.

Cyber insurance protection

While a crisis management plan can reduce the likelihood and severity of any ransomware attack, it cannot offer complete protection. To provide themselves with an additional layer of security, firms may consider taking out cyber insurance.

Cyber policies can include:

Pre-incident support – including access to cyber security expertise and threat intelligence services, IT vulnerability assessments, staff training on cyber security, and help with password management

Security and privacy breach costs – including costs of notifying customers of a cyber breach, handling enquiries, public relations advice, IT forensic costs, and claims of infringement of privacy and associated legal costs

Post-incident support – including systems assessments, identifying the source of any breach, advice on legal and regulatory requirements, and data landscaping and restoration

Business interruption – including cover for loss of income during the period of interruption, including if this is caused by increased costs of conducting business in the aftermath of the incident

Cyber extortion – including reimbursement of the ransom amount demanded by the attacker, as well as any consultant’s fees to oversee the negotiation and transfer of funds to solve the ransom request

Damage to digital assets – including loss, corruption, or alteration of data, as well as the misuse of computer programmes and systems

Zero deductibles via cyber extortion consultancy

As a complement to cyber insurance, Lockton London has recently introduced coverage for cyber extortion response through kidnap & ransom (K&R) insurance – a bespoke solution tailored to the requirements of cyber extortion scenarios. With this addition, clients with a K&R policy can benefit from coverage for response consultants’ fees, up to USD 1m.

This extension unlocks immediate access to a specialised response consultant who delivers invaluable advice on crisis management and helps resolve the highly pressured situation of cyber extortion. It can be purchased to coordinate with a cyber policy, and infill the deductible for ransom negotiation response fees on a cyber programme.

Key features of cyber extortion consultancy through kidnap & ransom cover:

Up to USD 1m limit for response consultant’s fees and expenses, including access to threat actor analysis, containment advice, ransomware negotiation advice, and financial strategy planning

Cost-effective primary cover with zero deductibles

Coverage can be used to infill deductibles on existing cyber policies

It should be noted that unlike traditional cyber coverage, cyber extortion consultancy does not cover the cost of paying the ransom itself. More information about cyber extortion consultancy can be found here.

For further information, please visit Lockton’s Cyber(opens a new window) page, or contact:

Carlo Ramadoro, Broker, Cyber and Technology

E: carlo.ramodoro@lockton.com

Bob Williams, Vice President | FinTech, Digital Assets & Blockchain Advisory

E: bob.williams@lockton.com

Up Next ...
15 November 2024

UK Fintech at the Core of Financial Services Strategy

This includes a digital market for private shares, a digital bond initiative, and enhanced anti-fraud measures across sectors

15 November 2024

US Presidential Election: Impact on US Fintech

Trump’s financial policy direction emphasizes loosening restrictions to foster fintech growth while protecting critical infrastructure

15 November 2024

Gate City Bank Adopts Alkami's Digital Banking Suite

Alkami’s comprehensive digital banking solutions aims to elevate customer experience and operational efficiency.

14 November 2024

EXA Infrastructure launches EXA Financial Network, the largest Infrastructure platform for Financial Exchanges across North America and Europe.

EXA Financial Network enables real-time access to market data, fast order execution, price discovery, and market liquidity.

More in Cyber Security

SafeBase secures $33mn in Series B

02 May 2024

Revolutionising security reviews. In brief:SafeBase, a firm known for enabling friction-free security ...

Clarity secures $16mn in seed funding

16 February 2024

In order to combat Deepfakes with AI cybersecurity.In brief:- Specialising ...

Klarytee Raises £700K Pre-Seed Funding

05 December 2023

Klarytee, a London, UK-based provider of a software platform that ...

EU considers widening scope of cybersecurity regulation

27 November 2023

The EU is contemplating the need to widen scope of ...

White Papers Cyber Security

20 Best practice recommendations for improved cyber security protection

08 September 2021

P20 shared their new report on the 20 Best Practice Recommendations for Improved Cyber Security Prot...

Videos Cyber Security

COVID-19 - Anti-financial crime best practices

18 May 2021

How to Secure Online Bank UsersJoin experts from Tide, Fintrail and Jumio who will be sharing some i...

Articles Cyber Security

CyberSecurity in FinTech - How to Develop a Secure FinTech App

05 May 2021

Developing a secure FinTech application is a complicated, time-consuming, and, most importantly, exp...

Articles Cyber Security

Better by design? Re-thinking AML for a digital age

29 April 2021

We ask how the approach to AML can be improved: Can broader adoption of Artificial Intelligence and...

There are no Events in this category