Ransomware attacks – in which hackers attempt to seize control of, and withhold access to, a target’s operational or personal data until a fee is paid – are a growing threat to businesses. To mitigate against this threat, it’s vital that firms have a crisis management plan in place to be executed in the event of an attack, and to limit the extent of any damage.
Ransomware – a major cyber security threat
Ransomware continues to represent a major cyber security threat to businesses. According to IBM’s 2023 Cost of a Data Breach Report(opens a new window), the global average cost of a ransomware attack was US $5.13 million, an increase of 13% compared to 2022. Ransomware attacks accounted for almost a quarter (24%) of all cyber security breaches against businesses.
Analysing the Lockton London Cyber portfolio provides further evidence of the threat facing businesses. Among the last 10 ransomware claims observed, the largest incurred was approximately USD 53m. Others included a USD 17m claim involving a large retailer, and a USD 6m claim affecting a healthcare organisation. On all three cases above the ransom payment constituted approximately 25% of the actual incurred cost. Energy providers and financial institutions were also among the most recent claims, indicative of the wide variety of businesses targeted by cyber criminals.
Victims of a ransomware attack may, or may not, decide to pay a ransom(opens a new window). Strategy here is likely to depend on factors including the extent of the attack, feasibility of continuing business operations, the size of the ransom demand, and access to cyber insurance/crisis response support.
Before any decision to pay an attacker, firms should obtain legal advice from breach counsel, who would also advise them whether to notify to law enforcement. Firms should also seek technical advice from ransomware negotiators, who specialize in handling ransomware events on behalf of clients. Their services include: engagement with the threat actor to verify that they are “credible” criminals; verification of proof that threat actors have access to what they claim they have; negotiation of the ransom itself (typically around 20%); and facilitation of the ransom payment if the firm decides to pay. They keep a record of all communication with the threat actor should the client require it as evidence.
If firms have cyber policies, they should notify their insurers and obtain their written consent to pay the ransom, provided they require insurance coverage for it.
Creating a crisis management plan
Given the devastating impact of ransomware, it is essential that firms establish a comprehensive crisis management plan to be executed in the event of an attack. This typically includes:
Preventative controls – e.g. adopting the relevant hardware and software solutions; conducting risk assessments; creating data backups; training employees to understand ransomware risks and identify potential attacks
Detective controls – e.g. determining affected systems and isolating them from the remainder of the network; taking the network offline; informing staff of the attack and actions to contain further spread; informing relevant clients, business partners and other relevant stakeholders of an attack; capturing volatile memory contents from affected devices to help determine the sequence of events leading to the attack
Corrective controls – e.g. alerting key partners to assist with strategy and ransom negotiation; reporting the attack to relevant parties, including insurance partners and law enforcement; deploying decryption tools where necessary; wiping and rebuilding systems, including resetting passwords and checking backups are uninfected
To be most effective, any crisis management plan should be stress-tested through simulated-incident and table-top exercises.
Cyber insurance protection
While a crisis management plan can reduce the likelihood and severity of any ransomware attack, it cannot offer complete protection. To provide themselves with an additional layer of security, firms may consider taking out cyber insurance.
Cyber policies can include:
Pre-incident support – including access to cyber security expertise and threat intelligence services, IT vulnerability assessments, staff training on cyber security, and help with password management
Security and privacy breach costs – including costs of notifying customers of a cyber breach, handling enquiries, public relations advice, IT forensic costs, and claims of infringement of privacy and associated legal costs
Post-incident support – including systems assessments, identifying the source of any breach, advice on legal and regulatory requirements, and data landscaping and restoration
Business interruption – including cover for loss of income during the period of interruption, including if this is caused by increased costs of conducting business in the aftermath of the incident
Cyber extortion – including reimbursement of the ransom amount demanded by the attacker, as well as any consultant’s fees to oversee the negotiation and transfer of funds to solve the ransom request
Damage to digital assets – including loss, corruption, or alteration of data, as well as the misuse of computer programmes and systems
Zero deductibles via cyber extortion consultancy
As a complement to cyber insurance, Lockton London has recently introduced coverage for cyber extortion response through kidnap & ransom (K&R) insurance – a bespoke solution tailored to the requirements of cyber extortion scenarios. With this addition, clients with a K&R policy can benefit from coverage for response consultants’ fees, up to USD 1m.
This extension unlocks immediate access to a specialised response consultant who delivers invaluable advice on crisis management and helps resolve the highly pressured situation of cyber extortion. It can be purchased to coordinate with a cyber policy, and infill the deductible for ransom negotiation response fees on a cyber programme.
Key features of cyber extortion consultancy through kidnap & ransom cover:
Up to USD 1m limit for response consultant’s fees and expenses, including access to threat actor analysis, containment advice, ransomware negotiation advice, and financial strategy planning
Cost-effective primary cover with zero deductibles
Coverage can be used to infill deductibles on existing cyber policies
It should be noted that unlike traditional cyber coverage, cyber extortion consultancy does not cover the cost of paying the ransom itself. More information about cyber extortion consultancy can be found here.
For further information, please visit Lockton’s Cyber(opens a new window) page, or contact:
Carlo Ramadoro, Broker, Cyber and Technology
E: carlo.ramodoro@lockton.com
Bob Williams, Vice President | FinTech, Digital Assets & Blockchain Advisory
E: bob.williams@lockton.com
