Over the past few months, the news has been filled with reports of cyberattacks, ransomware attacks, and infrastructure concerns for businesses and consumers.
During an interview with Yahoo Finance Live, the former CEO of Cisco Systems, John Chambers, said that he expected US companies to experience over 65,000 ransomware attacks this year – and he said that was conservative. He estimated that the number of ransomware attacks in 2021 could be as high as 100,000, with companies experiencing an average cost of $170,000. In some of the larger attacks, such as Colonial Pipeline and JBS, the costs are much larger. Colonial and JBS paid a combined $15 million in ransom, and even though the DOJ later recovered $2.3 million in cryptocurrency, the amount of ransom is astronomical, and the impacts are far reaching. At the World Economic Forum in 2015 Chambers said there are two types of companies – those that have been hacked and those that don’t know they’ve been hacked.
How big is the problem?
The ransomware impact is projected to reach $20 billion in 2021, and small to middle size business are at significant risk. Typically, smaller businesses have fewer security measures in place and, as a result, the companies are easier, profitable targets.
For many businesses the ransomware attack begins when someone clicks on a phishing email or downloads an email attachment. The perpetrators of these attacks are becoming more and more creative. In the past two weeks, I have received emails that are supposedly from the IRS, from a company network server, from a company telephone system, from Microsoft Outlook, from Apple, and from other companies with important sounding names, all with files attached asking to click and download. These examples are important – they drive home the amount of diligence each employee needs to maintain to keep a company’s records safe and secure.
If an attachment is clicked on, ransomware could result in being locked out of devices, or users’ data could be encrypted. The ransomware perpetrator demands receipt of funds, typically in cryptocurrency, to unlock devices or remove encryption.
Small businesses are estimated to be the targets of 71% of ransomware attacks, with higher risk in finance, healthcare, and online retail industries. A survey of senior executives showed that seven out of ten businesses hit by cyberattacks paid a ransom to recover their data. The National Cyber Security Alliance estimated that 60% of small businesses fail within six months of an attack. And, for companies that do survive, Cybereason, a Boston-based cybersecurity firm, estimates that 80% of victims are hit a second time.
How does a business protect itself and reduce or minimize its risk? And how do stakeholders, such as lenders or investors, evaluate a company’s risk?
Risk Management
Risk management is key when considering the potential of a cyberattack. No system is completely fool proof, but the management of a company needs to evaluate risk and consider the cost / benefit impacts of cyberattacks. To discuss risk management, the following components of a cyber security plan should be discussed:
Company IT Security Policy
Disaster Recovery Plan
Development
Testing
Back Up of Systems
Insurance
It will be impossible to completely reduce the risk of cyberattacks, but a combination of policy, recovery planning, backups, and insurance can serve to reduce the financial and operating risk for a company. The cost of a cyberattack goes well beyond the ransom that is paid. Current and future business can be negatively impacted.
Company IT Security Policy
This policy identifies the rules and procedures for all individuals accessing and using a company’s IT assets and resources. For example, this policy includes BYOD (Bring Your Own Device) policies, and password reset policies, among many other items.
An IT security policy typically includes:
The purpose of the policy, which is to create an overall approach to information security.
The audience to which the policy applies.
Policy objectives such as confidentiality, integrity, and availability of needed systems.
The authority and access control policy, which identifies the senior manager in charge of who has access to data and how they are able to share and use the data, and the network security policy for passwords, biometrics, ID cards, tokens, etc.
Classification of data into categories such as top secret, secret, confidential and public.
Data protection regulations, data backup practices, and movement of data protocols, such as encryption.
Training requirements for employees, which should include at least social engineering (such as phishing emails) training, clean desk policies, and acceptable internet usage policies.
Responsibility of company personnel to provide policy reviews, education, update requirements, implementation plans.
The policy would provide guidelines for:
Timing and frequency of antivirus scans for computers and other devices.
Firewall requirements.
Employee training, especially related to phishing techniques.
Email filters.
Operating system upgrades and security patches.
Two factor authentication.
Disaster Recovery Plans
A disaster recovery (“DR”) plan contains detailed instructions for responding to natural disasters, power outages, telephone system outages, loss of access to facilities due to weather or fire, cyberattacks, and other disruptive events.
This DR plan needs to be developed and then tested. Many companies conduct regular disaster testing to ensure the plans are well developed and frequently stressed.
Industry statistics show cyberattacks may be undetected for over 200 days, allowing the attackers to hide in a network and plant malware that works its way into backup information sets as well as the active data systems. This means not only are the active data systems impacted, but also the backup systems are at risk.
Backup of Systems
The purpose of a system backup is to provide a means to restore a computer system in the event of a hardware or software failure, a physical disaster, or human error. This process may consist of a full backup, incremental backups or a combination of the two depending on the information and the systems.
Backup processes may be onsite, offsite, or cloud based. And these processes should be tested to ensure the ability to restore the company’s systems for a comprehensive recovery of data to run the company. An untested backup process cannot be relied on. In an emergency or stressed situation, the recovery process is aided by people who have had to perform the recovery from backup first in a test or practice environment.
If a company has multiple computer systems, perhaps one for general ledger processing, one for inventory management, and one for maintenance and repairs tracking, the backup of each of these systems must be developed and tested.
Insurance
While cyber insurance policies are in their infancy from the perspective of standardizing coverage and the ability of insurers to meet customer needs, the cyber insurance marketplace is certainly expanding, and more and more companies need to consider coverage to meet new and changing threats.
When evaluating cyber insurance coverage, these are some areas to consider:
Data loss, data recovery and data recreation.
Responsibility for lost or stolen customer information.
Business interruption / loss of revenue.
Loss of funds – wire fraud, ACH fraud, social engineering attacks.
Computer fraud.
Extortion / ransoms, including negotiation.
It is important to consider all the insurances a company carries. Director and officer insurance, business interruption insurance, errors and omissions coverage, and other policies may sound like they cover parts of the cyber insurance needs, but they are not sufficient when considering proper cyber coverage risk management.
For example, if hackers expose or steal personal information of customers and other business partners, a cyber liability insurance policy would pay for:
Notification costs. These costs include identifying potential victims, an internal investigation, and notification that meets the need to provide reasonable notice to potentially impacted parties.
Credit monitoring for victims. This monitoring will need to meet regulatory requirements.
Civil damages. Victim liability lawsuits are typically class action suits that are actively pursued by class action lawyers.
Computer forensics. The cost of IT consultants who will work with counsel to determine whether a breach occurred, develop methods to contain and prevent further damage, and investigation of the cause and scope of the breach.
Reputational damages. The cost of negative PR resulting from a data breach or cyberattack can be significant. Experts could be hired to help mitigate the impacts.
Policies may also provide resources to design appropriate programs to protect against future attacks but will not normally cover ongoing design and implementation of cybersecurity policies.
Note that typically intellectual property theft will need to be covered by a specific intellectual property insurance policy. And lost future profits are also not covered under cyber insurance.
Social engineering attacks are attacks that rely on psychological manipulation to gain access to sensitive information or company funds. These are situations where individuals follow instructions from fraudulent emails or calls, and these may not be covered under a typical cyber policy and could require a specific special policy for social engineering.
Be aware that most coverages do not cover acts of war, which could be an attack by an agent of a foreign power.
In Summary
Recent cyberattacks have underscored the need for all business stakeholders to evaluate risk management related to IT systems and procedures, disaster recovery plans, backup plans, and insurance coverages. Evaluation of a company’s approach to IT risk management is as important as evaluation of a company’s financial performance, because without a well-developed IT risk management strategy a company’s financial performance can be brought to its knees.
All sizes of companies and types of companies are at risk. Consider these examples:
A December 2020 attack by REvil targeted sensitive and intimate photos from a cosmetic surgery clinic.
The July 2, 2021 cyberattack by REvil on Kaseya had a trickle-down impact on at least 1,500 businesses, including restaurants and accounting firms that used Kaseya products.
A medical practice in Miramar, FL was hacked, and its patients received ransom demands threatening release of private medical data.
The small town of Colonie, NY was hacked and received a demand for $400,000 in cryptocurrency to unlock the computer system.
A synagogue in New Jersey was attacked and received a ransom demand of $500,000.
The Grubman Shire Meiselas & Sacks NYC law firm was hacked in May 2020 by REvil, with those hackers threatening to expose 1 TB of private celebrity data unless a cryptocurrency ransom was paid.
Every size business and every type of business is at risk for a cyberattack. Careful planning and testing are critical to survival, as is appropriate insurance coverage. Stakeholders need to add cybersecurity risk management checklists to their ever-lengthening list of risks to be concerned about.