Ransomware: To pay or not to pay remains an open question

Ransomware has become big international business and a major headache for companies of all shapes and sizes. Risk and insurance managers are increasingly working with colleagues from IT, legal, HR and other areas to try and work out how to prevent the attacks, deal with them and transfer the risk. To investigate the best approach to this rising risk, JLT Specialty and Commercial Risk Europe gathered a group of risk managers, security managers and cyber experts. Adrian Ladbury hosted the discussion and reports on the key findings. It is legal in most countries around the world to pay ransomware demands. So the core decision is commercial. Is the price of the ‘deal’ worth it to retrieve the data? Is it really worth paying an outrageous fortune for the return on offer? But there are potential complications that need to be carefully evaluated with the support of experts, including whether such payments could contravene international regulations on money laundering and terrorism funding. It is also important to follow the right steps and procedures to show you have made every effort to ensure you are not breaking rules and regulations. Failure to do so could lead to fines, reputational damage and, of course, invalidate your insurance cover. These were the core conclusions of a panel of experts gathered by JLT Specialty and hosted by Commercial Risk Europe to discuss this increasingly important problem. “Assuming the due diligence pans out, this is a business decision,” said Winston Krone, global managing director of Kivu Consulting, which advises victims of ransomware how to react and negotiate the best ‘deal’. “We work with clients to reach the right decision in very stressful circumstances. We identify whether the data is needed, how long it will take, whether it will be corrupted and the actual likelihood of getting it back at all. There are a lot of factors to be taken into consideration. Whether to pay or not can be a red herring. The big question is: do you need the data and is it worth it to pay to get it back?” continued Mr Krone. Ffion Flockhart, global co-head of cyber risk at law firm Norton Rose Fulbright, said the direct legality of ransom payment is not complicated, but advised victims to consider wider areas such as sanctions and terror funding. “Whether the ransom funds terrorism or breaks sanctions is a question to be taken seriously. It is not actually illegal to pay in the UK. There is nothing to tell you that it is illegal to pay. But if you know you are paying a terror group, that is illegal under the UK Terrorism Act 2000. This is clearly an important factor and you are well advised to get people on board to help identify the actual nature of the crime,” she explained. John Harrison, head of information and cybersecurity at Charles Stanley, the independently owned private-client investment management firm, said any company under attack also needs to consider whether they will be breaking the US Office of Foreign Assets Control (OFAC) rules. OFAC administers and enforces economic and trade sanctions in support of US national security and foreign policy objectives. And things are often complicated by the fact that the first-line criminal may be an independent party, but a terror group may well sit behind them. Anti-money laundering (AML) rules are also another important consideration, particularly for the financial sector, added Ms Flockhart. “Another element that is tying the financial sector in knots is the AML rules. It is possible that if you are making a payment to the wrong party then you can be deemed to be conspiring with the attacker to cause harm. What you need to do to make sure that it is not illegal, is make reasonable enquiries. If you have done this and are satisfied, then it is a business decision,” she explained. According to the experts, leading law enforcement agencies such as the FBI in the US do not openly encourage companies to pay ransom demands but will increasingly turn a blind eye, so long as it is clearly not funding terrorism. Carol McLeod, managing counsel, global shipping at BP, asked whether it is wise to consult the authorities and ask permission to engage in talks with perpetrators of ransomware attacks. Is this best practice? “You will never get a rubber stamp from the FBI. But you really need to be careful here. If you deal with authorities in Asia – Singapore, for example – you may find that your servers have been taken over because it is illegal to pay ransom in some countries of this region. You need to do your homework and take good advice,” responded Ms Flockhart. Another panellist pointed out that in some countries, notably Italy and Mexico, the rules can be confusing because they are linked closely to kidnap law. So again, care must be taken when deciding whether to pay up or not. Mr Krone said that any responsible company will make sure they are complying with all the relevant rules, but stressed again that, at its root, this is a business decision that needs to be weighed up in the normal way. “We are only generally brought in when it is bad. A lot of the time companies have not lost everything, only a certain part of the data. Then the question is whether it is worth retrieving. Clearly, an important factor is whether the data is backed up or not. If it is not permanently backed up, then that is what you will be paying for,” he said. Mr Krone and Ms Flockhart agreed that the reliability of criminals is another important consideration when deciding whether to pay up or not. “The dark web has its own version of TripAdvisor for ransomware criminals that shows their reliability on returning the data and actual technical ability to hand it back,” explained Ms Flockhart. So, asked Mr Harrison of Charles Stanley, if the criminals themselves are graded on the dark web, is the willingness of companies to pay up also graded, thus making them vulnerable to future copycat attacks? Not so the experts agreed. “This is a myth,” said Mr Krone. “The attackers do it because they have an easy way of getting in. Usually companies that have been hit already are more difficult to hit again because they tend to be wiser,” he continued. Another important consideration when trying to work out whether it is worth paying up, is to know what you are paying for, added Ms Flockhart. “Too often, people do not actually know what is in the data that they no longer have access to. Clearly knowing what is actually there is vital!” she said. Dedicated policies, clear evidence and partnerships help claims payment If risk managers want to make sure their cyber claims are paid without fuss and in good time, they need to take out dedicated cyber insurance rather than relying on silent cover in existing standard policies. Relying on a kidnap and ransom policy to help deal with ransomware attacks may lead to coverage disputes. It also means that the company is provided with a kidnap negotiator rather than a cyber expert to help deal with the problem. When a ransomware claim hits, it is absolutely critical to gather and save the relevant details and notify insurers and brokers as soon as possible. It is also important to make sure the IT department does not take it upon itself to try and fix the problem before telling anyone else about it, not least risk and insurance managers. If evidence of an attack is inadvertently destroyed in its immediate aftermath, seeking full recovery will be made all the more difficult. These were some of the key conclusions reached by a group of risk managers, IT security experts and other market players gathered for a roundtable on ransomware by specialty broker JLT and hosted by Commercial Risk Europe. Sarah Stephens, partner at JLT Specialty, financial lines group, financial and professional risks, cyber, pointed out that claims experience remains relatively limited in this young but fast-growing market. So far, the evidence is generally positive for customers. Any problems that emerge tend to be when the company relies on standard coverage and hopes it covers cyber risk, she explained. “We have not seen that many claims to be honest, but what we have observed overall is really good claims behaviour in this market, which is encouraging. CFC Underwriting, the specialty underwriter in this market, has published good data in this respect that shows the claims denial is 1% to 2%, compared with 15% to 20% across the book. When you look at the details, you generally find that these denials are related to other policies, not dedicated cyber policies, such as professional indemnity,” said Ms Stephens. The obvious advice for any company that seeks to secure robust and reliable cover for ransomware and other cyber risks is to take out a dedicated cyber policy. They should carefully construct the protection in partnership with brokers to make sure it reacts as intended when a claims hits. “Problems with claims tend to arise when there is a fundamental disconnect between what the company wants and needs. Historically, companies would perhaps use a kidnap and ransom policy to try and cover a ransomware attack. But these policies were designed to cover executives rather than against such attacks, so are not perfect and can cause disputes. Moreover, you want help from an expert ransomware negotiator rather than an expert kidnap negotiator! It is best to opt for a dedicated cyber policy or even ransomware policy,” added Ms Stephens. All business insurance claims run more smoothly if the evidence of cause of loss is gathered quickly and efficiently as soon as the event occurs. As with any serious crime incident, efforts to ‘clean up’ too quickly, and often clumsily, will inevitably lead to future problems. But the need to carefully document and store evidence as rapidly as possible is perhaps more important with ransomware incidents than any physical loss, because things move so quickly. Claire Combes, board member at UK risk management association Airmic, said that clear communication on this important matter is needed to ensure evidence is not lost at the early stage. “A common problem is that IT people will not think to notify the risk and insurance manager immediately, they will just get on with trying to fix the problem. Protocols have to be followed or claims can be invalidated,” explained Ms Combes, who is also director of risk and assurance at intu Properties, which focuses on shopping centre management and development. Ffion Flockhart, global co-head of cyber risk at Norton Rose Fulbright, pointed out that it is in everyone’s interests to work together as closely and transparently as possible with such claims, particularly if the insurer also provides value-added services such as crisis management and access to skilled negotiators. The desire of both customer and insurer are then clearly aligned to contain the loss, stressed Ms Flockhart. Amateur ransomware attacks on the rise Experts gathered by JLT Specialty and Commercial Risk Europe to discuss the increasingly important area of ransomware agreed easy access to software needed to carry out the attacks has attracted more amateurs into the market. These amateurs may simply be incapable of delivering on their promise to return the stolen goods or access the ‘kidnapped’ data. Prices on the dark web for ransomware tools are also falling as competition among providers rises. This means those companies held to ransom need to seek support from experts in the area who can help work out whether a ransom is actually worth paying and whether the criminal will really be capable of delivering the goods. John Harrison, head of information and cybersecurity at independently owned private-client investment management firm Charles Stanley, asked his fellow panellists what percentage of companies actually have their data successfully returned after paying a ransom. Winston Krone, global managing director at Kivu Consulting, a firm that specialises in negotiating with ransomware criminals, said it really depends upon the victim’s ability to identify how ‘reliable’ the criminal is. “The return rate is actually about 99.9%, but this is kind of self-fulfilling because we will not pay a ransom unless we are as sure as we can be that it will be successful. If we do not think that the client will achieve a positive return and the data will be returned, then we will warn them not to pay. This year, we have seen a rise in the number of complete amateurs getting into it. Technically they do not know how to do it. We have seen cases in recent times when halfway through the negotiation, the criminals have had their licence cut off by the provider because they have been asking too many questions,” explained Mr Krone. The negotiating expert added that his company has been forced to go direct to providers on the dark web to try and retrieve data that the criminal could not. Mr Krone added that clearly part of the process is to work out whether or not the data is actually worth the risk. “Probably in 20% to 25% of cases the ransom is not worth paying, because of the likelihood of not getting the data back,” he said.

Ransomware: To pay or not to pay remains an open question

Want to read this article?

Read Next

Ferma members told AI will bring risk and reward for corporate insurance buyers

Aon’s revenues up 5% as it completes $13bn NFP deal

Warmer climate spreading risk of malaria and dengue to new regions

UN launches new net-zero insurance forum to replace NZIA

Pen extends fleet capacity deal with Zurich in Republic of Ireland

Ferma members told AI will bring risk and reward for corporate insurance buyers

Aon’s revenues up 5% as it completes $13bn NFP deal

Warmer climate spreading risk of malaria and dengue to new regions

UN launches new net-zero insurance forum to replace NZIA

Pen extends fleet capacity deal with Zurich in Republic of Ireland

Want to read this article?

Read Next

Ferma members told AI will bring risk and reward for corporate insurance buyers

Aon’s revenues up 5% as it completes $13bn NFP deal

Warmer climate spreading risk of malaria and dengue to new regions

UN launches new net-zero insurance forum to replace NZIA

Pen extends fleet capacity deal with Zurich in Republic of Ireland

Related Articles