ProWriters President Brian Thornton Speaks on Ransomware
Today, more people than ever before are realizing the importance of data protection. As comprehensive cyber security plans have become vital to businesses in every industry, the cyber experts at NetDiligence host the Cyber Risk Summit each year to explore the threats businesses and individuals face in the digital age.
This year, ProWriters President Brian Thornton was invited to speak at the 2019 NetDiligence Summit in Philadelphia on the issue of data breaches. He was a featured panelist in the Interactive Breach Scenarios Workshop, which occurred multiple times during the event due to popularity. The workshop covered several critical topics, including:
- An understanding of the more recent, and prevalent, cyber security threats
- An overview of legal compliance and response obligations
- Strategies on dealing with hackers and media during a breach
- How to mount a response and what services and products to include
All of these topics were covered in a realistic, interactive cyber breach scenario. Brian and the other panelists weighed in as the scenario evolved, offering their insights at multiple decision points. The scenario presented at the event was created by drawing from real-life breaches.
The Scenario: A Ransomware Attack
The scenario presented revolved around a ransomware attack. This kind of attack holds a computer network hostage, denying access until a ransom is paid. The Department of Homeland Security has observed an increase in these kinds of attacks across the globe, so it’s a timely breach to focus on in this scenario.
You run a for-profit healthcare provider headquartered in Philadelphia that becomes infected with ransomware. All employees have been locked out of the corporate network and can’t access patient files or medical records.
Within minutes, you receive a voicemail from an anonymous hacking group that takes responsibility for the attack. They demand $1M in bitcoin to unlock the network.
The good news:
Foreseeing a scenario in which the network was compromised in some way, your IT team already backed up the hospital’s systems. They tell you the systems can be restored from those backups, giving everyone access again.
The bad news:
According to your internal IT team and outside experts, restoring the systems from backup will take at least one week. Patient care and billing would suffer during that time.
What would you do?
One group of employees believes you shouldn’t notify your insurance carrier. They argue that because the demand is roughly equal to the size of your deductible, you should just pay the ransom.
However, your newly hired IT engineer insists that you don’t need to pay the hackers because the systems are encrypted with BitLocker. Your IT team has the decryption keys, and they should be able to decrypt the data if you give them some time.
So, do you pay the ransom? As the threat of ransomware attacks continues to rise, there are companies faced with this question every day. The right insurance carrier can help you make the right decision—otherwise, you’re on your own.
The Problem Persists
It’s day three and your system is still down. A variety of challenges have arisen as a result:
- Doctors can’t access patient records
- Hospital administration isn’t able to keep track of scheduled appointments
- Surgeons are unable to operate without access to the information they need
- Communication systems are down, as they were also affected by the ransomware
Meanwhile, your anti-virus programs have identified and removed ransomware from some affected systems. Your IT team insists that they are prioritizing reformatting systems and restoring data from backups. They say this is the best way to get up and running quickly and deliver patient care.
What would you do?
Days after the initial breach, the attack has crippled your ability to operate. You’re being pressed to get to the bottom of what happened, but you also want to care for the patients you have now. Do you continue the investigation or focus on recovery?
Investigations are costly, and a dedicated cyber liability policy includes coverage for IT forensics costs. This means the costs for determining how the breach happened and what data was compromised will likely be covered. Determining exactly what happened is one of the most important (and expensive) parts of a data breach.
The Media Gets Involved
News of the attack was leaked to the public.
The media has started to call. Renowned investigative reporter Brian Krebs from Krebs on Security reaches out asking for a comment. You are also getting several email requests from the press.
Patients have caught wind of the attack from media reports and have begun calling as well. They’re worried that their medical records have been stolen and are demanding answers.
What would you do?
Media coverage in these kinds of events is often unavoidable. A comprehensive cyber security incident response plan will prepare for this by instituting a crisis management protocol.
This is where insurance comes in. Stand-alone cyber liability insurance policies include first-party coverage for crisis management. Your policy will cover the costs of managing the public fallout of a breach, including the cost to hire a public relations firm.
The Government Investigates
As the situation evolves, you get a call from the FBI. They tell you that they have opened an investigation into the incident and need access to certain devices.
This is more than a criminal issue. Sensitive personal data, such as medical records or payment information, is regulated. Companies are required to protect customers’ data, and failure to comply with these regulations can result in heavy fines and penalties.
What would you do?
Deciding if and when to engage law enforcement is an important part of data breach management, so it belongs in any cyber risk management plan. In addition to criminal investigations, regulatory investigations may result in fines and penalties. In this particular case, the Health Insurance Portability and Accountability Act (HIPAA) regulations would likely apply. In the event of non-compliance with HIPAA regulations, the government can impose fines of $100 to $50,000 per compromised record, up to a maximum of $1.5 million per incident.
Comprehensive cyber liability insurance includes third-party coverage for fines and penalties resulting from a breach. Without this kind of coverage, you would be forced to pay any fines out of pocket.
The Depth of the Breach is Revealed
You finally regain access to your system. Your forensic IT investigation finds evidence of malware in the environment that captured information on thousands of patients. This includes names, dates of service, and treatments. Based on this, you and your legal counsel determine that notification is necessary to 50,000 individuals whose data may have been affected.
Your forensics team is extracting a mailing list for notification. Meanwhile, your internal incident response team is trying to determine the best strategy for communicating with the affected individuals. Complicating matters further, the information exposed is not the same for each individual. Some had their prescription information exposed; for others, it was X-ray or diagnostic data.
What would you do?
You know you have to notify the patients somehow. Do you mail out letters? Do you send out emails? How will you handle phone calls? And how much will all of this cost? A dedicated cyber liability policy includes first-party coverage for notification costs, covering the expenses associated with customer and regulatory notification. This includes the cost to set up and operate a call center, which can be very expensive without coverage.
Conclusion: Cyber Insurance Is Key to Cyber Security
From the moment the ransomware attack was discovered in our scenario, cyber liability insurance played a crucial role. At every decision point, coverage was vital to navigating and surviving the fallout of the breach.
No cyber security plan is complete without dedicated cyber insurance coverage. Cyber policies are more comprehensive than ever before and include coverage for things like IT forensics and investigations, public relations and crisis management, regulatory fines and penalties, and notification costs.
Not all cyber policies are the same; in fact, cyber insurance is a complex product in an evolving market. A cyber expert should always be consulted whenever considering a policy for you or your clients. At ProWriters, we have 25 years of experience that combines both cyber and insurance expertise to deliver tailored policies that meet a wide range of needs. To learn more about what ProWriters can do for you, speak with a cyber expert today.