Whether your company or organization should pay a ransom depends on the circumstances. Your first step should be to contact law enforcement. Your local FBI field office will take such notifications, and your local police department can also refer you to the right law enforcement agency. If your business has taken care of the preventative measures suggested here, and a good, accessible backup is available, you may not be forced to negotiate with the attackers. Be aware that paying the ransom does not guarantee you will regain access to your data, despite any promises the perpetrators might make.
It is particularly important to be aware that paying a ransom can violate federal law and place the victim company in legal jeopardy. The Office of Foreign Assets Control (OFAC) has issued recent warnings that paying a ransom could potentially fund criminal enterprises in violation of the law, and that you could be fined for paying such a ransom to sanctioned countries or regions of the globe (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
Attackers also frequently target city and municipal governments. For both public and private sector victims, the question of whether to pay a ransom can be more complex than whether OFAC will issue a fine or whether the ransom is affordable. Many municipalities (and private sector businesses as well) choose not to pay ransoms simply because of the principle involved, and instead decide to restore systems regardless of cost. A decision such as this can have impacts on the viability of the business entity, its shareholders, and the public at large.
Should I Invest in Cyber Insurance?
As a business owner, or a person with a fiduciary duty to others, the decision to carry ransomware protection insurance is an important one. Many feel cyber insurance is a vitally important tool in protecting your company against the damage wrought by cyber criminals who carry out ransomware attacks. The financial burden a serious ransomware attack places on a company can be a “bet the farm” proposition. Cyber insurance can help, but such coverage often comes with no guarantees and does not provide 100 percent protection.
Much depends on the diligence of the company purchasing the coverage, and on the market’s ability to provide tools to defend against the ever-evolving technologies deployed by ransomware attackers. Cyber insurance typically covers privacy, data, and network exposures. This includes lost business revenue and data recovery costs due to a breach or extortion threat, money lost due to a fraudulent instruction by a third party (phishing), and defense against privacy lawsuits and regulatory fines that may be imposed upon a company that falls victim to these crimes. This insurance can also provide breach response resources if an attack occurs.
It is estimated in various reports that cyber insurance premiums, which now total about $5 billion annually, will increase 20 percent to 50 percent per year on average in the near future.
The continual development of, and businesses’ reliance on, technology such as the Internet of Things (IoT) lead to growing use of internet resources and, therefore, increased exposure to cyber risk. The predictions are that the market will continue to see ongoing demand and increased growth in premiums. As more devices connect to the Internet, and more and more personally identifiable information is collected and stored, the financial incentives for these attacks grow. As more businesses are attacked, media coverage increases, which raises awareness and drives market demand for cyber risk insurance.
One additional consideration about cyber insurance is that it is not a particularly profitable business line for insurance companies, because ransomware payment demands are very high. Therefore, we can expect that fewer carriers will remain competitive, and some will ultimately drop out of this line of business. Such moves will raise premiums and have a direct impact on companies’ bottom lines. Low premiums and high risk are a poor combination and do not bode well for the future of cyber insurance. The balancing act between risk and mitigation will demand prevention. Preventive measures can go a long way toward precluding the need for, and therefore the demand for, such insurance protection.
Corporate data breaches and privacy have been the primary concerns for businesses until recently, but future cyber issues will reportedly include intellectual property theft, cyber extortion, and the impact of business interruption following a cyber attack. Companies may want to consider business interruption insurance as a significant component of their cyber protection plan, but prevention in the first instance is key.