RealTime Information Technology

View Original

Dealing with a Cyber Insurance Claim

BY TODD SWARTZMAN, REALTIME CISO

At RealTime, we highly recommend setting up an appointment with a breach coach through the insurance carrier. Use this call to better understand the process in case you do need to make a claim. Having a reasonable expectation on what the process looks like will take some of the stress off of you in the event you have to make a claim. 

PAYING THE RANSOM

Paying the ransom does not guarantee you’ll get your data back. These are criminals after all; some are very professional, and some are careless. It may be that the attacker corrupted the data during the encryption process, or they never intended for you to be able to recover because hey, they are criminals. To mitigate some of the risk, use a professional negotiator and Incident Response firm - these are usually part of your cyber insurance coverage. The pros generally know which gangs and ransomware variants are reputable and recoverable and which are not. DO NOT TRY AND DO THIS YOURSELF

Even if you do pay the ransom and you get the decryptor keys, and they work, the process to decrypt is pretty slow. This slow process is exacerbated by having to juggle multiple decryptors; the standard is one decryptor per machine, so if you have 500 computers and 20 servers, that is 520 unique decryptors. Some ransomware events have used unique decryptors per file share, or even worse, per file (probably due to mistakes during the encryption process.) Can you imagine dealing with a tens of thousand individual keys? That is basically impossible without serious automation and expertise on the part of the incident response firm.

Even if you manage to recover, you still are at risk of the criminals exposing your private data online, as an additional bite at that extortion apple. Why? The past 18 months has seen the threat of exposing your data online become commonplace.

A step everyone needs to take in any cyber incident is to have a professional confirm that the criminals no longer have presence on your information systems before you try and go live again. It’s a common tactic that the criminals will wait until you recover everything (whether you paid the ransom or were able to recover on your own from good backups) and then they hit you again, but this time they nuke your backups first.  

If you do get to the point where you need to make a ransom payment in order to recover your data, make sure that you understand what the policy covers and how the process is supposed to work. In the past, the insurer paid the ransom directly, now some policies are requiring that the policy holder pay the ransom and then the insurance will reimburse the policy holder.

This opens up some questions such as: If the ransom is $500k and I have to pay it, where am I going to come up with $500k? And, since they want payment in bitcoins, how the heck do I buy $500k worth of bitcoins?

Coming up with the money might be on you, but the insurance breach coach and incident response team should be able to provide guidance on the whole payment process and bitcoin subject. Be sure to ask before you ever need to use that policy! Another thing to ask is about ransom negotiations: Will the insurer help with that? On this note, it may even be illegal to pay certain ransomware gangs – see OFAC advisory (PDF Warning). 

CLOSING

What this should help you realize is that you want to take reasonable steps to reduce your risks of becoming a victim in the first place. Solid cybersecurity and a good backup strategy that will allow you to recover your data in a reasonable amount of time is a necessity these days. Not only is this generally a much faster way to recover than leveraging your cyber insurance (which can take weeks or months to fully recover from) you will save yourself a lot of stress. Questions? Let us know…