Cyber extortion is a growing threat across industries, and particularly for health care organizations, as criminals cast their nets wider using increasingly sophisticated malicious code.
Ransomware attacks spiked this year, with costs to businesses and individuals jumping to $209 million in the first quarter compared with $24 million for all of 2015, according to the FBI.
While individual ransom demands may be small, total costs — including forensic investigation, system restoration and business interruption — can be significant. Insurance for cyber-extortion is available under a variety of policies, so risk managers need to be aware of gaps and overlaps that could cause trouble in the event of a claim, experts warn.
“There's definitely a growing awareness on the part of companies large and small that ransomware and cyber extortion generally are a growing threat,” said William Boeck, senior vice president at Lockton Cos. L.L.C. in Kansas City, Missouri.
Cyber extortion schemes can take various forms, but the most common is ransomware, malicious software that encrypts a company's vital files and delivers a demand for payment — typically in bitcoin — in exchange for a decryption key. Target computers often are infected via email attachments and compromised websites that redirect a user to the cyber-criminals' site, which downloads the ransomware.
Malware — such as CryptoWall, Locky and Cerber — keeps evolving to evade detection and is readily available to aspiring cyber-criminals. Another one, Tox, is offered free in exchange for 20% of any ransom collected, according to the McAfee Inc. software security unit of Intel Corp. in Santa Clara, California.
Ransoms range from several hundred dollars for small targets to $10,000 or more for larger businesses, kept low intentionally to increase the odds they'll be paid, experts say.
“They aren't trying to break into the world's largest bank and extort billions of dollars,” said Robert Parisi, cyber practice leader at Marsh L.L.C. in New York, describing the problem as a “low-grade fever” rather than a deadly infection.
While the FBI advises against paying a cyber ransom, Daniel Twersky, assistant vice president and claims advocate with the FINEX unit of Willis Towers Watson P.L.C. in New York, said deciding whether to pay it can depend on its size, the sophistication and ease of removing the ransomware, and the importance of the encrypted data and cost of its inaccessibility.
“If it's critical to be up and running, one lost hour may be worth more than the ransom demand,” Mr. Twersky said. “I've really seen it go both ways.”
A 2015 survey of cyber security officials at 250 midsize companies, defined as 500 to 2,500 employees, found that 30% would negotiate with extortionists to recover lost data, according to Clearwater, Florida-based ThreatTrack Security Inc.
However, “those organizations that do pay find themselves being hacked again rather soon,” warned Jerry Irvine, chief information officer at Prescient Solutions, a Schaumburg, Illinois, information technology consultant.
While cyber extortionists generally have targeted health care companies, which depend on patient data and have been slow to adopt security measures, the threat is “industry-agnostic,” said Zach Scheublein, a vice president at Aon Risk Solutions in New York.
“I think it's only a matter of time before hackers focus on what will seem to be more lucrative targets — financial institutions and manufacturers,” Mr. Twersky said.
To prepare, a company's most important step is to have backups to restore systems and encrypted data: “It all hinges on having that backup,” said Larry Ponemon, chairman and founder of Ponemon Institute L.L.C., a cyber research firm in Traverse City, Michigan.
At least one backup should be off-site and outside the company's network. One of the most serious threats, experts say, is an infection that is dormant while it identifies critical files and deletes on-site backups before launching the attack.
Since most infections result from email phishing and visits to hacked websites, educating employees on how to avoid infections is key, experts add.
For reasons of convenience, most companies balk at what Mr. Irvine said is the best solution: blocking email attachments until they've been checked for malware.
Experts also advise companies to deploy third-party network security products, which identify and quarantine suspicious files, but these systems typically catch only known malware and may miss “zero day” attacks by previously unknown malware.
“There's no way to know it exists until it attacks you,” Mr. Ponemon said of such infections.
Insurance coverage for ransomware attacks is generally available under cyber risk policies. American International Group Inc.'s CyberEdge product, for instance, covers losses from threats to attack a computer system or disclose confidential information.
Kidnap and ransom and other policies also may include coverage: The K&R policy offered by a unit of Liberty Mutual Insurance Co., for example, covers ransom and costs from several types of cyber extortion, including ransomware.
Another Liberty unit offers a cyber-extortion endorsement to its product contamination policy, aimed partly at food manufacturers, for ransom and consulting costs.
Sophisticated foodmakers' highly automated and interconnected supply and delivery systems make them especially vulnerable to cyber extortion threats, said Jane McCarthy, senior vice president at Liberty International Underwriters in New York.
While cyber ransoms may be small enough to fall within many companies' retentions, the costs of forensic investigation, restoring lost or corrupted data, legal expenses and business interruption “are likely to be greater than the amount of the ransom,” Mr. Twersky said.
The range of policies including cyber extortion coverage should alert risk managers to examine their programs for gaps and overlaps, Aon's Mr. Scheublein said.
K&R policies, he said, might cover only threats to personally identifiable information when a company needs broader cyber extortion coverage.
Conversely, cyber and K&R policies may cover the same extortion event, leaving a company with two insurers claiming to be excess of the other one's coverage, Mr. Scheublein said.