Ransomware cyber insurance collection: “It was really horrible”
So you have conscientiously taken out cyber insurance against ransomware, you have been affected, you have lost money and now you want compensation from your insurer. Good luck.
Unsurprisingly, like any insurer, your carrier will look for every way under the sun not to pay. It's all in the "fine print": insurers require from the outset that organizations follow specific practices around security, reporting and more. They demand that your systems be audited and pass every last metric. If something changes in your IT environment and you find yourself out of compliance after an attack, well …
But all is not bad.
"The good news is that most of the cyber insurance policy providers I've worked with have actually paid in case this should happen," says Dave Kawula, Senior Management Consultant at TriCon Elite Consulting. He was speaking to an audience of hundreds who attended the three-part, half-day online summit last week titled "Best Practices for Cloud Storage, Backup and Restore," presented by Virtualization and Cloud Review and RedmondMag.com.
He presented with John O'Neill Sr., Chief Technologist, AWS Solutions, who has worked with Kawula on ransomware cases. Presenting as a team, they shared their expertise on a plethora of topics, but it is ransomware that is currently the priority for many companies hoping to survive the current deluge of attacks and not become a victim held hostage until they pay to get their business back on track.
“I’m not going to lie, it’s not really pretty. I could say it was really horrible because cyber insurance salespeople are so hammered with claims that it takes a long time for them to react.”
Dave Kawula, Senior Management Consultant, TriCon Elite Consulting
"There is a whole process for that," Kawula continued after saying most insurers pay. "I'm not going to lie, it's not really pretty. I could say it was really horrible, because cyber insurance salespeople are so hammered with claims that it takes a long time for them to react. But usually they do. They will have their own SecOps, security operations teams, and cyber threat analysis experts who will assist your organization."
Noting that some insurers require organizations to use security practices such as multi-factor authentication (MFA) and to pass the aforementioned cyber audits, he asked O'Neill Sr. whether he had encountered such requirements.
He had, and made three main points:
The NIST 800 series
This is a collection of United States federal government policies, procedures and guidelines relating to computer security. "If you are not familiar with the NIST 800 series policies, familiarize yourself, because many cyber insurance companies conduct reviews entirely based on these standards and recommendations," said O'Neill Sr. "So familiarize yourself with them, and not just the 800-53, but the new 100 and 200 series documents."
Spread the risk
"The second thing is … cybersecurity insurance is based on the ability of carriers to spread risk. Okay, it's kind of like hurricane insurance, that sort of thing. No individual insurance company can absorb the risk of a large-scale event like that. They can take something that's spread across so many organizations, so many companies; they just couldn't pay all of those claims. So they spread that risk. And for them to do that, and get these underwriters and other companies and things like that, of course, they have to mitigate their risk, and they're doing it by asking more and more pointed questions and getting you evaluated. And I can't recommend you enough, don't just lip-service your answers. Because Dave, like you mentioned, when something happens, and you have to have this conversation, and you're like, 'Alright, well, our cyber insurance company is coming, they're going to help us offset some of those costs,' they're going to scrutinize every answer you give them with a fine-tooth comb. And if something was wrong, you are going to be refused, end of story.
"So if you tell them that, yes, we have MFA in place, and they come in and find out that in reality you only have MFA for your IT group, you haven't implemented it across the rest of your organization, well, that's the basis for them to deny you. If you tell them that you haven't implemented things like Android devices on your network, and they come in and they find, and I'm using the example in the previous session, that's why I'm talking about it, they find out you have time clocks, or what's very common right now, those COVID scanners that do temperature scans when you walk in and out, and a lot of them are Android-based and you get them plugged into your network. Now, that flies in the face of a certification you made, and it's a basis for denial. Even though your current incident might have nothing to do with these things, understand that they have a right to look at everything and make a decision about paying a claim based on it."
"The other thing I'm going to throw out about insurance is to be very specific when you look at them. The carriers, again to mitigate the risk, are increasing the deductible. So if you think that they're going to absorb the cost of paying that ransom, or if you're down for six weeks or whatever, in full, you're probably going to be disappointed. In fact, with most of them, you take the first million dollars in risk sometimes just having that, so you know, watch out for that stuff."
To this list, Kawula added two points:
- Prepayments: Kawula and O'Neill Sr. have both experienced this. Kawula noted that in a recent case, the victim organization had to pay $55,000 per server, prepaid by the organization. "So I really hope you have a working slush fund, because I don't know a lot of banks that are going to lend you money to pay off threat actors."
- Reimbursement: "So that's number one. And number two is kind of a repayment basis." Money is therefore required up front even when an organization's claim is ultimately reimbursed.
Along with MFA, Kawula said cyber insurance providers often ask customers to install advanced persistent threat (APT) protection on systems so that investigators can find and shut down command-and-control servers, isolating them at the network level to protect the infrastructure. "No recovery will take place until you can really understand what is going on, where the root cause is, because there is absolutely no point in recovering an environment while you still have an active attack in progress."
Another sore point can be outdated, perhaps forgotten, systems. To illustrate this, O'Neill Sr. used the Android time clock example mentioned above.
"Very recently we found employee clocks … used to punch in and record today's date. Of course, they are built on an Android operating system, they were plugged into the network, and no one has been careful to patch this operating system or do anything with it. So you have Android, which is one of the most statistically targeted operating systems by malware, and it's implemented, it's fully connected to your network. Okay, it's on the same VLAN in this case that the servers live on. So your production ERP system, your metering system, your HR system, your quality system, and nobody's paying attention, nobody's tracking the application of security updates, or any of those kinds of things.
"How did you, as a paid IT resource, paid IT professional, manage to leave the backdoor open for so long that someone finally found it and took advantage of it?"
John O’Neill Sr., Chief Technologist, AWS Solutions
"You know, it's serious when you are the victim of a malicious event. It's worse when you are the victim of a malicious event that compromised a system using a breach that was patched by the vendor months and months and months before. I can tell you as an IT professional, this is one of the most difficult things to explain to your bosses, isn't it? How did you, as a paid IT resource, paid IT professional, manage to leave the backdoor open for so long that someone finally found it and took advantage of it?"
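Two of the attestations discussed above, "MFA is in place" (not just for the IT group) and "no unmanaged Android devices share a VLAN with the servers", can be checked against exported evidence before a carrier does it for you. The script below is an added example written for this article, not code from the summit presenters or from any insurer; the user export, VLAN plan and device inventory are constructed sample data, and the CSV columns a real identity provider or NAC would give you are an assumption.

```python
"""Check cyber-insurance questionnaire attestations against exported evidence.

Attestation 1: "MFA is enforced for all users" (not only the IT group).
Attestation 2: "No unmanaged or unpatched devices sit on the server VLAN."

All inputs below are constructed sample data (hypothetical hosts and users),
not records from any real organization.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass
class User:
    upn: str
    department: str
    mfa_enforced: bool


@dataclass
class Device:
    hostname: str
    ip: str
    os: str
    managed: bool                 # enrolled in MDM / patch management
    last_patched: Optional[date]  # None = no patch record at all


# Constructed: what an identity-provider user export might contain.
USERS = [
    User("alice@example.com", "IT", True),
    User("bob@example.com", "IT", True),
    User("carol@example.com", "Finance", False),
    User("dan@example.com", "HR", False),
    User("erin@example.com", "Finance", True),
]

# Constructed VLAN plan: CIDR -> role. The server VLAN must hold servers only.
VLANS = {
    "10.10.0.0/24": "servers",
    "10.20.0.0/24": "workstations",
    "10.30.0.0/24": "iot",
}

# Constructed DHCP/NAC inventory, including the two device types from the talk.
DEVICES = [
    Device("erp-db01", "10.10.0.5", "Windows Server 2019", True, date(2021, 10, 12)),
    Device("hr-app01", "10.10.0.6", "Windows Server 2019", True, date(2021, 10, 12)),
    Device("timeclock-lobby", "10.10.0.77", "Android 7.1", False, None),
    Device("covid-scanner-east", "10.10.0.78", "Android 8.1", False, date(2019, 3, 1)),
    Device("ws-0412", "10.20.0.44", "Windows 10", True, date(2021, 10, 20)),
    Device("printer-3f", "10.30.0.9", "Embedded", False, None),  # segregated, so not a finding
]

TODAY = date(2021, 11, 1)  # fixed "today" so the sample evaluates deterministically


def mfa_coverage(users: List[User]) -> Dict[str, Tuple[int, int]]:
    """Per-department (enforced, total). 'MFA everywhere' means every pair is (n, n)."""
    cov: Dict[str, List[int]] = {}
    for u in users:
        c = cov.setdefault(u.department, [0, 0])
        c[0] += int(u.mfa_enforced)
        c[1] += 1
    return {d: (e, t) for d, (e, t) in cov.items()}


def mfa_attestation_holds(users: List[User]) -> bool:
    """True only if no department has a single user without enforced MFA."""
    return all(e == t for e, t in mfa_coverage(users).values())


def vlan_role(ip: str, vlans: Dict[str, str]) -> Optional[str]:
    """Map an address to the role of the VLAN that contains it (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for cidr, role in vlans.items():
        if addr in ipaddress.ip_network(cidr):
            return role
    return None


def segmentation_findings(devices: List[Device], vlans: Dict[str, str],
                          today: date, max_patch_age_days: int = 90) -> List[Tuple[str, str]]:
    """Devices on the server VLAN that are unmanaged or overdue for patching."""
    findings = []
    for d in devices:
        if vlan_role(d.ip, vlans) != "servers":
            continue  # devices on other VLANs are out of scope for this attestation
        if not d.managed:
            findings.append((d.hostname, f"unmanaged {d.os} on server VLAN"))
        if d.last_patched is None:
            findings.append((d.hostname, "no patch record"))
        elif (today - d.last_patched).days > max_patch_age_days:
            findings.append((d.hostname, f"last patched {(today - d.last_patched).days} days ago"))
    return findings


def segmentation_attestation_holds(devices: List[Device], vlans: Dict[str, str], today: date) -> bool:
    return not segmentation_findings(devices, vlans, today)


if __name__ == "__main__":
    print("MFA coverage by department:", mfa_coverage(USERS))
    print("MFA attestation holds:", mfa_attestation_holds(USERS))
    for host, reason in segmentation_findings(DEVICES, VLANS, TODAY):
        print(f"FINDING {host}: {reason}")
    print("Segmentation attestation holds:", segmentation_attestation_holds(DEVICES, VLANS, TODAY))
```

On the sample data both attestations fail: Finance and HR have users without MFA, and the Android time clock and temperature scanner sit in the server subnet, unmanaged and unpatched, while the printer on the IoT VLAN is correctly left alone. The point of asking the questions this way, per department and per VLAN rather than "do we have MFA?", is that an insurer's post-incident review asks them the same way.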
A question best avoided, and one you can help avoid by watching the above summit on demand and attending the upcoming security-focused live summits, which can be found here. Coming up next month: