Recent Ransomware Events Highlight Risks & Your Cyber Insurance Policy May Not Cover Losses
The WannaCry incident has created a unique opportunity to examine the potential catastrophic impact of ransomware on businesses, and in particular, business interruption considerations. The following scenario is provided as a way to create discussion opportunities with your clients, IT team, attorneys, and risk managers.
The Scenario
You’re sitting in your office putting the final touches on a motion that you intend to file in federal court this afternoon when you are suddenly unable to save the changes to your document. You log off and cannot log back in, receiving an error message indicating that the third-party cloud-hosted service your 20-person law firm uses for all its document management needs is experiencing “technical difficulties”. This is the start to a very bad day.
After a few heated calls with your document management services (let’s call them “CloudFail”, or “CF”), you learn that CF has suffered a ransomware attack. Virtually all of their data (well, actually your data) has been encrypted by hackers that are demanding a bitcoin ransom before they will decrypt the files.
The next five days are incredibly painful as it becomes evident that CF apparently had sloppy information security practices, unreliable data backup systems, and an outdated incident response plan. How could this happen? Didn’t our IT guy check them out? How were the bad guys able to hack CF’s IT systems? A failure to install updated Microsoft security patches on their old Windows server appears to be the root cause. Problem is, the old server is where the data was stored. Ouch.
The Fallout
There is not enough Tylenol on planet earth to mitigate the resulting headaches suffered by your firm…and your clients. Unable to access critical law firm documents, briefs don’t get filed, court dates are continued, and judges and your opponents are incredulous when you try to explain what has happened. An important and very unhappy client tells you he is considering bringing a suit alleging a breach of your firm’s ethical requirement to use a reasonable duty of care in protecting their data.
After four days of drama, CF finally figures out how to pay the bitcoin ransom, but the bad guys break their promise to decrypt your files and demand a higher ransom (this is not uncommon). The new ransom is paid, but the decryption keys do not work. In the aftermath, you and your firm’s IT team are forced to try to re-create and recover important files and documents from a hodgepodge of sources. Not pretty.
Adding Insult to Injury
The $500K contingent business interruption insurance claim is being challenged by the carrier because you failed to properly vet CF. The cyber insurance policy you purchased last year is full of holes since you did not identify key service providers on your policy’s schedules, as required by the underwriter. The financial hit and reputational harm to your firm slowly becomes a nightmarish reality.
Reality Check
Lest you think this drama is being overplayed, think again. Contingent Business Interruption insurance issues were a major hot topic at Advisen this year, and the landmines related to un-vetted subcontractors are significant. You may have world-class information security practices, policies, and technology in place, but what about your key suppliers? Readers will recall some of the recent incidents related to Amazon Web Services (AWS) vulnerabilities, and the MS Office 365 security risks (logging feature failures, for example) are well documented.
The Take-Aways
- Vet Your Vendors. Do some due diligence on those suppliers and partners that will be handling your company’s data. Get industry references and review their insurance policies. These key vendors may include cloud storage providers, web developers, employee benefits providers, accountants, and other professionals.
- Solid Service Agreements. Your contracts with service providers should permit you to audit their key systems. Require these contractors to perform an IT risk assessment. Any service agreement must also allow access to their IT systems (to conduct incident response investigations) in the event of an episode.
- Check Your Cyber Policy. The time to review your cyber policy and ensure it is up to speed is not during the heat of battle. Do it before an event occurs, and talk to your carrier about perceived gaps.
- Redundant. I say Redundant. Your company’s most critical data should never be stored in one place. Have solid backup systems in place, including on site and off site storage.
- Have a Plan. Gather your key stakeholders and create a defensible incident response plan. Test your plan with “table top” exercises twice per year.
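The “Redundant” take-away only pays off if the second and third copies are actually intact when you need them; in the scenario above, CF’s backups were unreliable and the ransomed data could not be recovered. The script below is an added illustration, not code from the original article or from any vendor named in it. It assumes a manifest of SHA-256 hashes captured from the primary copy, and checks that every file has a verified copy in at least two independent backup locations, one of them off-site. The directory layout, file names and the simulated corruption of one off-site copy are constructed for the demo.

```python
"""Backup redundancy check (hypothetical example).

Verifies that every file listed in a hash manifest has an intact copy in at
least two independent backup locations, at least one of which is off-site.
A copy that is missing or whose hash no longer matches (for instance because
it was encrypted by ransomware that reached the backup share) does not count.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_location(root, manifest):
    """Return the set of manifest paths whose copy under `root` exists and
    matches the expected SHA-256. Missing and corrupted copies are excluded."""
    ok = set()
    for rel, expected in manifest.items():
        p = os.path.join(root, rel)
        if os.path.isfile(p) and sha256_file(p) == expected:
            ok.add(rel)
    return ok


def redundancy_report(manifest, locations):
    """locations: list of (name, root_dir, is_offsite).
    Returns {rel_path: {"copies": n, "offsite": bool, "redundant": bool}},
    where "redundant" means >= 2 verified copies with at least one off-site."""
    verified = {name: (verify_location(root, manifest), offsite)
                for name, root, offsite in locations}
    report = {}
    for rel in manifest:
        copies = [name for name, (ok, _) in verified.items() if rel in ok]
        has_offsite = any(verified[n][1] for n in copies)
        report[rel] = {
            "copies": len(copies),
            "offsite": has_offsite,
            "redundant": len(copies) >= 2 and has_offsite,
        }
    return report


def demo():
    """Constructed scenario: three documents copied to an on-site and an
    off-site backup; the off-site copy of one file is then overwritten with
    garbage, standing in for a backup that ransomware managed to encrypt."""
    base = tempfile.mkdtemp()
    primary = os.path.join(base, "primary")
    onsite = os.path.join(base, "onsite")
    offsite = os.path.join(base, "offsite")
    files = {                              # constructed sample content
        "brief.docx": b"draft brief v3",
        "motion.pdf": b"%PDF motion to dismiss",
        "exhibits/a.txt": b"exhibit A",
    }
    for root in (primary, onsite, offsite):
        for rel, data in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
    # Simulated damage: the off-site copy of motion.pdf no longer matches.
    with open(os.path.join(offsite, "motion.pdf"), "wb") as f:
        f.write(b"\x00ENCRYPTED\x00")
    # Manifest is taken from the known-good primary before any incident.
    manifest = {rel: sha256_file(os.path.join(primary, rel)) for rel in files}
    return redundancy_report(
        manifest, [("onsite", onsite, False), ("offsite", offsite, True)])


if __name__ == "__main__":
    for rel, r in demo().items():
        status = "OK" if r["redundant"] else "NOT REDUNDANT"
        print(f"{rel}: {r['copies']} verified copies, offsite={r['offsite']} -> {status}")
```

Run on a schedule, a check like this turns the “Redundant” rule into something measurable: a file that fails the report is exactly the file you would be re-creating from a hodgepodge of sources after an incident. The manifest must be stored somewhere the backup process cannot overwrite, or a corrupted copy would simply be re-hashed as “correct”.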