RANSOMWARE ON THE RISE
by Nick Fortuna
Good insurance agents never rub it in by saying, “I told you so,” when a client is struck by preventable misfortune, but there surely are times when they must be thinking it to themselves. Jon C. Nordin experienced just such a moment late last year when a client in the trucking industry got an expensive lesson in the value of cybersecurity insurance.
Nordin, executive vice president and principal of the commercial lines division of Atlanta-based insurance brokerage firm Pritchard & Jerden, had offered the client $1 million worth of coverage against ransomware and other cyber attacks for an annual insurance premium of $2,000. The client declined to purchase the policy, and several months later, his company’s operations were abruptly shut down by a cyber attack.
The client then hired a forensic IT team to recreate his computer files and restore the company’s internal systems, but the three-week process came with a big price tag: more than $200,000 in losses when the disruption to business operations was factored in. Since then, that client has purchased a robust cybersecurity policy, but the initial damage was wholly avoidable.
“He didn’t think he had exposure to ransomware attacks, but no one is immune, and it’s very scary when it’s your business that gets attacked,” Nordin said. “Many GMTA members are really focused on the rising cost of insurance, and rightfully so, but I encourage them not to neglect this exposure as well.”
Cyber attacks and ransomware cost U.S. businesses and private citizens more than $7.5 billion last year, according to Emsisoft, a provider of antimalware and antivirus software. In a recent report, the company described the “unprecedented and unrelenting barrage” of attacks in 2019, with ransomware hitting 103 federal, state and municipal agencies, 759 health care providers and 86 schools and universities.
In just the past few years, major cities such as New Orleans, Las Vegas, Atlanta, Dallas and Baltimore have had their systems breached by hackers. David Riggleman, a spokesman for the city of Las Vegas, said that the city encounters about 279,000 attempted cyber attacks each month, illustrating the enormous scope of the problem.
INADEQUATE INSURANCE POLICIES
While some business executives have been slow to acknowledge the growing threat of cyber attacks, others erroneously believe they have addressed it, Nordin said. In many cases, companies do have some form of cybersecurity insurance among their portfolio of policies, but that coverage frequently is inadequate and contains exclusionary language allowing the insurance company to avoid paying claims, he said.
The cyber policy often is embedded within a general-liability or executive-line policy as a throw-in, and it fails to account for the wide range of possible cyber attacks and their repercussions, Nordin said.
“We typically start by reviewing a prospective client’s policy coverage, and when we inform them that they don’t have coverage for dozens of exposures to loss, their jaws drop,” Nordin said. “Many of them have a false sense of security because they believe they have a good cyber policy, but the intent of a lot of these carriers is not necessarily to pay claims. Unfortunately, most people find out what their policy actually covers after a loss, which is never a good feeling.
“Unlike general liability, auto and workers’ comp – policies that members have had to purchase for years – cyber liability is the Wild West. There is no standard policy form. Right now, there are probably 170 insurance companies offering some form of cyber liability coverage, and I would say there are fewer than 10 that do it well.”
Ransomware and other cyber attacks are constantly evolving in response to upgraded cybersecurity software and business practices, so Nordin, speaking at the GMTA Leadership Conference last November, urged members to ask their insurance carriers how they know their policies are keeping up with the threats. If an insurance carrier isn’t partnering with a highly reputable cyber expert, then the policies it offers likely are inadequate, he said.
“Hackers are always coming up with new ways to steal your money, and the policies can’t adapt quickly enough,” Nordin said. “So, I encourage members not to wait until an insurance renewal year to look at their coverage. This is one line of coverage that you don’t want to wait on because the exposures to loss are different today than they were even four or five months ago.”
A DOUBLE DOSE OF RANSOMWARE
Harold Sumerford Jr., chairman and chief executive of Birmingham, Ala.-based J&M Tank Lines, said his company was hit by ransomware in April and June last year, but thanks to precautions put in place after the first attack, the second one caused only a minimal disruption.
Sumerford, second vice chairman of the American Trucking Associations, said he got a call early one morning from his chief financial officer saying that hackers had penetrated his company’s internal systems and were demanding $250,000 in bitcoin as ransom.
J&M Tank Lines chose not to pay, which is in keeping with advice from the FBI. The federal agency says paying hackers only encourages future attacks, and there is no guarantee that companies will get all of their data back after paying, or that they won’t be hit again by the same group in the future.
J&M Tank Lines quickly was able to get its internet, email and phone systems back up, and executives initially expected to have fully recovered within a day, but the ransomware had corrupted the company’s backup systems, so the road back turned into a slog. Since the company’s automated systems were down, it was unable to bill customers for a week, and in order to pay its drivers and other workers, it had to duplicate its most recent payroll checks instead of using up-to-date information.
Sumerford said that since the company hadn’t expected to be a victim of ransomware, it had done away with manual backup systems, such as timecards for employees to clock in and clock out with, but those systems are back in place now.
“It took about a week to get the main system back up and running, and it took another three or four days to get all the systems up and running,” Sumerford said. “When you have a heavily automated company like ours, you’re especially vulnerable. Fortunately, we were financially strong enough to front a week’s pay to employees even though we didn’t have any freight bills to back it up. Some companies may not be in a position to do that, and they’d be in really bad shape.”
Two months after the first ransomware attack, a leftover piece of malware shut down the company’s systems once again, but this time, J&M Tank Lines was well prepared. The company had hired the noted cybersecurity technology company CrowdStrike to beef up its defenses, and J&M Tank Lines was back to full strength about 12 hours later.
AN OUNCE OF PREVENTION
In addition to upgrading companies’ firewalls and cybersecurity software, there are steps that cybersecurity experts can take to bring clients up to speed. One key strategy is to educate employees about how ransomware gains access to a company’s system and to perform penetration testing to determine the likelihood that an attack will succeed.
A single employee can create a security breach by clicking on a link or downloading an attachment from a fake email address, and hackers have grown increasingly sophisticated at making these emails look authentic. Cyber experts can help a company identify which employees are most likely to fall for a so-called phishing attack and therefore are in need of more computer training.
“Most companies don’t spend any time on employee cyber-awareness training, but it’s extremely important, and you want to encourage employees to alert IT when they see something suspicious,” Nordin said. “Some companies are doing internal phishing, where fake emails will be sent to employees so they can see how many actually click on it. Interestingly, in many scenarios, you find that those in leadership positions are the most susceptible. More often than not, people in the C Suite are the ones who click on it.”
For insurance companies, helping clients harden their defenses against ransomware is much cheaper than paying claims, so many are connecting their clients to cybersecurity experts as part of their policies, Nordin said.
“More and more, there are value-added services offered at no additional charge,” he said. “If we can prevent claims, it’s good for all of us.”
Sumerford said he’s given half a dozen presentations to trucking industry stakeholders since his company was first attacked, outlining the ordeal and encouraging them to take action.
“I tell people it’s not a one-time deal,” he said. “It’s a continued investment. If you haven’t been struck by it, you probably will be, so you have to be ready. That’s the big thing. You have to keep working at it to make sure you have the right measures in place to stop it. Spend the money now and be wise about it. And since cybersecurity insurance is so new, make sure that your policy covers everything. Some insurance may not even be worth the paper it’s written on.”