Insure Your Future: The Ransomware Response Playbook

Oct. 8, 2021
Five steps integrators and their clients should take in response to a breach as part of an insurance claim

This article originally appeared in the October 2021 issue of Security Business magazine.

Everywhere you look today, ransomware is at the top of the news cycle. Earlier this year, gas stations across the Eastern seaboard ran dry after a ransomware attack forced Colonial Pipeline to shut down its pipeline. JBS Foods, Quanta Computer and CNA Financial are just a few other examples of attacks with severe financial consequences.

While these attacks grab headlines, 37% of attacks hit companies with fewer than 100 employees and another 39% hit companies with 101 to 1,000 employees, according to research by ransomware mitigation provider Coveware. That means every company needs to be prepared to deal with ransomware, including integrators, and preparation means understanding the elements and timeline of a claim.

Step One: Navigating the Initial Response Internally

The first and most important element of successfully navigating a ransomware attack is having a defined and tested incident response plan. Knowing who to call internally, how to escalate an issue, and what parties need to be involved can reduce headaches on the day of an attack.

The plan should be formalized, written, and practiced, just as one would for a fire drill. An essential aspect of any good incident response plan is a defined timeline and communication path between the IT group and upper management, including who decides when systems are taken offline. The plan should also include clear instructions for contacting the insurance carrier and the appropriate outside vendors to help manage the incident.

If a company has cyber insurance, it is critical to contact the insurance provider immediately, before engaging any outside vendor. Certain carriers may disclaim coverage if their pre-approved vendors are not used for incident response. In addition, nearly all insurance companies have a 24/7 phone number that allows for immediate notice, even during off-hours.

Step Two: Bring in Third Parties

Once an insurance carrier has been notified, the engagement of third parties should follow an established roadmap. The first vendor is a law firm, commonly referred to as a breach coach. The firm acts as the quarterback: it directs the response, provides legal advice to ensure the rights of the integrator (its client) are protected throughout the process, and hires the rest of the response vendors. Having the law firm, rather than the integrator, retain those vendors is what allows the work done in response to the attack to be protected under attorney-client privilege. From here, let’s look at the role of each vendor in the process.

The law firm's first call will be to a digital forensics and incident response (DFIR) company. The forensic investigator leads the technical response to the attack. This means liaising with the internal or external IT team to determine what the attackers have encrypted, how the attackers got in and whether they still have access, how viable the backups are, and assisting with any attempts to get the network back up and running. Restoring systems before the initial access point is closed and the attacker is evicted risks a second encryption event. The ability of a company to restore from its backups is generally the leading factor in determining whether to pay a ransom.

Step Three: Pay or Refuse to Pay

Paying a ransom is not a decision that is made, or a payment that is completed, overnight. The forensic vendor will open a line of communication with the attacker if and when needed. A company's resiliency drives the timeline for negotiation. The better a company can keep operating while its systems are down, the longer the negotiation can go on, and the lower the final payment generally is.

When it comes time to pay a ransom demand in cryptocurrency, an integrator is not expected to hold something like Bitcoin. Instead, a cryptocurrency broker will be engaged to make the payment to the attacker. Before any payment is made, the broker and counsel will perform KYC (know your customer) and AML (anti-money laundering) checks to ensure that the payment does not expose the company to a fine or penalty under applicable laws.

Specifically for ransomware attacks, the focus is on the sanctions lists maintained by the Treasury Department's Office of Foreign Assets Control (OFAC). If the attacker, or the wallet being paid, is tied to a sanctioned party, a payment carries significant risk of a fine from the Treasury Department, and OFAC can impose penalties even where the payer did not know the recipient was sanctioned. In these circumstances, cryptocurrency brokers are not willing to accept the risk, so no payment can be made.

Step Four: Bring the Data Back

If payment is made, the decryption process begins, and the forensic vendor leads the effort to bring the company back online. This is not an immediate process and can take days or weeks; attacker-supplied decryption tools are frequently slow and do not always recover every file. Data and systems are often damaged or corrupted during the attack, so systems may need to be rebuilt even when a ransom is paid. If the ransom is not paid, a full restore from backups or a rebuild of the network and data from scratch is required.

While the integrator is offline and unable to operate, business interruption insurance is available to cover lost revenues and extra expenses. This coverage is similar to property insurance business interruption, but the trigger is a network outage instead of damage to a building. Currently, Coveware estimates the average downtime from an attack as more than three weeks – making this coverage crucial to a business's insurance policy.

Step Five: Deal with Data Loss/Breach

Alongside the investigation into backups and the need to pay, the forensic investigator looks into whether any sensitive data was accessed or taken during the attack. While this was infrequent in the past, as of the end of Q2 2021, 81% of attacks involved data exfiltration, according to Coveware. This matters because a good backup solves the encryption problem but does nothing about stolen data that the attacker threatens to publish.

Should sensitive information be compromised or potentially compromised, state and federal privacy laws require that potentially affected individuals be provided notice within specific timeframes. The breach coach will help draft the letters and facilitate postal correspondence with the appropriate individuals.

There is also a growing trend of allowing for electronic notification (via e-mail), which reduces the associated claims costs. An offer of a year (or more) of credit monitoring can be provided along with the notification letter, and an outsourced call center can be stood up to help individuals enroll.

The Aftermath: Liability Claims and Coverage

The last area of coverage and response to consider is when the incident develops into a liability claim against the integrator. There are three common claims resulting from a ransomware attack – a regulatory investigation, a single plaintiff claim, and a class-action lawsuit.

For a regulatory claim, companies can be charged with violations of privacy statutes or wrongful disclosure of data resulting in fines and penalties covered under a well-placed cyber policy. If clients of the integrator were to sue them due to the attack, coverage would also respond to defend the company.

There is a possibility an integrator could see an overlap between a cyber claim and a standard errors and omissions (E&O) claim. For example, if a job were delayed because of downtime caused by an attack, the claim could come in either form. Because of this, it is vital either to place the two policies with the same carrier or to understand whether there is a cyber exclusion on the E&O policy. Such an exclusion could unintentionally preclude E&O coverage for the integrator in the event of a cyber incident.

Hunter Maskill is Managing Director at Insuretrust, where he co-manages the brokering team, drives innovation by creating insurance products, and manages the firm’s claims capabilities. Prior to Insuretrust, he spent 13 years at AIG as a claims adjuster, underwriter and, most recently, an underwriting manager.