
TAG Cyber Law Journal

March 2019
A webinar takes a close look at a large and growing area of cyber crime.
Some of the victims of data breaches in recent years
By David Hechler
THINK RANSOMWARE IS ANOTHER COMPANY'S PROBLEM? Or an urban legend designed to sell Bitcoin? Maybe it’s time to think again.
     Consider a few statistics. Ransomware is the fastest growing malware threat out there—to the tune of 4,000 attacks a day. By the end of this year, these attacks are expected to occur every 14 seconds. The resulting damages totaled $8 billion last year. That number is expected to rise by 50 percent to a whopping $12 billion this year.
     Those were some of the numbers Karen Painter Randall reeled off at the beginning of a webinar hosted in February by the University of South Carolina School of Law. Randall is chair of the cybersecurity and privacy practice group of Connell Foley LLP in New Jersey, and she and her three fellow panelists had a lot more scary statistics at their disposal.  
     One widely cited number that the panelists mentioned is from the Ponemon Institute, which says that responding to a data breach costs a company, on average, $3.9 million. That isn’t limited to ransomware attacks, but ransomware is the most popular method, they said.
     Panelist James Jaeger told the audience that the Ponemon statistic doesn’t even tell the whole story. Beyond any ransom a company pays, it suffers the loss of business during the time its systems are shut down, which costs another $500,000 to $1 million a day.
     And the reputational hit can be devastating, said Jaeger, the chief cyber strategist and a partner at Arete Advisors. Not only can the attack shut down a business, he continued, it may cut off customer and even employee communication, leaving all parties frustrated and angry.

It Doesn’t Take Much to Be a Victim
There’s something else that makes ransomware even scarier. Some companies feel immune to cyberattacks because they don’t have “crown jewels” that would make them attractive targets. As one CEO told Randall, “We don’t have the stuff they’re looking for.” But ransomware is an equalizer. Even if a company doesn’t have valuable data or IP, it can still find itself the victim of extortion. Any company can.
     Having made a convincing case that ransomware should be taken seriously, the panelists offered advice on how companies can prepare.
     Since hackers frequently exploit employees who click on emailed links, employee training is commonly recommended as a countermeasure. And it can be effective, said panelist Douglas Hemminghaus, assistant special agent in charge of the FBI’s National Security Branch. “The best way to stop this is education and training,” he emphasized.
     Randall noted that this shouldn’t be viewed as a short-term proposition. A study found that before training, 80 percent of a group of employees opened a suspicious email. After about six months of training, only 40 percent did. Without additional training, however, it jumped back to 80 percent by the end of the year. The lesson? “It’s not just a box you check off,” she said. “It’s something that you incorporate as part of a whole approach to cybersecurity.”

A Popular Alternative to Stealing Personal Information
What makes ransomware so popular? It’s easy and effective. It doesn’t require great technical skill to send phishing emails, Hemminghaus noted. Tools can easily be purchased on the dark web. And nationwide, 70 percent of the victim companies pay between $20,000 and $40,000 to recover their data.
     There is one way a company can avoid the ransomware trap, even if its employees are vulnerable. In a word: backups. If a company has its data backed up on a system that is not accessible to hackers, it can simply refuse to pay.
     “I expect the percentage of people paying ransomware hopefully goes down,” Hemminghaus said, “because people become more aware of it, and they’re setting up their systems so that they can reset them, even to the prior day of business, if they have to.” 
     For those who decide to pay, the required currency is often Bitcoin. Randall wondered how many companies actually have the cryptocurrency on hand, just in case they need it.
     Jaeger said that cyber insurance companies have taken a real interest in this subject. They have recognized that if clients don’t set up a Bitcoin wallet in advance, the time it takes increases the danger. He added that some carriers have asked incident response firms like his company to step in to help. “They virtually insist that we have a Bitcoin wallet,” he said, “and we negotiate those payments and make them on behalf of the clients.” 
     There’s a paradox here. Not only do the victims and their insurance companies want to see their operations restored. So do the hackers. “One of the issues we really wrestled with,” said Hemminghaus, who acknowledged that the FBI doesn’t encourage companies to pay, “is, from a business standpoint, generally the ransomers do want you to get back in operation. Because if you don’t, you’re probably not going to pay for the key—if that word gets out there.”
     So it’s actually in the attackers’ interest to see that their victims are able to come through the experience lighter in the wallet, but otherwise unscathed. It’s good for business—the company’s, and when word spreads, the criminals’ as well.  

Enter the Breach Coach
One of the most important lines of defense, of course, is insurance. Cyber insurance has been common for several years now, noted panelist Abigail Oliver, assistant vice president at insurer Axis Capital, but recently carriers have added language that specifically covers ransomware as well. 
     Insurance companies have added a new player on the team that defends clients that suffer a breach. When her company’s clients report one,  Oliver said, Axis assigns them a “breach coach”—an external vendor the carrier has contracted with to help clients navigate next steps.
     “They’re the ones that are really going to lead the charge,” she said. They investigate the loss and do their best to “mitigate the risk as much as possible. Because we don’t want you to experience a large loss,” Oliver said. “And additionally, we want to keep expenses down as well.”
     It’s also important, she said near the end of the webinar, to ensure that your company has the right kind of insurance. And by that she meant cyber insurance.
     For companies convinced that commercial general liability and property policies are sufficient to cover cyberattacks, now is the time to make the switch, Oliver urged. And this is a great time to do it, she said, because there’s enormous competition in the marketplace. You can buy $1 million of insurance for $1000 right now. But make sure you’re dealing with brokers who are knowledgeable about these policies, she warned.
     After Oliver had said her piece, Randall rolled out a few last statistics, in case anyone remained skeptical about the dangers she’d described. For those hoping that it’s a waning fad: “Eighty-one percent of cybersecurity experts believe there will be a record number of ransomware attacks in 2019.”