When hackers paralysed the 5,500 mile Colonial Pipeline in the United States last month, the potential disruption and damage threatened by ransomware attacks was brought into sharp relief even at domestic level. As a result of the cyber-attack, the largest fuel transport network serving tens of millions of Americans on the east coast was taken offline. The knock-on effects were brought home over the following week, from Texas to New Jersey, as gas prices spiked, motorists queued for fuel, and hospitals, emergency services and airports feared a fuel shortage. This was the largest cyber-attack ever on US infrastructure and a stark reminder that, as businesses in all sectors adopt the latest technologies, the risks and liabilities arising from ransomware attacks are ever greater.

Increasing digitisation and cyber risk

Many organisations are now becoming increasingly "digitised" as technological solutions improve business efficiency, particularly in light of the COVID-19 pandemic and the consequent need to put new working practices in place quickly. Those digitised solutions often bring a need to store larger quantities of data electronically and to transmit that data. These new systems, whilst necessary for business progression and efficiency, create lucrative targets for cyber-attacks.

What is a ransomware attack?

Ransomware attacks often use encryption to block access to a system or file until a ransom payment in cryptocurrency is made. The most common method of infiltration into a business is a spear-phishing attack. Ransomware attacks tend to be well planned and aimed specifically at causing the widest possible disruption to the data affected. In addition to deploying ransomware on a target, the hackers will often exfiltrate personal or commercial data, or encrypt files containing employee data or commercially sensitive data such as details of customers or suppliers. After the threat actors have encrypted particular key files, a ransom demand is sent with payment deadlines. This ransom demand tends to require a payment in cryptocurrency in exchange for a decryption key and a promise from the attackers to the target that they will not leak the data that has been exfiltrated.

What are the financial impacts of a cyber-attack?

The financial impact on a business following a cyber-attack might be felt through any of the following:

  • payment of contractual penalties for late delivery of goods;
  • losses caused by operational slowdown or shutdown;
  • contractual claims arising out of the loss of commercially sensitive/confidential data;
  • costs in responding to the cyber incident, including from a regulatory perspective where there is a requirement for organisations to report the incident to the data privacy regulator and/or all individuals affected if personal data is compromised; and
  • potential payment of penalties imposed by regulatory bodies.

In the aftermath of a cyber-attack, there will also follow costs to invest further in IT infrastructure, cyber security and cyber risk training.

How can you manage vulnerabilities?

Although increased adoption of technology brings increased vulnerability to a cyber-attack, human error and a lack of human oversight also contribute to the likelihood of a cyber-attack. Key factors that increase the vulnerability of an organisation to cyber threats include: human error, such as accidental loss of passwords or USB drives containing data; poor "cyber health", such as insufficient controls around user accounts and auditing of user accounts (which it has been reported may have been a factor in the cyber-attack on the Colonial Pipeline), a lack of encryption on devices, or outdated firewalls; and poor risk awareness, such as insufficient IT training, which, for example, could leave staff and management vulnerable to phishing emails.

How to respond to a cyber incident

Businesses can put themselves in the best position to respond to cyber incidents by preparing and implementing a detailed cyber incident response plan. The response plan must be subject to regular review to ensure that it remains robust in an ever-changing cyber threat landscape. An effective plan should cover every aspect of the incident, from detection and containment through to evaluating the implications, notifying the relevant parties and finally taking remedial steps to ensure further incidents do not occur in future. Decisions as to when to report to a regulator and whether to respond to a ransom demand should be planned for at board level rather than improvised at the critical point when the business is faced with an attack.

Risk management and the importance of cyber insurance

Cyber risk management can be further fortified by the effective procurement of cyber insurance. The coverage position in respect of cyber risk from traditional insurance offerings alone can be less than comprehensive. Bespoke cyber insurance policies not only provide cover for those risks that would otherwise have fallen between the gaps of traditional insurance offerings, but also help to contain the costs associated with responding to an adverse cyber incident.

It has been reported that the Colonial Pipeline attack has generated a surge in energy companies taking out cyber insurance, particularly in the US. However, the decision as to whether and what cyber insurance to take out is not necessarily straightforward. As the cyber threat, and the use of ransomware in particular, continues to escalate, premiums are substantially on the rise and insurers' expectations of the cyber defences that potential insureds should have in place are increasing. Where insufficient defences to ransomware attacks in particular are identified, then some insurers are reducing the limits of cover available for such attacks by a half and/or increasing the deductibles.

The former head of the NCSC recently called for a dialogue as to whether or not insurers should be banned from covering ransomware payments, to try to address the issue more at source. AXA has announced that it will no longer cover ransomware payments in new cyber policies issued to French policyholders. The issue of ransom payments is also being looked at in the US, driven by events such as the Colonial Pipeline attack. If insurers did not cover ransomware payments, cyber insurance would potentially still provide cover for other losses arising out of the incident. However, ransomware demands can be significant. Colonial Pipeline apparently paid $4.4m to the hackers and, whilst in that case it appears the FBI may have been able to recover a significant amount of that sum, organisations that have been the victim of successful ransomware attacks will be able to testify that this is, unfortunately, an unusual outcome.

A ransom payment can be a substantial expense for an organisation that chooses to pay in circumstances where it doesn't have cyber insurance that covers ransoms, has insufficient limits in its policy covering ransoms, or doesn't have any cyber insurance at all. The ongoing debate on this issue will therefore be an area for organisations to watch going forward.