If you’ve noticed that cyberinsurance rates are on the rise, you can “thank” the growing threat of ransomware — when hackers use malicious software to take charge of a company’s computers and systems. In a true attack, the perpetrators only stop once they have received an anonymous payment, usually in Bitcoin, that can be huge.
In fact, hackers have been steadily demanding bigger and bigger sums from all types of companies, often without regard to company size or what the company might actually be able to pay. Ransom demands of up to $16 million have been reported — and as many organizations choose not to reveal any details of ransomware attacks unless they make the nightly news, this may not be the peak. Coveware, an industry leader in ransomware incident handling, reports that the average payment in 2020 has increased by 33%, now averaging $111,605.
These bad actors took full advantage of the workplace disruptions caused by COVID-19. Hastily cobbled work-from-home systems were most often targeted, with the expectation that security measures would often be lax at best. And cannabis companies were on their radar, along with healthcare organizations, given the presence of sensitive customer data.
A recent typical attack grounded the Albany County Airport Authority’s administrative computers, causing them to make a Bitcoin payment of just under $100,000 to unlock their system. On a larger scale, the foreign exchange company Travelex was down for weeks, resorting to pen-and-paper transactions, until a ransom of $2.3 million (about 228 Bitcoins) was paid — negotiated down from an original ransom request of $6 million. Incidents like these have caused cyber insurance premiums to rise nearly 25% this year.
Downtime is also a troublesome effect of dealing with a ransomware demand. The average business interruption is two weeks, making this a significant pain point, especially for smaller cannabis businesses.
So to pay or not to pay: that is the question, and law enforcement continues to discourage payment. As the FBI warns, cybercriminals can linger in networks for months before and after specific ransomware attacks, and payment is no guarantee of having the data returned undamaged, or that the perpetrators won’t keep a backup copy for later use. Remember that many big enterprises like Disney and Netflix are known for their refusal to cooperate with such requests, no matter what.
Insurers are shifting gears in response. Some are lowering the amounts they will pay for ransomware attacks against vulnerable companies, instituting copays, and/or requiring that data backups and other security measures be in place. There is also a move to make ransomware coverage a separate product from general cyber coverage, so realize that when seeking coverage, one size no longer fits all.