Companies must interface with insurers immediately and request consent or authorization to engage incident response firms and other consultants. Most cyber liability policies require such notification and approval.
Some observe that cybercriminals are preferentially targeting companies with insurance, leveraging the fact that they know the company has coverage to drive up demand and extortion settlement amounts.
Know Your Limits
If you ask cybersecurity experts like Fortinet, ransomware settlements should be avoided but in certain cases they may be unavoidable, which is where insurance comes into play. If you have a good cyber insurance policy, your carrier will be involved in the ransomware settlement discussions from the outset. As soon as your cyber extortion incident is formally reported, the insurer will schedule a call to discuss the event and start coordinating the incident response team.
Many cyber policies have separate limits for different types of losses, with some overlapping to cover more significant events. If you disclose any information about available cyber insurance limits to your attackers, they may use that as leverage to demand a higher payment or even void your coverage.
Furthermore, disclosure of your policy details could trigger the infamous “investigation” clause in many cyber insurance policies, which can delay and potentially derail your claim by demanding invasive examinations under the oath of critical employees. Not only does this sour the relationship with your insurer, but it also impedes your ability to resolve the dispute quickly and smoothly. Hiring an experienced and qualified ransomware negotiator to represent your interests is essential.
Keep Your Insurance Information Secret
With many organizations relying on cyber insurance to mitigate losses, insurers assess companies’ risk in more ways than the usual underwriting and claims process. For example, insurers consider a company’s ability to limit damage through controls like frequent backups, disk-based backup systems kept off-site and multi-factor authentication for access to cloud-based backup systems.
In addition, savvy executives understand that cooperating or engaging in dialogue with attackers – particularly divulging policy limits – violates the insurance company’s duty to mitigate its losses and opens the door for attackers to escalate their demands. In one case, an attacker demanded that the policyholder reveal its insurance coverage as part of the ransom demand extortion process.
To minimize exposures, a company should review all insurance policies that may respond to a ransomware event, including commercial general liability, fidelity, and crime policies, and put them on notice as part of a documented incident response plan. Also, it is worth considering whether paying a ransom to an entity on a sanctions list may create additional exposure or trigger a sanction exclusion in the insurance policy.
Do not Be Afraid to Ask Questions.
The inability to communicate directly with insurers during ransomware crises can create delays and friction. Insurers can use the appearance of impropriety as justification for invasive investigations — examinations under oath, requests for susceptible information, and other investigative measures that can delay or even derail recovery efforts.
As a result, some companies cannot recover the total cost of their losses because they cannot reach their insurance carrier. In addition, some insurance carriers contract with massive teams of lawyers, technical and forensic experts, and negotiators to manage and resolve cyber insurance claims.
Those firms are often used to working with insurance companies to negotiate a settlement for a lawsuit and need to prepare when dealing with a ransomware demand. Those firms should seek advice from a cyber insurance broker or attorney to determine the fastest path to resolution and recovery. They should also review their insurance policies and note the amount of available insurance and any notification or consent requirements that need to be met.
Keep a Cool Even Tone
Cybercriminals are becoming increasingly aware that many of their victims have cyber insurance policies that will cover a ransom payment. As a result, they preferentially target organizations with cyber insurance, as their chances of a successful extortion settlement increase.
As a result, negotiators need to keep calm and not get emotional during conversations with threat actors. If they show less emotion, they could be perceived as desperate, and the threat actor may be less likely to offer a lower demand.
In addition, negotiators should also avoid using sarcasm during negotiations with threat actors. These tactics can often be interpreted as threats and may lead to a hostile negotiation environment.
While negotiating with ransomware threats was not commonplace just a few years ago, some say it has become more of a regular occurrence thanks to the rising number of data theft and exposure incidents. They add that referring clients to negotiators is usually a no-brainer, as hotheaded executives and IT teams can make things worse by trying to handle negotiations themselves.
Do not Get Emotional.
Keeping your emotions in check will help you avoid costly mistakes that can undermine the value of your insurance policies.
Many cyber liability policies offer coverage for ransom payments. Still, they are unlike other types of insurance, such as auto, where the other driver does not hit you on purpose. Cyber attacks are deliberate and targeted. A successful and quick recovery requires advanced preparation, knowing, and avoiding potential pitfalls.
For example, if your company pays a ransom, you’ll likely need to hire incident response and restoration firms and purchase crypto to replace the lost data. These services can cost millions of dollars. In addition, it may fine companies that pay hackers on its sanctions lists for facilitating crime.
Some warn his clients that cybercriminals march to a timeline, and they must understand that, even if they buy crypto, it will not quickly bring their systems back online. The negotiating process can also take weeks. In the meantime, your reputation is at risk in the eyes of your customers, employees, investors, and the media.
