becomes increasingly sophisticated, risk professionals must work in conjunction
with their company’s chief information security officer, general counsel,
CFO/treasurer, operations managers and human resources department to adopt a
comprehensive approach to manage and respond to cyber-related exposures.
Effective preparation is vital and typically involves carefully coordinated and
integrated activities, including measures to safeguard technology; insurance
that provides adequate risk transfer; and sound forensic, investigative and
claims management to facilitate timely and complete recoveries.
Over the past year, organized crime rings around the world
have launched a new wave of cyberattacks to shut down companies’ technology
infrastructure, websites, operations, and access to funds, records and bank
accounts. These criminals then demand immediate ransoms and can cause
substantial downtime, reputational damage and, ultimately, business
interruption losses. These attacks have targeted institutions and enterprises
in all economic sectors and many victims remain in a perpetual state of
Along with testing and securing your technology
infrastructure and diligently evaluating the information security practices of
the enterprise’s trading partners and customers, the following five measures
can jumpstart your efforts to deal with these serious threats:
1. Form a multi-disciplinary team to deal with
Even if you already have a team to deal with potential
cyberrisk issues and employee theft/occupational fraud, you still may have to
add a few new members to address ransomware and cyberextortion issues. In
addition to risk management, the team should include at least one key executive
from finance, information technology, security, legal, human resources,
operations, compliance and communications.
Be sure to also include representatives from the company’s
insurance broker and carrier providing cyber, fidelity and property coverage,
claims consultants, outside counsel, and external information security or
forensic specialists. Further, develop a rapport with local federal
investigative agencies, such as the FBI or Secret Service.
Your external assets should be ready to respond to a threat
with an agreement, contract and/or retainer for immediate delivery and action.
In examining the firm’s potential vulnerabilities to
attacks, revisit technology-related exposures and logistical risks, including
any and all mobile phone, tablet and laptop usage and password protection
protocols and measures to monitor employee compliance. In addition,
double-check restrictions on employee access to financial funds, bank and
credit accounts, and customer, client and employee personal identifiable
2. Review your insurance coverages.
Conduct a detailed assessment of your insurance protection
for ransomware and cyberextortion incidents before attackers strike. Depending
on your industry and the nature of your business, different insurance policies
may apply to these types of incidents, including commercial crime policies,
bankers blanket bonds, computer crime endorsements, cyber and network security
policies, kidnap, ransom and extortion insurance, and commercial property
Selectively communicate those coverage lines within your
team of business stakeholders so that they are already aware of risk transfer
and possible financial remedies when an incident occurs or a threat is
Work with your broker, claims professional and legal
advisors to determine if and how your coverage might respond to any ransomware
or cyberextortion incident, as well as whether the protection levels are
adequate. Your broker may have to revisit this topic with your insurers to
determine if coverage extensions or higher limits may be needed.
Check if your policies offer panel experts, such as law
firms, public relations firms, cyber forensics and forensic accountants. Only
choose those firms that act on behalf of victims (i.e., the insured). Under
these high-stakes circumstances, it is critical that their primary interests
are fully aligned with yours.
3. Create an incident response plan.
If you receive a cyberextortion threat or suffer a
ransomware attack, your firm will not have time to start figuring out how it
might respond. You need to be prepared and know exactly what you want to do.
Cyber criminals typically insist a ransom be paid in
bitcoin, often within hours of the request. If it is not paid, the ransom price
can go up exponentially. This is where common-sense planning is effective.
Before an event, make the decision about whether or not to pay a ransom. If the
plan is to pay, consider your limits—and this is where your carrier comes into
the discussion. Consider pre-determined input from your trusted cyber experts
and law enforcement agents, who likely will be familiar with the criminal
actors and the track records of extortion and results.
In addition, be sure to check with your insurers regarding
any protocols, guidelines or specific requirements they have established for an
insured to respond to a ransom/extortion demand. You should have in place a
forensic computer expert, an effective negotiator and a firm with bitcoin
4. Understand your role in an incident investigation.
This is another area where advance planning is critical, not
only to minimize potential damage from an active attack or system breach, but
also to avoid repeated attacks. If criminals perceive an entity to be
vulnerable, they will often attack in waves.
Your team should know whether, when and how to notify law
enforcement as well as which law enforcement agencies to contact in the event
of certain cyberattack scenarios.
If internal espionage is suspected, once law enforcement is
involved, your enterprise needs to understand and be prepared for all potential
implications, including the impact of such investigations on your employees and
day-to-day operations. Remember, if a criminal investigation occurs,
information flows one way toward law enforcement, which typically cannot share
any evidence or information they uncover.
5. Coordinate claims management.
Depending on the type of ransomware attack and whether
internal employee involvement is suspected, a number of different insurance
policies could respond. While vital, insurance recovery will not be on the
minds of those in the “heat of battle.” That is yet another reason advance
planning and communication with management and internal team leaders will make
the risk professional’s job more manageable and recovery from claims more
In any of these situations, your team must be prepared to
triage the incident and prioritize the order in which to contact insurance
companies regarding claim notification. Cyber, extra expense, crime and theft,
ransom, and business interruption are all possibilities.
You can expedite this process and potential recovery by
working with a claims professional to review potential incident scenarios and
assess whether and how different insurance policies will respond.
Along with the initial carrier notifications, you should
understand fully what documentation each insurer will require and recognize the
corresponding sources for specific information within your organization,
including accounting/finance, operations, technology and marketing.
Christopher J. Giovino is managing director of
forensic investigation, crime and cyber evaluation risk quantification at Aon
Global Risk Consulting. J. Christopher Dineen is director of claims
preparation, advocacy and valuation at Aon Global Risk Consulting.