HIPAA Survival Guide Newsletter May, 2020

Ransomware & Cyber Insurance
HITECH / HIPAA Newsletter
 
Introduction
 
There is no doubt that the number of ransomware attacks has increased dramatically over the last five years (circa 2015-2020). Phishing emails are likely still the preferred vector into your network because even unsophisticated hackers can launch a brute-force campaign sending tens of thousands of phishing emails to your unsuspecting workforce. All it takes is one wrong click on a link in the email and the bad guys are in your network starting their ransomware and/or phishing reconnaissance activities. Phishing has proven its efficacy. There is no reason to believe that this vector is going to be less favored anytime soon. That said, the bad guys are becoming more sophisticated by the day, using vectors that target exposed Remote Desktop Protocol (RDP) ports as a gateway to your network. Once the perimeter is penetrated, the bad guys are also becoming much more sophisticated at gathering admin credentials and otherwise hardening their attacks so that you elect to pay the ransom instead of opting for a restoration strategy (i.e. from a viable backup).
 
Our forthcoming Ransomware Resilience Framework goes into depth on Prevention, Preparedness, Payment, and Postmortem—the four P’s of resiliency. Here, we want to focus on one aspect of Preparedness: cyber insurance. There is still a lot of confusion in the marketplace as to what insurers are offering, the costs, the policy triggering mechanisms, the conditions of coverage, etc. This topic requires more in-depth treatment than what is provided herein; a newsletter article simply cannot do justice to it. We will revisit this subject matter going forward to keep our readers informed of the changing trends in this space.
 
Coverage
 
Coverage obviously depends on your specific policy. So, we will speak in generalities for this newsletter article. Cyber Insurance (“CI”) generally covers the following:
 
  1. Breach forensic costs;
  2. Breach data recovery costs;
  3. Breach regulatory fines;
  4. Breach class action lawsuits;
  5. Breach response costs;
  6. Breach business interruption costs; and
  7. Breach ransom costs.

This is not an exhaustive list, but it should give you a feel for the kinds of questions that you should be asking your prospective insurer. As you can tell from this list, the actual exposure for many of these items is hard to quantify. Given that there is much uncertainty, it should go without saying that the policies available are not cheap.
 
Conditions
 
Although coverage for cyber extortion (i.e. a ransom payment) is a standard offering in most policies, it comes with some conditions attached (what a surprise). You will almost certainly be required to obtain your insurer’s consent before you pay the ransom. Further, an insurer may not cover the ransom payment if the bad guys are on the Specially Designated Nationals and Blocked Persons List maintained by the Treasury Department. It should go without saying that you will need to provide the insurer notice within a reasonable period after an intrusion event (generally 30 days). Obviously, you are not required to pay the ransom, and not paying should not jeopardize the coverage enumerated above. Other conditions may apply toward obtaining indemnification for a ransom payment, for example (1) meeting any applicable deductible; and (2) acquiring proof before payment that you have a valid “decryptor” key.
 
Further, you need to take an even closer look at other conditions outlined in the policy. If the policy is conditioned upon the organization implementing the “necessary and proper” security safeguards, then you could be paying thousands of dollars a year for illusory coverage. Most healthcare organizations are not even close to implementing the necessary and proper safeguards.
 
Facilitation
 
Insurers will vary as to the degree of involvement in the process. For example, some insurers elect to stay out of the ransom payment decisions altogether. They will not advise you either way. They will not make the ransom payment for you. Others will want to take a more hands-on approach. You should be aware that paying the ransom involves knowledge of crypto-currencies, access to a crypto-wallet, and (at times) access to the “dark web.” If your insurer does not provide these services for you, you will need to seek help elsewhere.
 
Caveat Emptor
 
Insurance companies are generally not your friends. The reason for all the "fine print" and convoluted language is to avoid covering you if you fail to comply with all the minutiae. For example, as discussed above, your policy is certain to include a "notice requirement." This means that within so many days after a breach or attempted breach you must notify your insurer. However, you are not likely to notify until you have investigated sufficiently, and by then the notification period may have expired. While this warning may appear to be nothing more than “common sense,” you will be surprised how little “sense” remains when you are in the middle of responding to a significant attack.