Author: John Doernberg
A recent attack on a life sciences company demonstrates how the evolution of data security exposures and expectations affects companies previously thought to have modest risk.
In early May 2020, a California pharmaceutical company was the victim of a ransomware attack. Initially, its strong preparation and swift response seemed to contain the matter well. It did not pay ransom; instead, it was able to promptly resume business by using recent and uncorrupted backups. At the time, the company believed that none of its data had been stolen in the attack.
More than two months later, however, the company learned that some of its data, including personally identifiable information (PII) of current and former employees, had been posted on the Internet. Its investigation determined that the data, which included names and Social Security numbers, had been exfiltrated during the May ransomware attack. The posting of that information by the attacker forced the company to notify both the California attorney general and the affected individuals. In addition to the cost the company will incur in providing notification and identity theft services to the affected individuals, the company may find itself under regulatory scrutiny as well.
Background: A New Wrinkle to a Common Attack
What had happened? The company had been victimized by a variant of the DoppelPaymer ransomware—a strain of virus reflecting the recent marriage of the two principal, traditional types of cyber extortion.
According to a leading ransomware response firm, until late 2019 ransomware attacks were designed to lock down data access—the attackers encrypted a victim’s network and demanded a ransom payment in order to decrypt it.
Starting in late 2019, new variants arose that first extracted sensitive data, then encrypted the victim’s network. Using this approach, the attackers could seek two ransoms: one for decrypting the victim’s network, the other for not publishing the exfiltrated data. The attackers’ can then leverage the potential cost to the victim of dealing with the data breach (notice, credit monitoring, risk of privacy claims, etc.), plus the potential reputational hit.
It is often the potential reputational loss that causes the victim to pay. Some attackers even seek to shame a victim into paying by publicly leaking some of the stolen data.
In the second quarter of 2020, the ransomware response firm referred to above reported that in 30% of ransomware attacks the hackers threatened to release stolen data (without demonstrating that data was actually stolen), and in 22% of attacks the hackers demonstrated that they had in fact exfiltrated data—a 152% increase from the previous quarter.1 The most publicized versions of these dual attacks are Maze, Sodinokibi and DoppelPaymer—names that have, unfortunately, become familiar to cybersecurity professionals.
What seemed unusual about the case of the California pharmaceutical company was its apparent unawareness of the data exfiltration until months after the ransomware attack. Theft of data provides no leverage to the attackers if the victim doesn’t know about it.2
After the company declared that it had resolved the ransomware attack without paying, the attackers may have leaked the data to monetize the stolen information or to retaliate against the victim’s refusal to pay, with an implicit threat to future victims of what could befall them if they failed to comply with the attackers’ demands.
Professional Services Firms Are Popular Targets
New cyber threat variants have done more than just increase the size of the potential ransom pot. Thieves have targeted certain industry sectors that they consider particularly susceptible to those attacks. The most common victims are professional services firms, such as outsourced IT service providers, because they often have access to the confidential data of their clients. In the second quarter of 2020, more than 30% of ransomware attacks targeted professional services firms.3
It is not hard to see why. When professional services firms are victimized by ransomware, their clients are victims too, as the clients’ data is being held captive. The interests of the attacked professional services firm can easily diverge from the interests of its affected clients. The professional services firm may not want to pay the demanded ransom for practical reasons (it feels it can adequately restore its network and information from uncorrupted backups) or philosophical reasons (it doesn’t want to further encourage ransomware attacks).
Its clients, however, may fervently wish to avoid the public disclosure of their confidential information. Even if the clients have the right to indemnification from the professional services firm for their damages, the indemnification process would be time-consuming and disputatious—and almost certainly would not adequately address the impact on their clients’ reputations. The clients might not even have a chance to exert pressure on the targeted firm to pay the ransom. While the clients may know of the attack due to the unavailability of the targeted firm’s website or platform, and therefore of the clients’ own data, they may not be made aware of the actual or threatened disclosure of their data until it’s too late for them to do anything about it.
Some Insurance Implications
This new kind of ransomware attack increases the exposure of cyber insurers along with their insureds.
A regular ransomware attack can trigger multiple insuring clauses in a well-negotiated cyber policy, including those addressing incident response (such as the engagement of breach counsel and its hiring of a forensic investigation firm), cyber extortion, business interruption, data recovery and possibly regulatory investigations or proceedings.
A ransomware attack that also involves data theft is likely to trigger additional incident response expenses, such as the costs to notify affected individuals and regulatory authorities, provide credit monitoring or identity theft protection, engage a call center, or hire a PR firm to reduce reputational harm.4
With increasingly stringent government privacy laws being enacted in many jurisdictions, a ransomware attack involving a data breach may also expose organizations to significant additional costs: responding to a regulatory investigations, taking remedial actions and possibly paying regulatory fines. Often it’s not the initial data theft that creates the greatest financial and reputational exposure, it’s the regulators’ after-the-fact determination that the affected company had not been doing enough to protect sensitive personal information.
A recent incident5 provides an unfortunate window into the potential extent of the exposure to both the victims and to cyber insurers. In May 2020, a publicly traded, cloud-based software company was hit with a ransomware attack. It paid a ransom in exchange for the cybercriminal’s destruction of the client data it had exfiltrated before the attack. But the data was leaked, exposing the affected company to millions of dollars in liability.
This incident has echoes of the attack on the pharmaceutical company described above: in each incident the attack target was apparently not aware when they paid the ransom that data had been publicly disclosed.6 According to reports describing the attack on the software company, there have been more than 170 reported breaches – affecting more than 2.6M individuals – related to the data theft. The affected clients included healthcare organizations, universities and various other nonprofits. With so much PHI and PII compromised by the incident, significant regulatory scrutiny (with its associated costs) is more than likely.7
Professional services firms, especially those providing cybersecurity services to their clients, can face additional hurdles. If they are stricken by a ransomware attack, they will be unable to provide promised services and may face E&O claims from affected customers. In light of these heightened exposures, in recent months cyber insurers have become more cautious in both their underwriting process and in the terms they offer to those companies.
The combination of data theft and ransomware attacks on professional and technology service providers complicates an already challenging claims process. A targeted service firm, scrambling to get back up and running, may feel extra pressure to pay the demanded ransom(s) to prevent the public disclosure of its clients’ sensitive data.
Some in the insurance industry believe that if an affected firm’s client contracts have strong limitations of liability, it’s possible that the ransom payments may exceed those liability caps and arguably be uncovered. Even if the customer contracts at issue have separate indemnification limits for disclosure of confidential information than for failure to provide services, the insured will almost certainly find it harder to satisfactorily navigate that claim with its insurers.
Professional services and technology companies should make sure that their incident response teams have ready access to relevant customer contract provisions before an incident occurs. Some companies may want to revise their indemnification obligations going forward to reflect the current risk landscape and exposures.
As the incident with the pharmaceutical company demonstrates, even companies that do not possess a lot of PII may face significant additional costs if this information is breached in connection with a ransomware attack. Newer privacy laws focus on many aspects of the affected company’s data security practices throughout the entire lifecycle of PII, from collection through destruction.
Even a modest breach may invite sharp regulatory scrutiny of a company’s cybersecurity risk management and impose significant additional costs. Companies should take a fresh look at both their cyber defenses and their incident response plans to ensure that both are appropriate for today’s exposures.
Talk to Gallagher about how to defend yourself against ransomware attacks and how to reduce their costs. You can also watch Gallagher’s webinar on “Managing the Ransomware Crisis: Critical Steps to Take Right Now,” here.
