The recent Colonial Pipeline cyber attack should act as a ‘wake-up call’ for businesses to better prepare for this emerging risk – and brokers are fundamental in laying risk mitigation groundwork

By Editor Katie Scott

The tug of war between cyber criminals and the corporate world has once again gained media attention this week as US fuel pipeline network Colonial Pipeline fell victim to a cyber attack last Friday.

As a result of the attack, which saw cyber criminal gang DarkSide breach the organisation’s computer networks, 5,500 miles of pipeline was shut down, according to The Guardian and the BBC – this carries 45% of the east coast’s fuel supplies, such as gasoline, diesel and jet fuel, and travels through 14 southern and eastern US states.

The Washington Post reported that the attack included ransomware – this is a form of malware used by cyber criminals to encrypt their target’s data. They typically then demand a ransom payment in exchange for restoring access to the data.

The payment of these types of ransoms is a thorny issue for those in the insurance industry dealing in cyber cover – many insurance businesses find themselves between a rock and a hard place for wanting to put customers back in the position they were in prior to attack by paying the ransom, yet not wanting to perpetuate and boost cyber crime.

Shannan Fort, head of cyber at broker McGill and Partners, said cyber ransoms can often run into “tens of millions of dollars”.

Speaking on the Colonial Pipeline case, she said: “While Colonial will be working around the clock to remove this ransomware from their systems, the organisation will likely be left with two options.

“Either work to clear this ransomware from all their systems - a complex, costly process which could take weeks. Or pay the ransom – however with payment, there is no guarantee that the systems, including their data, will be fully restored.

“While we don’t know what [the criminals are] demanding, cyber ransoms can run into the tens of millions of dollars - and they are often paid.”

With the pipeline still out of action at time of writing (11 May 2021), it is understandable that simply paying the ransom may be becoming an increasingly attractive option, especially considering the scale of the attack’s impact.

The debate around paying cyber ransoms arose during an Insurance Times webinar back in March, sponsored by CGI.

Here, Neil Arklie, head of cyber insurance at Aviva, said the payment of cyber-related ransoms by insurers is often considered “contentious” and poses “a very difficult dilemma” for cyber insurance firms.

This is because failing to pay cyber criminals’ ransoms could potentially lead to the targeted business closing, which contradicts insurers’ main ambition of putting their policyholders back in the position they were in prior to the insured event or incident.

In the aforementioned webinar, Mark Hawksworth, global technology specialist practice group leader at Sedgwick, explained: “I’ve had businesses where if that ransom isn’t paid, the business will go under and therefore the owners of that business, if there’s no cover under the policy, have still taken that decision to make that ransom payment.”

Arklie added: “It’s a real tough one and I’m not saying it’s not a hard decision but we’re trying to make sure our customers survive after a particularly unpleasant incident.”

There’s no easy answer here. Business owners themselves as well as the cyber criminals could be pushing for the ransom payment to be made, leaving insurers providing cyber cover in the tight spot of deciding whether to pay up or not.

Arklie noted that this process requires due diligence and checking whether the cyber gang in question are “honourable thieves” who will keep to their side of the bargain.

Better safe than sorry

The main issues as I see them are that cyber insurance penetration is still relatively low, meaning the majority of businesses are unable to benefit from the cover’s risk management and response services – CFC Underwriting’s cyber development leader Lindsey Nelson said “only 15% of businesses are actually buying the coverage”, for example.

Secondly, it comes down to how seriously businesses are taking cyber risks and the associated recommended risk mitigation steps. Never has the adage ‘better safe than sorry’ been more true, especially as the uptick in digital and remote services since the onset of the Covid-19 pandemic could make the cyber attack scene more lucrative and opportunistic for criminals.

It comes down to education – something brokers have a fundamental role in. Cyber is undoubtedly an emerging, non-tangible risk that is not going to go away – it can only grow as we become more technologically advanced and adopt more digital practices across our workplaces and businesses.

In relation to cyber attacks, prevention is definitely better than cure and this should be something that brokers are tackling head on with their commercial clients. Better risk management should lead to a reduced number of successful cyber attacks, which in turn should mean less insurers stressing over the ethics of paying cyber ransoms.

Fort continued: “[Colonial Pipeline] should be a wake-up call to organisations all over the world, many of whom are not prepared enough for a similar event.

“Cyber attacks aren’t going away. Cyber criminals keep evolving and this means organisations will keep facing huge disruption unless they take real preventative and mitigative measures.

“There is a clear correlation between being prepared for these sorts of attacks and having to pay ransoms. The more prepared a company, for example with detailed data back-up and continuity measures, the less likely they are to be forced into paying.”