Insurance footing the bill
Two Florida cities have been recent victims of cyber attacks that have cost their insurance companies collectively more than $1 million in ransom payments to get the seized data and paralyzed computer systems restored. A third town was also attacked but was able to get its computers operating again with no apparent data loss. This is part of a nationwide problem that a rapidly growing cyber insurance market is trying to keep up with.
On June 10, a Lake City employee opened an infected email, allowing a ransomware attack that immediately shut down the city’s computer system, including internet access and phones. A ransom demand for $470,000 followed when the computers were rebooted. In exchange, the city would receive a decryption key to regain access to its seized data and make its computer systems operate normally again. The city had insurance and the city council voted in late June to authorize payment, which included the city’s $10,000 deductible.
A month earlier in Riviera Beach, a ransomware attack shut down all of the city’s services, including the 911 center. Police had to write down 911 calls manually on pads of paper. A week later, the ransom demand was made directly to the city’s insurance provider, the Florida League of Cities. It agreed to pay the hackers $600,000, which included Riviera Beach’s $25,000 deductible.
Both cities’ payouts were made in Bitcoin, a cyber-currency that is difficult to trace and therefore the preferred method of cyber criminals. While the local officials acknowledged it was distasteful to essentially pay extortion, in both cases it was a less costly alternative to losing all of their data and non-printed records. A third town, the village of Key Biscayne, was also hit by a cyber attack in June, but reported that it managed to contain the damage and recover on its own.
The FBI discourages cyber attack victims from paying hackers, saying in a recent release that doing so “encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes.” The FBI says there were 1,493 ransomware attacks last year with victims paying hackers $3.6 million. Attacks against local governments are on the rise, including 200 attacks alone on Newark, N.J. and Atlanta, which together have paid out more than $6 million in ransom payments and suffered $30 million in computer systems damages.
In response, the cyber insurance market is growing rapidly but is still in its infancy. Cyber policies differ as there is no universal standard. The case law governing these policies is still evolving as well. Policyholders and their insurance companies have ended up in court in disputes over what was and wasn’t covered.
Guy Carpenter has published a thoughtful article on the growing exposure organizations face and their resulting challenges, Advancing Cyber Risk Management: From Security to Resilience. The best advice for you and your clients: back up your data using a separate off-site facility. More advice is available in these recommendations by the Department of Homeland Security.
LMA Newsletter of 7/15/19