Canadian Underwriter

Why brokers need to talk about ransomware

November 28, 2018   by Jason Contant

Print this page Share

Ransomware attacks are increasing, and as a result, there will likely be a shift in brokers and clients alike starting to recognize the value of the business interruption component of a cyber insurance policy, a specialist insurer said Monday.

“Cybercrime and theft of funds is still largely our largest source of claims by frequency on the business interruption side as a result of ransomware,” said Lindsey Nelson, international cyber team leader with CFC Underwriting. Privacy breaches as a result of a hack constitute only 12% of the insurer’s claims activity.

While cyber discussions often revolve around privacy, ransomware attacks appear to be on the upswing. Think about the cyberattacks on the Ontario municipalities of Wasaga Beach and Midland earlier this year, and the recent one in Mekinac, Que. in which the region’s servers were reportedly disabled for about two weeks.

“So, the costs that are incurred with municipalities are things that people don’t actually spend too much time selling cyber on,” Nelson said in an interview. “It’s all those system damage and rectification costs when systems go down and people have to wipe their servers completely clean as a result of ransomware. It’s the cost to rebuild those systems from scratch.”

Nelson calls ransomware the exact opposite of a privacy breach because it locks data so that nobody can see it rather than accidentally disclosing it to somebody who should not be viewing it. “Municipalities who historically have poor IT systems and risk management in place because of their constrained IT budgets, are now experiencing falling victim to these ransomware attempts.”

Professional firms – law, accounting, property management and engineering – are about 60% of cyber buyers in CFC’s portfolio. One of the insurer’s property management firm clients fell victim to a ransomware attack. The firm was creating financial reports for their clients on a monthly basis. But due to the attack, they had to manually create the reports, creating errors. “That ended up experiencing a drop-off in their customers over a 12-month indemnity period.”

It used to be a ransomware attack was more financially motivated, but “we’re seeing a shift away from the financial motivation towards just destructive in their nature so that even when people do pay the ransom, they’re not able to get the decryption key back,” Nelson reported. “The intent is solely to ensure their systems go down and they suffer system damage loss.”

Criminals are even taking a “spray-and-play” approach whereby they don’t know who they are targeting. “They are targeting everybody en masse and, as a result, they are not able to specifically correspond with the victims.”

Some criminals are not even aware of how to properly conduct a ransomware attack. “So, what happens is they end up conducting ransomware incorrectly, or they forget about it altogether once they’ve encrypted somebody’s files,” Nelson said. “So, when somebody does go to pay the ransomware amount, they don’t know how to give the decryption key back or the ransomware simply doesn’t work. That’s where we get systems damage losses as well, where… clients ultimately end up having to wipe their serves completely clean in order to get rid of that ransomware and restore their operations and getting running as a business again.”