Return to list of client alerts
The White House says it wants agencies across the federal government to prioritize disruption campaigns that are “so sustained, coordinated and targeted that they render ransomware no longer profitable.“
This is a great strategy and it could work, but it could also backfire if the targets are not prepared.
Take, for example, Colonial Pipeline. What if, instead of unleashing ransomware, which is pretty fixable even if it is painful, instead North Korea decided to, for example, damage the electric grid on a large scale.
Some people would say that the U.S. would consider this an act of war (which, by the way, if the government says that, might invalidate any cyber insurance coverage that companies have) and that is reasonable. Do we have the will to launch a kinetic response (as in say, dropping bombs) against North Korea? Maybe, but also, maybe not.
What if they did something a little less provocative, such as destroying data instead of holding it hostage.
Or just publishing the data very publicly.
I **assume** that the feds are game playing all of the possible reactions. While the feds have a significant amount of control of federal agencies to get ready for some possible retaliation, they have very limited ability to control what the private sector does. This is especially true since this is mostly about money and inconvenience. We can’t even get people to implement two factor authentication on a wide scale; imagine how hard it would be to get them to really harden things in a way that would stop a targeted attack by, say, North Korea or China.
While the White is asking federal agencies to get started on this, no one is going to force you to start this.
On the other hand, the risk management teams in the insurance underwriting departments might, in the next couple of years, “suggest” that you work on this.
Insurance underwriters, IF THEY CHOOSE TO, have two very effective tools that they can use.
One is that they can refuse to insure you if you don’t have certain security controls in place. I personally have seen that when a very large insurance underwriter sent a client of ours a love note saying they were scanning the client’s public IT infrastructure and found a problem. They said that if the client didn’t fix the problem they found, which they could not force the client to do, they would not renew this client’s insurance. No negotiation here. Fix it or no insurance.
The other is premiums. We have seen cases were premiums went up dramatically according to press reports – sometimes as much as 300% or 400% in one year. On the other hand, we have seen companies where their premium didn’t go up at all. The difference is the risk the underwriter perceives.
In general, cyber insurance has become harder to get, has more exclusions, demands that the customer enhance their security and is more expensive.
You can wait and see what happens. That is one option. Likely, it will not get any simpler.
Or you can become more proactive in fixing your situation.
This is your call and we are here to help. I do not suggest the first option. It likely will not turn out in a way that you like.
Credit: The Record