Cyber Insurance and Ransomware

National Cyber Security Seminar Final Paper

Re-engineering Cyber Insurance to combat Ransomware attacks. Test Case: American Colonial Pipeline 2021

Ifedotun Ogundipe

4299 Words
Introduction

Ransomware attacks and their attendant consequences have gained increased notoriety over the past few years. Newsfeeds all over the world are buzzing with various cases of these attacks and the effect they have in a real-world sense. From small-scale attacks that target businesses to attacks on critical infrastructure, one thing is clear: these attacks are not slowing down and are only going to increase in severity. Ransomware attacks increased 485% in 2020 globally,[1] accounting for nearly one-quarter of all cyber incidents, with total global costs estimated at $20 billion.[2] Although this trend predates the Covid-19 pandemic, the spread of the virus has emboldened cybercriminals. Poor security protocols, compounded by employees working from home, are partly to blame for this rise in attacks. Ransomware attacks that threaten to release stolen data are rising and accounted for 77% of total attacks in 1Q21. This has driven up the cost of ransomware attacks, with the average ransom payment in 1Q21 being $220,298, up 43% from 4Q19.[3]

Many industry and policy experts have decried cyber insurance, claiming it incentivizes attackers to be more brazen and request higher ransoms, as they are sure of getting paid because companies have insurance cover that transfers the risk to the insurance companies. While this is true, that's just one side of the coin. My focus in this paper is how cyber insurance can be re-engineered to better deal with the scourge of ransomware.

[1] 2020 Consumer Threat Landscape Report, https://www.bitdefender.com/files/News/CaseStudies/study/395/Bitdefender-2020-Consumer-Threat-Landscape-Report.pdf
[2] Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031, David Braue, June 3, 2021. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/
[3] Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound, April 26, 2021. https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
In this paper, I will be discussing what ransomware attacks are and how they have become an existential threat to businesses and critical infrastructure, using the Colonial Pipeline attack as a case study. I'll also discuss the ineffectiveness of cyber insurance, as it is currently structured, in dealing with the issue. Finally, I'll be making some business and policy recommendations on how cyber insurance can be re-engineered to provide pre- and post-incident coverage for businesses, with the aim of better securing cyberspace.
Theoretical Part (Securitization and Public-Private Partnerships)

Ransomware and other cyber-attacks have led to the rapid securitization of cyberspace on government agendas worldwide. The creation of the Cybersecurity and Infrastructure Security Agency (CISA) on November 16, 2018 by then-US President Donald Trump and the creation of the unified Israel National Cyber Directorate (INCD) in 2017 attest to this. Although both the United States and Israel are regarded as early adopters in cyberspace, and each already had various cyber units under their established security agencies or the Prime Minister's office, the need for a stand-alone body to address all cyber security issues arose due to growing threats and the consequences if those threats are realized. Governments cannot solve these problems alone; this brings into focus public-private partnerships in further securing cyberspace.

As in the case of Colonial Pipeline Inc., a private business entity controlling critical infrastructure, we see that a public-private partnership helped to mitigate the consequences of the ransomware attack on the business entity and on society itself. The FBI recovered a significant sum from the ransom paid, the Department of Energy coordinated with other agencies to mitigate the effect of the attack, and Mandiant, Dragos and Black Hills Infosec worked on investigating the attack and recovering the data lost because of it.

The structure of public-private partnerships in dealing with cybersecurity still needs to be fully developed; as the case of Colonial Pipeline showed, there is no agreement on who takes the lead after a cyber-attack has been discovered. Brandon Wales, Acting Director of CISA, said in testimony before the Homeland Security and Governmental Affairs Committee that he didn't think Colonial would have reached out to CISA if the FBI hadn't alerted his agency. Joseph Blount, CEO of Colonial Pipeline, in his testimony before the same Committee, said he didn't see the need to, as the FBI had informed Colonial that CISA and other agencies would be briefed and put on a call to discuss a response.
There needs to be a playbook on how to deal with these issues: which agency takes the lead and bears responsibility for accurate and timely information dissemination in response to a cyber-attack. As it stands in Israel, the National Cyber Directorate takes the lead on cyber-attacks and even has a 24/7/365 toll-free number to report these attacks.
Definitions

Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, and now even millions, payable to cybercriminals in cryptocurrency. In recent years, ransomware incidents have become increasingly prevalent among the Nation's state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.[4]

The modern ransomware craze began with the WannaCry outbreak of 2017.[5] This large-scale and highly publicized attack demonstrated that ransomware attacks were possible and potentially profitable. Since then, dozens of ransomware variants have been developed and used in a variety of attacks. In previous ransomware attacks, individual companies may have lost data, but the greater public was largely immune to the effects. In some cases, customer data may have been compromised, some people would have had to change their passwords, and victim companies may have taken a financial loss, but that was the extent of the impact. The Colonial Pipeline ransomware attack has pushed the issue up the securitization agenda of the US government and other western nations, as it shows how such attacks have real-world consequences and can destabilize a society, with a state of emergency declared to contain the fallout of the attack.

[4] https://www.cisa.gov/stopransomware/ransomware-101
[5] https://www.kaspersky.com/resource-center/threats/ransomware-wannacry
In order to be successful, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim. While the implementation details vary from one ransomware variant to another, all share the same three core stages.

- Step 1. Infection and Distribution Vectors

Ransomware, like any malware, can gain access to an organization's systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors. One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer. Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee's login credentials via social engineering can use them to authenticate and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control. Others may attempt to infect systems directly, as WannaCry did by exploiting the EternalBlue vulnerability. Most ransomware variants have multiple infection vectors.

- Step 2. Data Encryption

Upon gaining access to a system, the ransomware can begin encrypting its files. Since encryption functionality is built into an operating system, this simply involves accessing files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. Most ransomware variants are cautious in their selection of files to encrypt, to ensure system stability. Some variants will also take steps to delete backup and shadow copies of files to make recovery without the decryption key more difficult.

- Step 3. Ransom Demand

Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement this in numerous ways, but it is not uncommon to have the display background changed to a ransom note, or text files containing the ransom note placed in each encrypted directory. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim's files. If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal) that can use it to reverse the encryption and restore access to the user's files.

While these three core steps exist in all ransomware variants, different ransomware can include different implementations or additional steps. For example, ransomware variants like Maze[6] perform file scanning, registry information collection, and data theft before data encryption, and the WannaCry ransomware scans for other vulnerable devices to infect and encrypt.
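The three stages above describe what the malware does to a host; the Python script below, added here as an illustration and not part of the original paper, shows what a defender can look for at each of them: byte entropy to spot files that have been replaced by ciphertext (Step 2), process-creation events that delete shadow copies (Step 2), and ransom-note files dropped into directories (Step 3). All file contents, paths and log lines are constructed inline so the script runs offline; the thresholds, the filename patterns and the alert rule are assumptions made for this demo, not any vendor's detection logic.

```python
"""Heuristics for spotting the three ransomware stages described above.

Added example, not from the paper. It runs over constructed in-memory data so
it can be executed offline; a real deployment would read files from disk and
pull process-creation events from the EDR or SIEM. Checks implemented:
- Step 2 (encryption): Shannon entropy close to 8 bits/byte marks a file as
  probably encrypted; several such files in one directory is a strong signal.
- Step 2 (backup deletion): process logs mentioning shadow-copy deletion.
- Step 3 (ransom demand): ransom-note-like text files dropped next to the data.
"""
import hashlib
import math
import os
import re
from collections import Counter

HIGH_ENTROPY = 7.5          # bits per byte; compressed or encrypted data sits near 8.0 (assumed threshold)
MIN_ENCRYPTED_FILES = 3     # burst size before entropy alone raises an alert (assumed)
RANSOM_NOTE_RE = re.compile(r"^(readme|restore|recover|decrypt|how_to|help).*\.(txt|html?)$", re.I)
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Tiny files are skipped: their entropy estimate is too noisy to trust."""
    return len(data) >= 64 and shannon_entropy(data) >= HIGH_ENTROPY


def is_ransom_note(path: str) -> bool:
    """Filename heuristic for the note ransomware drops in each encrypted directory."""
    return bool(RANSOM_NOTE_RE.match(os.path.basename(path)))


def scan_directory(files: dict) -> dict:
    """files maps path -> content. Returns the findings plus an overall verdict."""
    encrypted = [p for p, data in files.items() if looks_encrypted(data)]
    notes = [p for p in files if is_ransom_note(p)]
    ratio = len(encrypted) / len(files) if files else 0.0
    alert = bool(notes) or (len(encrypted) >= MIN_ENCRYPTED_FILES and ratio >= 0.5)
    return {"encrypted": encrypted, "ransom_notes": notes,
            "encrypted_ratio": round(ratio, 2), "alert": alert}


def scan_process_log(lines) -> list:
    """Return log lines whose command line deletes volume shadow copies."""
    return [line for line in lines if SHADOW_DELETE_RE.search(line)]


# --- constructed sample data -------------------------------------------------
# Deterministic pseudo-random bytes stand in for ciphertext (a hash chain, not a cipher).
ENCRYPTED_SAMPLE = b"".join(hashlib.sha256(b"demo" + i.to_bytes(2, "big")).digest() for i in range(128))
PLAINTEXT_SAMPLE = b"Quarterly pipeline throughput report: 3,000,000 barrels per day.\n" * 60
SAMPLE_FILES = {  # constructed directory listing: three files replaced by ciphertext, one note, one untouched
    "docs/budget.xlsx.locked": ENCRYPTED_SAMPLE,
    "docs/contracts.docx.locked": ENCRYPTED_SAMPLE[::-1],
    "docs/schedule.pdf.locked": ENCRYPTED_SAMPLE[1024:] + ENCRYPTED_SAMPLE[:1024],
    "docs/README_FOR_DECRYPT.txt": b"Your files have been encrypted. Contact us for the key.\n",
    "docs/notes.txt": PLAINTEXT_SAMPLE,
}
SAMPLE_LOG = [  # constructed process-creation events; only the second one is a backup-deletion signal
    "2021-05-07T03:12:09Z host=fs01 user=svc_backup cmd=backup.exe --incremental",
    "2021-05-07T03:14:41Z host=fs01 user=jdoe cmd=vssadmin.exe delete shadows /all /quiet",
    "2021-05-07T03:15:02Z host=fs01 user=jdoe cmd=notepad.exe README_FOR_DECRYPT.txt",
]

if __name__ == "__main__":
    print(scan_directory(SAMPLE_FILES))
    print(scan_process_log(SAMPLE_LOG))
```

The entropy check on its own produces false positives on formats that are already compressed (zip, jpeg, pdf streams), which is why the verdict combines it with the ransom-note and backup-deletion signals and with a burst threshold; tuning those against an organisation's own file mix is exactly the kind of work the security operations center recommended later in this paper would do.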
TEST CASE: COLONIAL PIPELINE ATTACK

What happened to Colonial Pipeline?

On Friday, May 7, 2021 Colonial Pipeline reported that a cyber attack forced it to proactively close down operations and freeze IT systems after becoming the victim of a ransomware attack from a group identified as DarkSide. It was a significant event and one that affected gas availability and prices on the entire east coast of the U.S., if not larger parts of America. This attack left about 16,000 gas stations without fuel. The Colonial Pipeline is the largest pipeline system for refined oil products in the U.S., consisting of two massive pipelines that are 5,500 miles long. Colonial Pipeline is capable of transporting three million barrels of fuel per day between Texas and New York and supplies nearly half of the East Coast's fuel – more than the entire fuel consumption of Germany. The shutdown caused millions of people to scramble to quickly fill their tanks. In some places gas prices experienced a significant increase, in many locations well over the $3 threshold, and many stations were running low or ran completely out of gas. As we've seen before, this type of incident could be the first domino to fall and could potentially impact consumer confidence and even the entire U.S. economy.

[6] https://www.kaspersky.com/resource-center/definitions/what-is-maze-ransomware
There are few concrete details on how the cyber attack took place, and it is likely that this will not change until Colonial Pipeline and its investigative partners and experts have concluded their analysis and made their findings public. Speculation in the cyber world suggests that the company's network was accessed due to a compromised Virtual Private Network (VPN) password. According to cyber security firm Mandiant, which is leading the investigation, the VPN account did not use multi-factor authentication, which allowed the hackers to access Colonial's network with a compromised username and password. It's unclear how the hackers discovered the username or were able to figure it out independently. The password was discovered among a batch of passwords leaked on the dark web, Bloomberg reported.

This attack happened at the intersection of two trends. The first is the digitization of industrial monitoring and control systems, using software and hardware falling under the umbrella term "operational technology" (OT). This highlights the ever more interconnected nature of IT systems and OT networks. The same connectivity that gives organizations access to telemetry, safety, and productivity data also provides a vector for cyber attacks. The second trend is the growing realization among cybercriminals that ransomware can result in a quick payoff. Instead of long-term malware campaigns where hackers may have to sell customer data to a third party after months of mucking around in a corporate network, a successful ransomware attack can pay off in a matter of days.

In his testimony to the Homeland Security and Governmental Affairs Committee of the United States Congress, Joseph Blount, CEO of Colonial Pipeline Co., said he authorized the ransom payment of $4.4 million due to the societal consequences of the attack. In his defense, he told the Wall Street Journal that company executives were unsure how badly the cyber attack had breached its systems and, consequently, how long it would take to bring the pipeline back online. He further reiterated that it was an option he felt he had to exercise, given the stakes involved in a shutdown of such critical energy infrastructure. In return for the payment, made in Bitcoin, the company received a decryption tool to unlock the systems that the hackers had penetrated. While it proved to be of some use, it wasn't enough to immediately restore the pipeline's systems. The pipeline wound up being shut down for six days, and this increased gas prices to the highest levels in close to 7 years and left 16,000 gas stations without fuel.
This attack was attributed to DarkSide, an Eastern European group of cybercriminals who first surfaced on Russian-language hacking forums in August 2020. DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide has claimed to be apolitical, targeting only wealthy organizations, and forbids affiliates from carrying out ransomware attacks on organizations in several industries, including healthcare, funeral services, education, the public sector and non-profits. Like other ransomware platforms, DarkSide adheres to the cybercriminals' best practice of double extortion, which involves demanding separate sums: one for a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy, and not sell on the dark web, any data stolen from the victims. The group displays a high level of sophistication, having introduced a "call service" innovation that was integrated into the affiliate's management panel, which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly. It also announced a new capability for affiliates in mid-April to launch distributed denial-of-service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.

Fortunately, due to the hard work of the FBI and Department of Justice, $2.3 million worth of bitcoin out of the $4.4 million ransom was recovered. According to reports by Business Insider, the FBI had what was effectively the password to a bitcoin wallet that DarkSide had sent the money to, allowing the FBI to simply seize the funds.[7] This shows that collaboration with law enforcement agencies is vital in dealing with ransomware, as this might have been impossible for a private entity due to the opaque nature of Bitcoin operations.
Discussion

As seen in this case, most companies hit with ransomware attacks usually inform private cybersecurity firms first rather than law enforcement. These firms are usually hired to try to break the encryption, carry out hack-backs (offensive cyber-attacks) against the perpetrators and try to salvage or recover data. It's a popular practice that's gaining more prominence, with two members of the Senate Finance Committee introducing a bipartisan bill that instructs the Department of Homeland Security (DHS) to study the "potential consequences and benefits" of allowing private companies to hack back following cyberattacks. The draft Study on Cyber-Attack Response Options Act[8] tells DHS to study "amend[ing] section 1030 of title 18, United States Code (commonly known as the Computer Fraud and Abuse Act), to allow private entities to take proportional actions in response to an unlawful network breach, subject to oversight and regulation by a designated Federal agency." But this is neither the solution nor an appropriate response, as it only deals with the post-incident side of cyber-attacks.

[7] The FBI recovered a huge chunk of the Colonial Pipeline ransom by secretly gaining access to DarkSide's bitcoin wallet password, Tyler Sonnemaker, June 8, 2021 6:34 AM. https://www.businessinsider.com/fbi-used-hackers-bitcoin-password-to-recover-colonial-pipeline-ransom-2021-6
According to a report by Reuters, Colonial Pipeline had cyber-insurance arranged by broker Aon (AON.N), with Lloyd's of London insurers AXA XL (AXAF.PA) and Beazley (BEZG.L) among the underwriters, and the cover was estimated to be at least $15 million.[9] The costs associated with recovery from a ransomware attack are enormous. They include direct costs such as the ransom payment, a ransomware negotiator, hiring a cybersecurity firm to recover data and systems, hiring a PR firm, and legal fees to deal with liabilities, and indirect costs such as enforced downtime (business interruption costs are often five to ten times higher than direct costs), reputation loss, liability, collateral damage, and data loss. High net worth companies are usually on the radar of cyber attackers, as they almost certainly guarantee a huge pay day; this is not to say that small and medium-sized enterprises (SMEs) are left out of such malicious attacks. Most of these businesses do not have the required technical and financial capacity to bounce back from the effect of such attacks, which can leave them bankrupt. An Arkansas-based telemarketing firm sent home more than 300 employees and told them to find new jobs after IT recovery efforts didn't go according to plan following a ransomware incident that took place at the start of October 2019.[10] Employees of the Sherwood-based telemarketing firm The Heritage Company were notified of the decision just days before Christmas, via a letter sent by the company's CEO. Incidents like this rarely make the news due to the size of the firm.

[8] https://www.daines.senate.gov/imo/media/doc/ALB21A63.pdf
[9] Colonial Pipeline has cyber insurance policy - Reporting by Carolyn Cohn; editing by David Evans, May 13, 2021 4:54PM. https://www.reuters.com/business/energy/colonial-pipeline-has-cyber-insurance-policy-sources-2021-05-13/
[10] Company shuts down because of ransomware, leaves 300 without jobs just before holidays. Catalin Cimpanu, January 3, 2020, 14:42 GMT. https://www.zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holidays/
The rapid digitalization of public and private entities and the automation of operations have further exposed them to cyber risks, one of which is ransomware. The cybersecurity capabilities of most of these entities have failed to keep pace with the accelerated digital transformation and increased remote working trends, leaving them more susceptible to cyber attacks. Cybersecurity technology is changing rapidly to meet today's cyber threats; effective cybersecurity now typically uses AI-infused solutions and extensive cyber-expertise. But there is a worldwide skills shortage in cybersecurity, with 4.1 million unfilled positions in November 2019 according to the International Information System Security Certification Consortium. The Covid-19 pandemic has also highlighted how cyber-naïve remote workers need security awareness training in order to thwart attacks. Attackers often consider the interface between the system and the user to be the weakest point in a company's security. 93% of data breaches in 2020 were caused by employee negligence, according to an Egress Insider survey. About a third of the involved employees shared work data with personal systems, usually through attempts to work from home.

Rapid digitalization must be accompanied by strong security. Cybersecurity might be expensive, but entities should recognize that the financial and reputational risks and costs of data breaches are far worse. Legal risks abound as well. On October 1, 2020 the US Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory[11] informing of potential sanctions risks for making ransomware payments.
Cyber Insurance and Ransomware

Cyber insurance has been derided as contributing to the ransomware scourge. Ironically, the largest reported ransomware payout was from an insurance company, CNA Financial; according to a Business Insider report, this was estimated to be a whopping $40 million pay day for the cybercriminals.[12] Cyber insurance in its current form is unsustainable, as it only provides post-incident cover. It is not a silver bullet that will bring an end to ransomware or other cyber threats, but if well re-engineered, with proper regulatory and government policies in place, it can go a long way to mitigate the resulting fallout that business and government entities face after suffering an attack.

Cyber insurance is a form of insurance designed to protect a company against damages caused by cybersecurity threats. Among these threats are data breaches, hacks, DDoS, malware and ransomware. Cyber insurance is also referred to as cyber risk insurance, cyber liability insurance, or cybersecurity insurance. Dedicated cyber insurance policies first emerged in the 1990s to fill gaps in traditional property and casualty products. They grew as businesses became dependent on computer networks and the internet; they have evolved, but not fast enough to keep up with the cyber threats out there. Although products lack standardization, common features include: coverage for first- and third-party exposures; business interruption; third-party liabilities; data and software loss; cyber extortion; and regulatory notification costs.[13]

Cyber insurance market challenges persist, and some include:

- Pricing of products: to effectively put a market-worthy price on this, insurance companies have to be able to quantify the risk emerging from a ransomware attack, and that's difficult for a few reasons, e.g. the level of uncertainty in estimating expected losses (quantifiability), the size of expected losses (economic viability) and the diversity of the pool of risks covered (limited correlation). The difficulties in quantifying a relatively new (and fast evolving) risk, and the potential for significant correlation across insureds (accumulation risk), are the most critical challenges in underwriting cyber risk.

- Limited availability or uncertainty in the availability of reinsurance coverage: this is also a factor leading to a higher cost for coverage, as primary insurers may face limits on their ability to transfer risk to reinsurance markets (reinsurance companies face the same challenges in underwriting coverage).

- Limited availability of historical data: ransomware is a relatively new threat, and there is insufficient historical data to allow for accurate pricing of insurance premiums. This lack of data is exacerbated by the general unwillingness of victims of ransomware attacks to share information on these events and their impacts, for a myriad of reasons. Also, as ransomware attacks evolve at an alarming rate, information shared becomes obsolete faster than other insurance-related information.

A number of insurance companies also identified the lack of transparency about security practices, the volume of information required and inconsistencies in the information provided as obstacles to effectively providing coverage. This creates a risk of asymmetric information and adverse selection.

[11] https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_-_1.pdf
[12] https://www.businessinsider.com/cna-financial-hackers-40-million-ransom-cyberattack-2021-5, Brittany Chang, May 22, 2021, 6:47 PM
[13] Cyber Insurance and the Cyber Security Challenge, Jamie MacColl, Jason R C Nurse and James Sullivan, Royal United Services Institute for Defence and Security Studies
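The accumulation-risk point in the pricing bullet above is easiest to see numerically. The simulation below is an added illustration, not from the paper or from the RUSI report it cites: two pools of 200 insureds with identical expected loss per insured, one where attacks hit insureds independently and one with a common-shock "campaign year" (a worm like WannaCry, or a weakness shared across many insureds, such as VPN accounts without multi-factor authentication) in which most insureds are hit at once. The 99th-percentile annual loss, which sets the capital an insurer must hold and therefore the premium it has to charge, diverges sharply even though the expected loss does not. The attack probabilities, shock probability and pool size are assumed parameters chosen for the demo; the per-claim cost reuses the paper's 1Q21 average ransom figure of $220,298.

```python
"""Accumulation risk in a cyber insurance pool (added illustration, not from the paper).

Two portfolios of identical insureds carry the same expected loss, but in one of
them attacks are correlated: in a "campaign year" most insureds are hit at once.
The 99th-percentile annual loss diverges sharply even though the expected loss
does not. All parameters are assumptions for the demo except the per-claim cost,
which reuses the paper's 1Q21 average ransom payment.
"""
import random

N_INSUREDS = 200          # assumed pool size
P_ATTACK = 0.10           # assumed marginal probability that a given insured is hit in a year
SHOCK_PROB = 0.05         # assumed probability that a year is a campaign year
P_GIVEN_SHOCK = 0.80      # assumed hit probability for each insured in a campaign year
LOSS_PER_CLAIM = 220_298  # average ransom payment in 1Q21, figure taken from the paper
N_SIMS = 2_000            # simulated years per model


def simulate_annual_losses(n_insureds, p_attack, shock_prob, p_given_shock,
                           loss_per_claim, n_sims, seed=7):
    """Return a list of simulated aggregate annual losses for the pool.

    Common-shock model: with probability shock_prob the year is a campaign year
    and each insured is hit with probability p_given_shock; otherwise each is hit
    with a reduced "quiet-year" probability chosen so that the per-insured
    marginal probability is exactly p_attack. shock_prob=0 gives the fully
    independent model, so both pools have the same expected loss.
    """
    if shock_prob:
        p_quiet = (p_attack - shock_prob * p_given_shock) / (1 - shock_prob)
    else:
        p_quiet = p_attack
    if not 0.0 <= p_quiet <= 1.0:
        raise ValueError("shock parameters are inconsistent with the marginal probability")
    rng = random.Random(seed)
    losses = []
    for _ in range(n_sims):
        p_hit = p_given_shock if rng.random() < shock_prob else p_quiet
        n_hit = sum(1 for _ in range(n_insureds) if rng.random() < p_hit)
        losses.append(n_hit * loss_per_claim)
    return losses


def percentile(values, q):
    """Nearest-rank percentile on a sorted copy (q in [0, 1])."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarise(losses, n_insureds):
    """Expected loss, 1-in-100-year loss, and the per-insured premium that would fund it."""
    mean = sum(losses) / len(losses)
    var99 = percentile(losses, 0.99)
    return {
        "expected_loss": mean,
        "var99": var99,
        "premium_per_insured_99": var99 / n_insureds,
    }


def compare_models():
    """Independent pool vs common-shock pool with the same expected loss per insured."""
    independent = simulate_annual_losses(N_INSUREDS, P_ATTACK, 0.0, P_GIVEN_SHOCK,
                                         LOSS_PER_CLAIM, N_SIMS)
    correlated = simulate_annual_losses(N_INSUREDS, P_ATTACK, SHOCK_PROB, P_GIVEN_SHOCK,
                                        LOSS_PER_CLAIM, N_SIMS)
    return {"independent": summarise(independent, N_INSUREDS),
            "correlated": summarise(correlated, N_INSUREDS)}


if __name__ == "__main__":
    for name, stats in compare_models().items():
        print(f"{name:12s} expected loss ${stats['expected_loss']:,.0f}  "
              f"99th-pct loss ${stats['var99']:,.0f}  "
              f"premium/insured for a 1-in-100 year ${stats['premium_per_insured_99']:,.0f}")
```

The expected loss per insured is the same in both pools, so a premium set from historical averages alone looks adequate; it is the tail that differs, and the tail is what a reinsurer has to be willing to absorb. That is why the scarcity of historical data and the lack of transparency about insureds' security practices, both raised above, matter so much: without them an underwriter cannot tell how many of its insureds share the same single point of failure.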
In combating ransomware, cyber insurance should not only be about ransom payment and helping companies recover after the fact. It should also include pre-incident services that help to shore up defenses and reduce the risks of entities seeking cover. Proper cyber security measures should be put in place and incentivized by reduced premiums. Some ways in which cyber insurance can help with ransomware pre-incident include:

- Cyber Security Operations Centers (SOC): risk rating services and vulnerability scanning. Large entities should be required to have a 24/7/365 cyber security operations center (SOC); this will rate their preparedness for a ransomware event and upgrade their systems accordingly if any deficiency is found. This SOC can also carry out cyber threat intelligence services and open an information sharing line with law enforcement services to get up-to-date information on the threats out there. SMEs can sign on to a SOC-as-a-Service.

- Staff Training: human error accounts for about 93% of cyber attacks. Staff should be trained and retrained to always be security conscious and take proactive steps to avoid phishing and other means of infection, carrying out scenario-based exercises, which can be led by the SOC, and reports should be kept. This should also include password management solutions.

- Creating awareness on ransomware: ransomware thrives when there's no awareness of the level of damage it can cause. Insurance firms should create awareness on this in collaboration with cyber security firms and government agencies, as insurers bear the financial exposure if an attack is successfully carried out.
Some policy recommendations governments can carry out to further aid the protection of cyberspace from ransomware include, but are not limited to, the following:

- Creation of standalone agencies to deal with cyber security issues: this of course will include the ransomware threat. Countries like the USA have done this with CISA, and Israel with the INCD. These agencies will take the lead in monitoring the cyber threat arena and disseminate information to law enforcement, policy makers, and private businesses and entities; they will also develop incident response plans and monitor the simulation reports carried out.

- Governments should work with their respective finance or treasury departments to provide and monitor robust reinsurance funds for cyber risks; this will be done alongside other policies to strengthen the sector, since it's relatively new.

- Legislation should be enacted to mandate that companies take up cyber insurance, especially government contractors and entities who operate critical infrastructure.

- Legislation should also be enacted to enforce mandatory incident notifications to the agencies in charge of cyber security and law enforcement; this will help to reduce the low information levels currently experienced, and such information should be used to create awareness on ransomware. This will help reduce the PR liabilities of entities.

- Publicity campaigns on the ills of poor cyber hygiene should be carried out by the government; this will help reduce vulnerabilities in cyberspace.

- Diplomatic pressure should be put on countries who grant safe havens to cyber criminals, and the intelligence services should be active on the dark web in carrying out operations to bring down their servers and take down their pages, especially for those who operate Ransomware-as-a-Service.

These measures will not lead to the complete eradication of ransomware as a cyber security threat, but they can help the general public, business entities and government agencies to better prepare for and recover from attacks when they do occur. The cyber insurance market is relatively new and with time will come to maturity to deal with these threats, but it cannot be left alone to mature by itself; as cyber threats evolve daily, the market must also be boosted by such policies and initiatives to stay ahead of the threat curve, or even just to catch up, if possible.