August 27, 2020
Ransomware attacks are on the rise, and the potential business interruption and remediation costs can be astronomical. Companies often find themselves in a bind because there is no guarantee that paying the ransom will result in getting back stolen data, nor will it guarantee protection from future breaches. On the other hand, companies may conclude that paying off the hackers will ultimately be the least costly option.
And while companies typically fixate on the immediate threat to themselves, they may fail to realize that this kind of attack can have much more far-reaching effects – including shifting terms and costs of coverage.
The Blackbaud Case
The software company Blackbaud provides fundraising technology for a number of businesses and nonprofits. When it was hit by a ransomware attack earlier this year, it had to alert a number of those organizations that hackers had accessed donor data. According to the National Law Review, Blackbaud offered the hackers an undisclosed amount in payment and in return received confirmation that the stolen data had been destroyed. While Blackbaud expressed confidence that no sensitive information, such as Social Security or credit card numbers, was accessed by the hackers, the organizations affected were unsure of what to do. Many of Blackbaud’s customers were unprepared for this type of breach and hadn’t factored it into their insurance purchasing decisions or incident response planning.
This attack and other recent ransomware attacks illustrate the important fact that, even if you have a good cybersecurity in place, outside vendors that hold your data may not. A company like Blackbaud provides services to thousands of businesses, putting all of those organizations and their clients at risk in the event of a cyber breach. In a networked world, the tentacles just reach out further and further.
The Ripples that Challenge the Market
Cybersecurity is still a relatively new, though quickly evolving field, and clients seeking cyber insurance do not necessarily understand the process of incident response and recovery. They may think it’s a case of simply resetting passwords, insurance paying the ransom, and everyone moving on with their lives. Not exactly. Every stage of remediation and recovery comes with costs, and if outside vendors are involved, underwriters have even more regulations to sift through.
Insurers face unexpected costs as well. Instead of covering a policy claim for one company, the insurer could be responsible for paying the claims of thousands of their client’s clients who were all affected by the same breach. This is one of the reasons that the cyber insurance market is experiencing challenges.
Companies need to be looking into partners and vendors with the same due diligence that they would use to scrutinize their own IT infrastructure and cybersecurity providers, to ensure they are well positioned should something happen to an organization with which they’re connected. In this new age of cyberattacks, this level of preparedness is a necessity, especially for smaller businesses that may lack financial resiliency in the aftermath of an attack.
If a vendor is hit by a ransomware attack and loses your data in the process, it’s possible that neither the vendor, nor its insurer, would be obligated to pay for the damages. When you outsource your cybersecurity to firms that access to customers’ or employees’ and personal data, you are not also outsourcing the risk involved – that is increasingly on you, so you should make sure you are not doubling it.
Want to learn more?
Find me on LinkedIn, here.
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
Email me directly at rrosenzweig@risk-strategies.com.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.