Answering the WannaCry wake-up call

Credit to Author: Selena J. Linde, T. Markus Funk, Todd M. Hinnen and Jonathan G. Hardin | Date: Tue, 30 May 2017 04:35:00 -0700

The widespread WannaCry attack demonstrated the acute vulnerability of computer systems to ransomware attacks. There is no reason to think that larger, more sophisticated attacks aren’t already being planned — the perpetrators of WannaCry reportedly profited handsomely — and companies that have not assessed and addressed the risk posed to their systems by such attacks may remain vulnerable.

Companies can take prophylactic steps to protect their systems against ransomware, focusing on improving data security hygiene, establishing effective governance and raising employees’ awareness of the threat.

Patched systems have a better chance of avoiding the consequences of an attack. Before WannaCry struck, Microsoft had released a security update in March that addressed the Windows vulnerability exploited by the ransomware in May, and it released additional security patches after the attack. In a statement released on May 12, Microsoft said, “Those who are running Microsoft’s free antivirus software or have Windows Update enabled are protected. Given the potential impact to customers and their businesses, Microsoft released updates for Windows XP, Windows 8, and Windows Server 2003.”

Companies can improve their security posture tremendously if they review their in-service software and replace out-of-date software that is no longer supported by the developer.

They should also implement strong IT policies and procedures, including:

As the U.S. Department of Homeland Security stated on May 12: “Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school.”

Many people are simply not aware of the ubiquity of threats. IBM estimates that ransomware is present in 40% of spam emails. A study done by Nuix showed that 84% of hackers utilize social engineering while carrying out their attacks. Ransomware is most commonly spread through attachments in emails (.pdf, .doc, etc.).

Education of company personnel — impressing on them the importance of not clicking on unfamiliar links, continually reviewing security policies with all employees and training employees on how to recognize and prevent phishing — goes a long way toward preventing breaches.

Of course, even companies that have taken all of these precautions can still be hit by a ransomware attack. What do you do if that happens?

If you have not identified a law enforcement point of contact in your incident-response plan, contact your local FBI field office directly (www.fbi.gov/contact-us/field provides a list of offices by location) or file an online complaint with the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov. Regardless of the option you choose, be prepared to provide the following information:

Many policies within your company’s insurance portfolio may respond to a ransomware attack. Below are examples of insurance coverage your company may have to help with ransomware losses and tips for policyholders to maximize all available insurance:

Policyholders should not be discouraged when policy exclusions initially appear to preclude coverage. The case law in this area is still in its infancy, insurance case law varies by state, and many policies contain ambiguous language that should ultimately be construed in favor of coverage. If in doubt, notify your carriers.

Once you have determined which policies will respond to your loss, provide the carrier with prompt notice in accordance with the requirements of the language in the particular insurance policy. Each policy’s notice section may require different information or a different method of delivery. If the information you are required to disclose is sensitive, you can provide broad notice, explaining the sensitivity of the information and requesting that the carrier sign a nondisclosure agreement before you send the sensitive details.

Every policyholder needs to be careful in explaining how the ransomware attack occurred, what happened in the aftermath, and what steps the company is taking to prevent future attacks. What is communicated to the carrier may be the difference between having a claim covered versus having it denied.

Maintain a single cohesive message with insurers and your broker by identifying a single point of contact in your company who will communicate with the insurance companies and broker, along with outside counsel, throughout the life of the claim. This is usually the risk manager or in-house counsel.

One mistake companies often make is not carefully managing the forensic consultant’s scope of work. The work should be limited to determining how the attack occurred, restoring the computer system and files, and, if necessary, determining how your company’s computer system was breached. Expanding the forensic consultant’s work beyond the specific details of the current fraud could produce information your insurance carrier could use to deny your claim or even rescind your policy.

Maximizing your insurance coverage is not easy. Taking the steps above is a great start, but in complex or expensive claims, your company should hire outside insurance recovery counsel to help navigate the coverage. Outside coverage counsel works with risk managers and in-house legal counsel to ensure that a policyholder meets its reporting obligations without compromising any potential coverage. When multiple policies respond, the policyholder may be faced with strategic decisions. Are there applicable “other insurance” provisions within the potentially responsive policies that dictate which policy is primary and which is excess? Do the policies allow the policyholder to choose which policy responds first? Experienced coverage counsel can assist your company in parsing out which coverage exists and your company’s best path to obtaining a total recovery.

Selena Linde is a partner in Perkins Coie’s Insurance Recovery Practice. She can be reached at slinde@perkinscoie.com. Markus Funk, who served with the U.S. Attorney’s Office in Chicago and the U.S. State Department in Kosovo, is the firmwide chair of Perkins Coie’s White Collar & Investigations Practice. He can be reached at mfunk@perkinscoie.com. Todd Hinnen, who served as the acting assistant attorney general for National Security at the U.S. Department of Justice, is a partner in Perkins Coie’s Privacy & Security Practice. He can be reached at thinnen@perkinscoie.com. Jonathan Hardin is a counsel in Perkins Coie’s Insurance Recovery Practice. He can be reached at jhardin@perkinscoie.com. This article was adapted from a May 15, 2017, Perkins Coie Update, “Ransomware: How to Avoid It and What to Do If You Have Been Hit.”