The hidden risks and costs of ransomware

Ransomware is on the rise. Organisations of all sizes are at risk, and finance departments are at the forefront of identifying and mitigating ransomware risks. However, that diligence comes with its own challenges. To help organisations identify the growing risks and cost of ransomware, we talk with Gerry Glombicki, CPA, director with Fitch Ratings insurance group, about how finance professionals should be approaching ransomware.

What you’ll learn from this episode:

• How organisations should be assessing their ransomware risk.
• How accountants and finance professionals should be preparing for ransomware attacks.
• How the growing risk of ransomware can cost organisations in unexpected ways.
• Why organisations should be thinking about cybersecurity across the organisation.
• The value of ransomware insurance.

Play the episode below or read the edited transcript:

To comment on this podcast episode or to suggest an idea for another episode, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.

---

Transcript:

Drew Adamek: Ransomware is on the rise. Every month seems to bring new headlines of massive attacks on businesses and governments. In May, a ransomware attack shut down America's largest fuel pipeline. In June, another crippled the world's largest meat processor. And in July, a single coordinated attack could impact over 1,000 businesses.

Finance departments need to prioritise preparing for and mitigating the significant risks of ransomware as it grows in scale and menace. Gerry Glombicki, a CPA and director in the insurance group at Fitch Ratings, recently co-authored a report on the growing risks and costs of ransomware.

I'm FM magazine senior editor Drew Adamek, and I recently spoke to Gerry about why accounting and finance professionals should care about ransomware, why internal communication and collaboration are key to managing cyber risk, and how CFOs and finance professionals should be thinking differently about cyber risk.

Gerry, thank you so much for joining us.

Gerry Glombicki: Thank you for having me.

Adamek: How significant is the threat of ransomware, and why should finance departments be paying attention to that threat?

Glombicki: So ransomware has grown quite significantly over the past year. In our Fitch Wire we cite that it's grown almost 500% year over year and that was according to Bitdefender. So it's definitely a growing financial risk and it's across all sectors and geographies. Basically, if you're connected to a network, you are at risk of being attacked, so it's really up to your network security to kind of prevent all attacks.

One of the interesting things too about ransomware or just cyber risk in general is the information security team has to be right all the time, 24 hours a day, seven days a week. If you just have one flaw, it just needs that one flaw for that bad guy to find it and exploit it and basically get you a very bad day.

Adamek: When you talk about IT departments needing to be prepared at all times, when you look out at the threat landscape, how prepared are organisations to deal not just with the threat of ransomware but cyberthreats in general?

Glombicki: It varies by company and it varies even within the companies. Information technology is what a lot of people associate with dealing with this risk, but information technology is a very broad department of which information security is a subsegment of that. So one of the things that's very important is something called endpoint security.

Endpoint security is basically all the devices that connect to the internet. That's my laptop. That's my cellphone that can actually connect in via its VPN to the actual company's email systems. It's the VPN on my laptop connecting to the systems. All of these things create entry points to the network, which is convenient to me, but also is a security risk to the company.

These are things that have to be secured, and they're secured by different people within the IT department. Within the IT departments and the company as a whole, they really need to talk to each other. Again, they just have to be wrong once for an attacker to actually find a way in.

And then just broadly speaking too, when you look at the risks of IT, it used to be done by someone who was kind of an overworked person in the IT department, and they just gave them the information security title. You started to see with some regulations increasing that you actually had to have a CISO — a chief information security officer — on staff and that you met certain requirements.

Now it's actually a dedicated response, and you're starting to see the boards starting to have dedicated information security and dedicated IT segments to themselves as well. So you're starting to see a lot more pickup and interest on this at both the corporate and executive level.

Adamek: Ransomware has been in the news a lot lately because of the recent pipeline shutdown, but are there other risks — not just business disruption — that ransomware poses?

Glombicki: Ransomware in particular is interesting because basically what happens is one day, you'll wake up to find that you don't have access to your systems. There's variance to this as well. As a matter of fact, I was reading from Emsisoft today. They were talking about how some of the threat actors are double encrypting your system. So they'll actually encrypt in once and then they might — they may encrypt half the system with one method and they may encrypt the other half with a different method.

They might actually encrypt it with the same method twice and make you pay twice. They could be just after certain files. They might just do a certain subsegment of your network. It causes basically a big business interruption and continuity risks, but also it matters if it's a risk to your supply chain.

So, for example, if you're looking for a vendor to supply you with something but their businesses are interrupted, that could impact you so you also have to pay attention not only to your risks, but the risks throughout the cyberattacks throughout your entire supply chain. That's something that a lot of organisations are really starting to realise.

Adamek: Where, in your opinion, should organisations be investing financially to help protect against cyber risk and things like ransomware?

Glombicki: One of the questions we often ask companies is, how much money do you spend from your IT budget in information security? It's a little bit of a tricky question to ask and answer because more dollars doesn't necessarily mean better. Conversely, least dollars doesn't mean worse.

What really matters is companies really have to take a holistic view. A lot of companies, quote unquote, best practices will involve a security audit from an independent firm. They'll assess your vulnerabilities, your postures, your current procedures, and they'll come up with recommendations.

And I think a lot of companies do that, and then the question is just how much money are you willing to spend to try to fix these holes. At the end of the day, it often comes down to a benefit cost analysis. You don't want to put a $10 lock on a $1 bicycle.

The question is you're just valuing what those assets are to the company and doing these things is becoming a really big risk management problem. Particularly, as you mentioned, with a lot of these increase in ransomware attacks, it's really getting the eye and the attention and the time of senior management and senior leadership.

Adamek: If you're an organisation that has been the victim of a ransomware attack, it's not just paying the ransom that causes problems for your organisation, is it?

Glombicki: That's correct. There's several problems. One of the first problems you have is it's possible that the decryption device they give you isn't accurate or isn't complete. I think that was one of the things you saw with the recent Colonial Pipeline, the company did mention that they actually had restored most of the systems backup as the decryption device wasn't necessarily all that helpful.

The other problems you have when you actually pay a ransom is there are perhaps legal ramifications to it. Here in the United States, the US Treasury Department maintains a list of entities that you cannot pay on the OFAC [Office of Foreign Assets Control] list. There's a strict liability policy to that so perhaps you might not have known or could not have known at that time, but there are legal ramifications to paying this.

You're starting to see other countries starting to scrutinise payments more. This is definitely something you're getting a lot more press on is should you pay a ransom, and by just paying a ransom, does that create a moral hazard of basically perpetuating the industry? That's not something that Fitch gets involved in when we talk about that stuff because that's not our job to do such, but it is interesting that some companies are responding to this.

In particular, we mentioned two companies in our press release. AXA, which is a very large French insurance company, has stopped paying ransomware payouts in France for actual payments to the ransomware threat actors. They haven't done it to any other countries yet, but actually have done it in France itself.

We also cite in there Beazley, which is a specialty insurance company which is affiliated with Lloyd's of London. Their CEO stated that they do not exclude extortion payments from their policies currently, but they did call on governments to legislate whether such payments do align with public policy or not.

Adamek: That gets me to something that is of deep concern to my audience. That's cyber risk insurance, cyber insurance. What are you seeing in that market as ransomware attacks increase, and what should finance departments be thinking about when it comes to approaching cyber insurance?

Glombicki: Cyber insurance is a very broad term that a lot of people — a lot of companies seek to use some type of risk transfer. At the end of the day, you really have a couple of ways to look at risks. You can avoid the risks. You can try to mitigate the risks. You can accept the risk. Or you can try to transfer the risk. Those are the four traditional risk metrics that we often talk about in the risk world.

What you're trying to do with insurance, you're trying to transfer it to a third party. Each contract can be bespoke. It can be different for your company than it is for my company. It can be part of a package policy. One of the things you're starting to see in the US is the growth of the standalone product.

It used to be historically part of a package policy, but now companies are trying to separate that out and actually make a cyber standalone policy be the ultimate goal of what they're trying to do because you can basically price for that better, you can capture the risks better, you can underwrite it better, you can see the claims associated with it better.

As that evolves and unfolds, you're starting to see losses increase. Fitch actually just put out a preliminary estimate for the 2020 losses for cyber insurance, and you can see that those numbers have increased quite a bit over the previous five years that they were available.

Adamek: What are some of the increased costs that organisations are seeing in this sort of landscape of increased cyberthreat?

Glombicki: Several things. The first is actually once an attack occurs, you usually have to do some form of forensics. The forensic departments themselves are just increasing as they are growing in demand. One of the other things is what they call an instant response plan, so once something does happen, what is your plan to actually do this? Often this involves having some type of law firm that specialises in negotiations or handles public relations as well. As this increases in demand, those prices are also increasing in demand.

The other is actually just payments, for example, in ransomware. Ransomware actually kind of started out actually going after individuals, and then it's kind of morphed into going after companies. So the payouts for ransomware themselves have increased dramatically. As most costs in business, everything in cyber seems to be going up as well.

Adamek: In this increased threat landscape, how should CFOs and finance departments and finance professionals be thinking differently about cyber risk, particularly post-COVID?

Glombicki: One of the things that's evolving is the risk in cyber risk. As you mentioned earlier, there was roughly almost a 500% increase in ransomware tax year over year. I think when companies look at their risk posture, their risk appetites, they have to do a risk register and see all the risks that are available to them subject to and try to see again those four pillars if they're going to accept it, if they're going to mitigate it, if they're going to transfer it, they're going to avoid it, and what they do.

As you're seeing, as more companies go on to the internet, as more companies just give employees access to the emails, as more companies can actually work from home — all of these are extra nodes onto the network. These nodes could work perfectly fine for you whether they're secure or not, but if they're not secure, it's also a possibility for a threat actor to enter into your landscape and then to possibly do harm and perhaps immense harm.

What you have to do is a business impact analysis as a company and see what your assets are, what those risks are, and ultimately how they line up with your risk appetites and whether you're willing to accept these risks or try to transfer them or try to hire some third party to lower them. Ultimately, this is the actions that the company's management has to do.

Adamek: Who within an organisation should be most responsible for protecting against these kinds of risks and the potential costs attached to these risks?

Glombicki: At the end of the day, the person who is ultimately responsible for accepting all risks is the chief executive officer of the company. The chief executive officer uses their executive team to kind of help manage and mitigate those, and the board ultimately has oversight of those risks as well as ultimately the overseers of the chief executive staff. But in the end, it's a collaboration of all of them.

Risk needs to not be kept into a silo. It really needs to be a very collaborative effort, a group effort with a lot of talking and communicating between everybody because the IT function — the risks of the internet within a company, it expands on every single section of a business usually. Anyone of those could be the entry point for the threat actor, and it can also be the downfall of the company in terms of they don't have access to that.

If 80% of your business is working but that 20% isn't, can you handle being out of that 20% and for how long? What are the backup plans associated with that? What other risks are you thinking to perhaps — in terms of business continuity, disaster recovery for that function and again, even your third-party supply chain of this as well.

So to put it on just one person is a bit of a daunting task. It really is an amalgamation of all of these. Usually it flows through some type of risk management initiative, so the chief risk officer or the chief information security officer, but it's just a very broad topic and it has to be approached in a very comprehensive manner.

Adamek: Gerry, thank you so much for joining us.

Glombicki: Thank you.

Adamek: I'm FM magazine senior editor Drew Adamek, and you've been listening to my conversation with Gerry Glombicki, a director in the insurance group at Fitch Ratings, about the hidden costs and risks of ransomware.

Please visit the FM magazine website for more of our cybersecurity coverage.