Buyer beware: Ransomware-as-a-Service is about to bite

The insurance market is making a series of fundamental changes to existing policies in an attempt to address the potential losses insurers face from the dramatic rise in Ransomware-as-a-Service attacks. This is according to Kevin Timms, CEO of managed services provider eacs.

With the number of high-profile ransomware attacks having increased sharply during the Covid pandemic, organisations will remain at elevated risk while their employees continue to work remotely.

Kevin Timms, CEO, eacs, stated: “Business email is very often the route into an organisation. It is an easy target, and criminals are exploiting email security vulnerabilities such as misconfigured sender policy framework (SPF), Domain Keys Identified Mail (DKIM), and Domain Message Authentication Reporting & Conformance (DMARC) to enact phishing and email spoofing attacks, which could result in the deployment of ransomware.”
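The misconfigurations Timms refers to are easy to spot once you know what to look for. Below is an added example (not from eacs or the original article) that parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable: an SPF record ending in `+all` or `~all`, a DMARC policy of `p=none`, a missing DMARC record, a weaker subdomain policy, and a `pct` below 100. The domains and records are constructed for illustration; no DNS lookups are made, so it runs offline.

```python
"""Flag SPF/DMARC settings that allow a domain to be spoofed.

Added example. The records below are constructed sample data for
hypothetical domains, not real DNS lookups; in practice you would
fetch the TXT records for <domain> and _dmarc.<domain> first.
"""

# Constructed sample records (hypothetical domains).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "open.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.example",
    },
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 limit is 10).
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists"}


def parse_dmarc_tags(record):
    """Parse 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def count_lookups(terms):
    """Count SPF terms that trigger a DNS lookup during evaluation."""
    count = 0
    for t in terms:
        name = t.lstrip("+-~?").lower()
        mech = name.split(":")[0].split("/")[0]
        if name.startswith("redirect=") or mech in LOOKUP_MECHANISMS:
            count += 1
    return count


def check_spf(spf):
    findings = []
    if spf is None:
        return ["SPF: no record; receivers cannot reject forged envelope senders"]
    if not spf.lower().startswith("v=spf1"):
        return ["SPF: record does not start with v=spf1 and will be ignored"]
    terms = spf.split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders evaluate as neutral")
    else:
        first = all_terms[-1][0]
        qualifier = first if first in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
        elif qualifier in "~?":
            findings.append(f"SPF: '{qualifier}all' is soft/neutral; forged mail is accepted and only flagged")
    if count_lookups(terms) > 10:
        findings.append("SPF: more than 10 DNS-lookup mechanisms; evaluation returns permerror")
    return findings


def check_dmarc(dmarc):
    findings = []
    if dmarc is None:
        return ["DMARC: no record; SPF/DKIM results are never enforced"]
    tags = parse_dmarc_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or wrong v= tag; record is invalid"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; record is invalid")
    elif policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to junk rather than rejecting it")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; no aggregate reports, so abuse goes unseen")
    sp = tags.get("sp", policy).lower()
    if policy == "reject" and sp != "reject":
        findings.append(f"DMARC: subdomain policy sp={sp} is weaker than p=reject; subdomains can be spoofed")
    return findings


def audit(records):
    """Return the list of findings for one domain's SPF and DMARC records."""
    return check_spf(records.get("spf")) + check_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain)
        for finding in audit(records) or ["  OK: no weak settings found"]:
            print("  " + finding)
```

The hardened record is the target state: `-all` so receivers reject unauthorised envelope senders, `p=reject` with `sp=reject` so both the domain and its subdomains are enforced, and a `rua=` address so the aggregate reports that reveal spoofing attempts actually reach someone. DKIM signing is a separate check (a selector record under `_domainkey`) and is not covered by this script.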

“Sophos recently released its Ransomware Report 2021 which found that the average recovery cost for businesses has doubled in the past year. Sophos quote a staggering and eye-watering figure of $1.85m in 2021, up from $761,106 last year. These costs include the ransom as well as the hidden costs such as downtime, people costs, device and network costs and the loss of opportunity.”

Timms continued: “The insurance industry itself is now reacting to this trend in a number of ways and we would urge any CFO, CISO or compliance officer to get on top of the changes now and check the small print on all and any Terms & Conditions.”

Many insurers now offer, and in some cases insist, that policyholders submit a ransomware supplemental application, which asks additional questions about data backups, network segmentation, and whether multi-factor authentication is enforced on the corporate network.

“Let’s be clear the purpose of these ransomware supplemental applications is to mitigate the impact of ransomware once it has been deployed, and therefore reduce the severity of claims,” continued Timms.

“In some cases policies are being refused if a product is at end-of-life, so again we would urge all end user organisations to discuss product migration strategies with their service provider if they have one, or upgrade as soon as possible. The reality is that if you fail to do so the chances of rolling over your standard professional indemnity insurance policy are slim to nothing.”

“We are urging corporate Britain to take a close, long, hard look at any future insurance policy you receive as this is a legal contract. It must be the responsibility of either your insurance broker or risk teams to assess the relevant changes being made to your policies and highlight those changes to senior management.

“At the end of the day this is simply something that business leaders cannot stick their head in the sand on. If you are being asked detailed questions on your estate as to how you can handle a potential breach, you must be able to demonstrate you have addressed this. If you don’t, the picture is pretty straightforward. Your policy is invalidated and if you are hit with a ransomware demand then it really will be ‘game over’,” concluded Timms.

Founded in 1994, eacs supplies practical, innovative and cost-effective IT products, solutions and services to businesses.
