Madison County, Indiana, was the victim of ransomware last week. There is no public information on what malware was used, how the authority was infected, or how much was demanded by the attackers — but it does seem as if the ransom has been paid, and systems are now coming back online.
There is considerable confusion over what actually happened. Fox News called Saturday Nov. 5 as ‘Day 4’ of the attack and quoted Lisa Cannon, Director of the County’s IT Department, as saying that paying the ransom was still ‘very much on the table’. “We are in the discretion of the insurance company,” she said. “That’s a decision they’re going to make.”
Later, the Herald Bulletin reported: “County officials are hoping the problem will be resolved by Wednesday once the encryption code is received from the hackers. ‘We’re following the directions of our insurance carrier,’ Madison County Commissioner John Richwine said Monday.”
It does not appear as if the County was very well prepared. It is ‘preparing’ to upgrade its anti-malware defense, and ‘in the process’ of adding a backup system. These are the two fundamental and necessary systems to prevent ransomware, or to recover from it without having to pay the price. The Barnstable Police Department, for example, recovered from ransomware entirely through its disaster recovery backup system with minimal loss and no payment. Without anti-malware and backup, the decision on whether to pay the ransom largely comes down to one of cost and reputation.
All official and security industry advice is not to pay. The argument is that paying the criminals maintains the ransom attack as a profitable venture for criminals, and helps fund other ransom attacks elsewhere. But the reality is that sometimes the victim has no choice. It is not clear whether Madison County did or did not have any choice. That would probably depend on which of the County’s services were affected — and there is confusion even here. Fox News references the Herald Bulletin and says “The attack has left police, fire and other government staff locked out of their computers.” The Herald Bulletin makes no mention of the fire service.
Of wider interest is the role of the insurance company in the decision on whether to pay the ransom. With more organizations taking up some form of cyber insurance, this could have a negative impact on the official advice not to pay. SecurityWeek spoke to Honigman Miller Schwartz and Cohn LLP, an insurance recovery and advisory practice, to understand the role of the insurer in such circumstances.
While different insurers will use different language, the first point to note is that extortion coverage is not generally automatically included in cyber insurance. “The insured has to be an advocate for coverage and confirm that it has this coverage if it wants it,” Paula Litt, a partner with the firm, told SecurityWeek. It is probable, then, that Madison County was sufficiently aware of the ransomware threat to specify coverage.
The next issue is simply how much influence the insurer has over the insured in the event of a claim. Again, it will depend on the precise terms of the individual policy, but in general, said Litt, “The insured should retain control of the response to the attack and it will typically be the insured’s obligation to investigate the threat and limit its exposure.”
Nevertheless, the insurer will retain some control after an incident. It may require use of an approved counsel and service providers, or include an incentive to use an insurer-approved data breach team. The reason for this, said Litt, “is to control cost and provide the insured access to experienced service providers in a crisis, not to control the specific message or strategy.” The policy may also require the insured’s cooperation and allow the insurer to make any investigation it deems necessary.
The key question is unclear. Can the insurer insist, rather than advise, that the insured pays the ransom in order to minimize its own future liability to repair damage? “I have not seen a clause that explicitly allows the insurer to do this,” said Litt, adding that this is “not to say it doesn’t exist. An insurer can accomplish this indirectly. For example, a policy might provide coverage for an extortion payment in an amount that does not exceed the covered damages and claims expenses that would have been incurred had the extortion payment not been made.”
The reality is that we do not know exactly what happened at Madison County. The indication, however, is that its insurer recommended and may even have insisted on payment. And the implication of this is that there may be an unknown number of ransomware victims who have simply paid the ransom, funded by the insurance, with little fuss or publicity.