Last year ransomware targeted more than a dozen managed service providers or cloud-based service providers. The result? Thousands of encrypted endpoints.
Ransomware operators leverage MSPs to access their clients, and short of protective deterrents — multifactor authentication, IP restrictions, remote monitoring and management software updates — the remaining safety net is cyber insurance. It's a post-failure solution.
"For the policies that I work on, supply chain coverage is very, very robust," Matthew McCabe, SVP at Marsh's Cyber Practice, told CIO Dive.
"These aren't necessarily new issues for companies. They're just being reinterpreted in the digital world," he said.
The fallout of supply chain-style ransomware attacks is twofold: data encryption and data exfiltration. Cyber insurance has to reckon with both, especially since a cyberattack's post-mortem analysis can be misleading.
"An absence of evidence of exfiltration should not be construed to be evidence of its absence," according to Emsisoft.
Where are the damages?
Historically, insurance policies wouldn't cover the entire cost of damaged hardware.
"That will catch people by surprise," Scott Godes, partner at Barnes & Thornburg, told CIO Dive. "The industry has finally come around to say, 'Well, we can provide you with an endorsement,'" or bricking endorsements.
Bricking endorsements say that in the event "computers are turned into paperweight servers" because of ransomware, insurance providers will provide coverage for the cost of replacing "equivalent equipment," if deemed reasonable to replace, according to Godes.
Companies need to know what to expect from insurers by asking:
- Is the carrier providing the policyholder with the full policy limit?
- How will the provider treat the situation?
- Will the provider say it's unreasonable for a company to replace equipment?
- Will the provider hire a forensics firm that is biased to the insurance carrier?
Damaged hardware is only half the issue. In 2020, 11% of ransomware attacks were "related to attacks by the groups that overtly steal data," according to Emsisoft.
Cyber insurance policies typically provide coverage for data privacy concerns and network security events. However, if a consumer alleges poor network security caused them to send money to a criminal, "isn't that what network security liability coverage is designed to address? I've heard carrier lawyers say, 'That's not what they meant to cover,'" Godes said.
For McCabe, supply chain-style attacks fit two categories:
- Intellectual property supply chain
- And the more traditional sense of the supply chain, like products and services
"I would say that there's really, really deep coverage from the cyber insurance market in both events," he said. More direct providers of goods and services often have a contractual relationship with the insured and its vendor, "and that's not a bad concession."
For the carrier, appreciation of the scope of coverage is expected. There will always be unknowns between companies that rely on each other that were left out of the underwriting. But in a direct relationship, "you can underwrite and understand their operations and show who are most vital for them to continue operation," said McCabe.
If a subcontractor fails and impacts the contractor and subsequently their customers, it's still a failure of the contractor. If the contractor experiences an outage, it should still pay off on the policy because your direct contractual relationship is still outlined.
In terms of IP, "it really, really matters whether it's considered within the company's footprint, or the general structure of the internet," said McCabe. If it's the infrastructure of the internet, carriers are focusing on aggregated risks.
If an MSP has an outage, with outages cascading down to customers, "you're going to have thousands of outages that can mean catastrophic financial failure for carriers, and therefore, they're getting excluded from an infrastructure perspective," he said.
The language of a policy is integral to complete coverage; broad language could exclude too many claims. The flip side also has to ensure carriers have sufficient protection against widespread aggregated loss.
"Most states, if not all states, say that an insurance policy is a contract of adhesion, which means it's written on a boilerplate basis," said Godes. If a policy is misconstrued, "they're construed in favor of covering and against the insurance carrier," instead of "interpreted as though there was equal bargaining power over the terms and conditions amongst both parties."
A vulnerable industry
In 2019, ransomware preyed on the resource-poor, with organizations falling victim to it every 14 seconds, according to a Cybersecurity Ventures report. Downtime costs mounted five to 10 times the price of the ransom, depending on the type of business and its reputation.
For MSPs, it doesn't matter whether their clients are offline; all of the clients' files will be locked after an attack. Last fall, more than 100 nursing homes were disrupted when their MSP was targeted, leaving them unable to access prescription records, Allan Liska, senior security architect at Recorded Future, told CIO Dive. In 2019, about 400 dental offices were unable to access patient records after a cloud management provider was struck.
"If you look at the incidents themselves, they're not actually targeting those smaller organizations, their target audience shared infrastructure that organizations use," said Liska. There's a huge "problem with a lot of the indiscriminate ransomware that's just being kind of sent out in mass quantities."
Last year, bad actors launched ransomware attacks on managed service security providers. The operators behind REvil, or Sodinokibi, accounted for 86% of those attacks, according to a Kivu report.
"Real ransomware threats have hundreds of threat actors behind them. So you have good quality ransomware but you have a whole lot of people deploying it, which means that the ways they're getting in and the vulnerabilities that they're looking for, and the amount of scanning they're able to do essentially becomes a force multiplier," said Liska.
In terms of supply chain-style attacks, larger enterprises typically have a more robust response to cyber events; the same is not true for service providers. Most MSPs (65%) have fewer than 10 full-time employees compared to the companies they service, according to a SolarWinds and The 2112 Group report.
Manufacturers are historically behind in digital transformation and lack sufficient defenses. "We know that there are some ransomware actors that are looking for specific types of manufacturing," said Liska, "they're looking for specific types of infrastructure."
In fact, the manufacturing industry accounted for 62% of the more than $11 million paid in ransoms in 2019, according to Kivu. Paused assembly lines can cost a manufacturer about $22,000 per hour, enticing victims to pay a ransom.
Insurance providers, when consulted, might conclude that paying a ransom is in a company's best interest depending on a company's technological standing.
As companies architect better response efforts, it's "causing them to request to redefine coverage on incident response services," said McCabe. It can even extend to how people work during an event to make sure that they're responding properly.
"Best way to look at it is there's going to be internal costs that are creating efficiencies during the response that are over and above what a company normally spent," said McCabe. But policyholders are asking the cyber insurance industry to pick up those costs now. "I think that's a newer development."
Correction: This article has been updated to correct a citation; Cybersecurity Ventures provided the research about how often organizations fall victim to ransomware.