INDUSTRY U P DAT E S
RANSOMWARE
ATTACKS RAMP UP WITH RANSOMWARE ATTACKS INCREASINGLY TARGETING CRITICAL INFRASTRUCTURE PROVIDERS, IT’S URGENT FOR BANKS TO BE PREPARED. by Paul Benda
I
n March 2021, CNA Financial Corp.—one of the nation’s largest insurance companies—paid $40 million in the wake of a ransomware attack that crippled its network, according to a Bloomberg report. A few months later, cybercriminals targeted the Colonial
Pipeline, which supplies fuel to much of the East Coast, with a ransomware attack that led to Colonial paying out almost $5 million. These instances are just two high-profile examples of a growing problem: the proliferation of ransomware and extortion-ware. These types of cyberattacks occur when cyber criminals use malware to encrypt files on a device or information on a network, rendering them unusable. Criminals then demand payment in exchange for decryption. Over the past several years, ransomware attacks have grown in scope and scale, and are now targeting critical infrastructure entities, including financial services providers. In fact, it’s estimated that a new ransomware attack is detected every 11 seconds. According to an eWeek security analysis, more than half of companies faced ransomware attacks and of those, 26% paid the
14
•
FALL 2021
requested ransom. Even if companies choose not to pay, ransomware attacks can still be costly and devastating. For example, after the University of Vermont Health Network was compromised by ransomware in June 2021, it lost an estimated $63 million in the process of rebuilding its network infrastructure and restoring compromised hard drives. Unfortunately, even for those that do pay, obtaining a decryption key is not a panacea—firms must still conduct testing on every machine and network endpoint to ensure that the malware has been successfully removed. One global survey of 5,400 IT decision makers found that around half of those who paid ransom recovered just 65 percent of the encrypted data compromised in the attack. Another 29 percent said they only recovered half of the data. The staggering cost and increasing frequency of ransomware attacks would seemingly make the case for cyber insurance—but, surprisingly, anecdotal evidence suggests that a majority of financial institutions are not cyber-insured. And with cyberattacks on the rise, the cost of cyber insurance is also increasing, and ransom payments as an insurable risk may not be sustainable in the long run.
