August 9, 2021
Collective Response to Data Resiliency
by Glen Shok
Collective action will shield all organizations from infection and mitigate the damage of ransomware on the global economic landscape.
Ransomware cyber insurance policies are perceived as having high deductibles and low ceilings. In other words, costs are seen as misaligned with the risks and coverage needs of insureds.
Many insurance companies have adopted a conservative approach toward ransomware premiums out of fear of a cyber insurance "hurricane": because the risk is correlated (one campaign can hit many policyholders at once) and liability is virtually unlimited, insurers could be overwhelmed by simultaneous claims covering cyber-extortion payments, forensics, recovery, data loss and legal expenses.
That exposure has led to premium increases, and some carriers now sub-limit ransomware coverage with fixed caps on payouts. Mechanisms such as co-insurance show a mindset of risk-sharing, but a more efficient cyber insurance marketplace demands a broader understanding of shared risk.
Ransomware attacks are felt beyond the targets, with pain spread across the global economy. Cyber insurance offers financial stability. Brokers, actuaries, auditors and other stakeholders should expect reasonable, documented assurances that insureds are making rational investment decisions concerning risk management.
This requires greater cooperation among insurance companies, policyholders and private industry — including technology vendors. Disclosure and documentation, internal network and ransomware data resilience controls and information sharing are areas where we can and should work more closely. This is the way to ensure individual pricing suits the size and scale of risk for both insurers and insureds.
Shared responsibility for data resiliency
An aggressive cybersecurity posture must include forward-thinking strategies toward ransomware. It is in the interests of each of us to disrupt the cyber-extortion business model and eliminate its source of profits.
Ransomware variants are not monolithic. A cooperative response requires a joint analysis of both new and emerging threats, as well as the technologies that ensure security controls are in place and effectively applied.
Technology is shifting the picture. Detection tooling can identify ransomware activity early, and automated response can halt an attack to limit the damage. Still, security spending has historically concentrated on perimeter and endpoint protection, and that alone has proven incomplete.
Data immutability provides a more complete resiliency model. If stored data cannot be altered or deleted once written, malicious encryption cannot destroy the only good copy: a clean dataset remains available, it can be restored more readily, loss is minimized and data integrity is preserved.
Global file systems are one example. Some are built on immutable data architectures, and the more advanced ones add broader unstructured data management capabilities on top.
Immutable repositories resist tampering with data contents, but that does not mean the platform hosting them cannot be compromised separately. Cybercriminals are adept at finding ways to disable data protection software and systems, and any retention control that an administrator can switch off is only as strong as the administrator's credentials.
Conducting backups on a daily or weekly basis helps an organization respond to a ransomware strike, but restoring from a backup almost always loses whatever changed since the last backup point. Strict backup procedures do not ensure that files, including the backups themselves, cannot be encrypted, and moving backups offline leaves an operational gap between the last offline copy and the present.
Additionally, even where backups are readily available, the time a restore will take is frequently underestimated. A backup set is a full copy plus a chain of incrementals, so the volume of data is substantial, and it may take days or even weeks for clean copies to be restored.
Insurers, policyholders and technology makers should note that immutable storage is particularly valuable when ransomware lies dormant in an environment before activating, so that files containing the malicious code are themselves backed up: because every earlier version is preserved unchanged, a pristine pre-infection dataset is still available.
Cloud-based immutable storage repositories, such as Panzura on Amazon S3 using the S3 Object Lock feature, do not prevent an attack, but a locked object version cannot be overwritten or deleted for its retention period, whether or not the data is being accessed, so an unadulterated copy remains available for a restore scenario.
As a best practice, to cover the case where the primary object store itself is attacked through a security vulnerability, insureds should consider a split-write, or cloud mirror, to a second object store, ideally under separate credentials, so that data remains accessible even if one store is lost.
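The caveat above, that a lock an attacker can switch off is no lock, is something a policyholder can check for itself. The following is an added example, not Panzura's or AWS's code: it audits the response shape of the S3 GetObjectLockConfiguration API (boto3's `get_object_lock_configuration`) and flags settings that weaken immutability, in particular GOVERNANCE mode, which any principal holding `s3:BypassGovernanceRetention` can shorten, versus COMPLIANCE mode, which nobody can shorten before the retention period expires. The sample responses, the 90-day minimum retention and the `AS_OF` date are constructed for the example; `boto3` is needed only for the live helper.

```python
"""Audit an S3 bucket's Object Lock configuration for ransomware resilience.

Added example, not code from Panzura or AWS. It evaluates the dict returned by
S3 GetObjectLockConfiguration and returns findings that weaken immutability.
The sample responses below are constructed, not captured from a real account.
"""
from datetime import datetime, timedelta, timezone

# Assumed policy target: default retention must exceed the time a dormant
# ransomware payload might sit in the environment before activating.
MIN_RETENTION_DAYS = 90

# Fixed reference date for reproducible retention dates (the article's date).
AS_OF = datetime(2021, 8, 9, tzinfo=timezone.utc)


def audit_object_lock(config: dict, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Return (severity, message) findings for a GetObjectLockConfiguration
    response dict; an empty list means the bucket-level settings meet the bar."""
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        # Versioning alone lets anyone with delete rights purge old versions.
        return [("critical", "Object Lock is not enabled on the bucket")]

    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # New objects are only locked if each PutObject sets retention itself,
        # which application code frequently forgets.
        findings.append(("high", "no default retention rule; objects are "
                         "unlocked unless the writer sets retention per object"))
        return findings

    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        # Bypassable by s3:BypassGovernanceRetention, so stolen admin
        # credentials defeat it. COMPLIANCE cannot be shortened by anyone,
        # including the account root user, until the period expires.
        findings.append(("high", "default retention mode is GOVERNANCE; a "
                         "privileged attacker can bypass it, use COMPLIANCE"))
    elif mode != "COMPLIANCE":
        findings.append(("critical", f"unrecognised retention mode {mode!r}"))

    # The period is expressed as either Days or Years, never both.
    days = rule.get("Days")
    if days is None and rule.get("Years") is not None:
        days = rule["Years"] * 365
    if days is None:
        findings.append(("high", "default retention rule has no period"))
    elif days < min_days:
        findings.append(("medium", f"default retention of {days} days is "
                         f"below the {min_days}-day target"))
    return findings


def retain_until(days: int, now=None) -> str:
    """ISO-8601 RetainUntilDate for a per-object PutObjectRetention call.
    Per-object retention may lengthen but never shorten what the default rule
    grants, so this is how a backup writer extends protection for a snapshot."""
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def fetch_and_audit(bucket: str, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Live variant (assumes AWS credentials in the environment). A bucket
    created without Object Lock makes the API fail with the error code
    ObjectLockConfigurationNotFoundError, which is itself a critical finding."""
    import boto3  # optional dependency; only used here
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        config = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "ObjectLockConfigurationNotFoundError":
            return [("critical", "Object Lock is not enabled on the bucket")]
        raise
    return audit_object_lock(config, min_days)


# Constructed sample responses in the shape boto3 returns.
WEAK_CONFIG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
STRONG_CONFIG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, audit_object_lock(cfg) or "OK")
    print("retain a snapshot until", retain_until(MIN_RETENTION_DAYS, AS_OF))
```

Run against a real bucket with `fetch_and_audit("my-backup-bucket")`. Note that this audits only the bucket default; a per-object `PutObjectRetention` call can extend protection for a known-good snapshot, and a mirror to a second store under the same credentials does not remove the GOVERNANCE finding.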
Collectively documenting data resilience
Research by the University of Kent and the Royal United Services Institute for Defence and Security Studies (RUSI) indicates the insurance sector is struggling to collect and share reliable cyber risk data that can inform underwriting. The report posits that more regulatory intervention may be necessary.
While there is a legitimate role for public agencies in the fight against ransomware, the time is now to take collective steps that avoid the blunt instrument of regulation. Frameworks of agreement and cooperation among private industry are the better remedy.
The cyber-ecosystem is only as strong as its weakest link, and insurers can more thoroughly underwrite cyber insurance if they better understand the precautions that insureds must take to fend off ransomware attacks and back up their data resources.
Providing brokers and underwriters with better information calls for standardized certifications, enabling all parties to have a holistic view of what constitutes secure data. This should be based on a clear mapping of agreed protocols for defense and acceptable recovery parameters.
The insurance purchasing process itself requires an inward evaluation of security controls, and results in better understanding of the value and nature of data. For example, Panzura works with customers to provide a Statement of Ransomware Resilience, along with other types of documentation, which insurers can consider when determining premium pricing and coverage limits.
Consensus among insurers and technology vendors is necessary to define the form and function of the documentation. Acceptance should be a basis for negotiating rates that appropriately balance risk with the immutability and resilience of insured data and networks.
Sharing risk more equitably, we can build on responsible efforts by insurers to avoid a cyber insurance “hurricane.” Collective action will shield all organizations from infection and mitigate the damage of ransomware on the global economic landscape.