The recent proliferation of well-publicized cyberattacks has revealed ransomware to be a serious national security threat. Still largely hidden from public view, however, are the attacks on small businesses, including many within the industrial, specialty and advanced textile industry, that don’t make the headlines.
Surprisingly, while ransomware attacks have become a multibillion-dollar threat, the average payment demanded was only $310,000 in 2020, with many payments in the $25,000 to $30,000 range. So, what can a business do to reduce the risk of becoming a ransomware victim?
What is ransomware?
Ransomware is a type of malicious software, or malware, that prevents a business from accessing its computer files, systems or networks and demands payment of a ransom for their return. Ransomware can be unknowingly downloaded onto a computer by opening an email attachment, clicking an ad, following a link or even visiting a website that’s embedded with malware.
Once the code is loaded on a computer, it will lock access to the computer itself or to data and files stored there. More menacing versions can encrypt files and folders on local drives, attached drives and even networked computers. Obviously, ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.
In many situations, the targeted business is unaware its computers have been infected. The attack is usually discovered only when data can no longer be accessed, or when a ransom note appears on screen announcing the attack and demanding payment.
Paying the piper—or not
Top U.S. law enforcement officials discourage meeting ransomware demands. The FBI is reportedly doubling down on its guidance to affected businesses and its message remains: don’t pay the cybercriminals.
Ransomware attackers usually demand that businesses send cryptocurrency in order to unlock data, with amounts ranging from a few hundred dollars to millions of dollars. The ethics and morality of making these payments aside, there is the practical question of how a business actually makes a ransomware payment and navigates the cryptocurrency market.
Surprisingly, small-scale ransomware attackers sometimes demand payment wired through Western Union or charged to a phone bill through a premium-rate text message. Some even demand payment in the form of gift cards, such as Amazon or iTunes gift cards. The majority of ransomware payments, however, involve cryptocurrencies.
Bitcoin is the most popular currency demanded by ransomware attackers, but other cryptocurrencies such as Ethereum, Zcash and Monero are also frequently demanded. Traditional financial institutions have their hands tied when it comes to ransomware payments under money-laundering and know-your-customer regulations, so a business that is considering payment should contact its bank early to find out whether the bank will transfer funds to a cryptocurrency exchange at all.
The attacked business then sets up an account with one of the many cryptocurrency exchanges—where U.S. dollars are exchanged for digital currency.
Unfortunately, paying ransom does not guarantee that a business will get the decryption key or unlocking code needed to regain access to the infected computer system or files. Successful or not, the government offers a little-noticed incentive for those who do pay: the ransom may be tax deductible.
Taxes to the rescue
While the government warns that ransom payments fund criminal gangs and could encourage even more attacks, failing to pay a ransomware demand can have devastating consequences for any business. A business that does pay a ransom may be entitled to claim a tax deduction for the payment on its federal tax returns.
Naturally, there are limits to the deduction. Insurance may cover both the business disruption and the ransom payment itself, and a business cannot claim a deduction for any part of the loss that an insurer reimbursed.
Whether traditional insurance policies cover losses from cyberattacks and cybersecurity breaches is an open question, but for now the answer appears to be yes. A federal court in Maryland recently ruled that an insurance company must cover the costs of software, data, computers and servers that were lost or damaged by ransomware under the property coverage of one business owner's insurance policy.
Business interruption insurance can recover only some of the financial loss resulting from a security breach. Without it, however, an operation has no way to make up the income lost while systems are down after a ransomware attack.
To protect against cyber risks, many businesses are beginning to add cyber or cyber liability coverage to their business insurance policies. So-called data breach insurance helps a business respond to breaches and usually offers sufficient protection for most small businesses.
Cyber liability insurance, on the other hand, is typically used by larger businesses and offers more coverage to help prepare for, respond to and recover from cyberattacks.
It should be noted that most cyber policies require that a business receive permission from the insurance company before any ransom amounts are paid. And remember, although most cyber-related insurance policies provide reimbursement for a ransom payment and related expenses, they don’t pay these costs up-front.
The cost of ransomware
Since paying a ransom does not guarantee that the operation's computers or data will come back intact, expenditures to restore, replace or reconstruct programs, software and data are often necessary. And don't forget the other extortion-related expenses, including the cost of hiring a security expert to advise on the response and on reducing the chance of a repeat attack.
Avoiding the inevitable
It is frightening to think that nothing can be done once a cyberattack is under way. That is why planning for the revenue and income that will be lost during downtime is as important as assessing, ahead of time, what cybersecurity measures are already in place.
Ransomware attackers, indeed all malware distributors, have grown increasingly savvy, so users must exercise extreme caution about what they download or click on. Other measures for reducing the risk of a ransomware attack include keeping operating systems, software and antivirus programs up to date, and backing up data regularly. Because ransomware can encrypt attached drives and networked computers as well as local ones, at least one copy of those backups should be kept offline or otherwise out of reach of the production network, and restores should be tested periodically so the business knows the backup actually works before it is needed.
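As an added example that is not part of the original article, the Python script below shows what a periodic restore test can check: that every file in the backup manifest is still present, that its SHA-256 hash still matches, that the backup is not older than the business can tolerate, and, for any file that has changed, whether its contents look encrypted (byte entropy near 8 bits per byte), which is the signature of a backup copy that was reachable from an infected machine and got encrypted along with everything else. The file names, contents and the manifest format are constructed for illustration; a real backup job would write the manifest alongside the backup, not on the production share.

```python
# Added example, not from the article: an offline backup-verification check.
# It assumes the backup job records a manifest of SHA-256 hashes at backup time
# (build_manifest) and a later restore test compares the restored copy to it
# (verify_backup). All file names and contents below are constructed samples.
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0. Encrypted or compressed data sits near 8;
    CSV, CAD text and office documents sit well below it."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_manifest(files: dict) -> dict:
    """Hash every file at backup time. Store the manifest with the backup copy."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_backup(restored: dict, manifest: dict, backup_age_hours: float,
                  max_age_hours: float = 24.0, entropy_threshold: float = 7.0) -> dict:
    """Compare a restored copy against the manifest and report what is wrong.

    'suspicious' lists modified files whose contents look like ciphertext, i.e.
    a backup that was itself hit by ransomware rather than legitimately updated."""
    missing = sorted(name for name in manifest if name not in restored)
    modified = sorted(name for name, content in restored.items()
                      if name in manifest and sha256_hex(content) != manifest[name])
    suspicious = sorted(name for name in modified
                        if shannon_entropy(restored[name]) >= entropy_threshold)
    stale = backup_age_hours > max_age_hours
    return {
        "ok": not (missing or modified or stale),
        "stale": stale,
        "missing": missing,
        "modified": modified,
        "suspicious": suspicious,
    }


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted file.
    This is a hash chain used only to build sample data, not a cipher."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample data: two files a textile shop might back up.
ORIGINAL_FILES = {
    "orders/2021-q3.csv":
        b"order_id,customer,yards\n1001,Acme Awnings,250\n1002,Bayside Sails,80\n" * 40,
    "patterns/tent-a12.dxf":
        b"0\nSECTION\n2\nENTITIES\n0\nLINE\n" * 100,
}
MANIFEST = build_manifest(ORIGINAL_FILES)

# A backup copy that stayed mounted on the infected machine and was encrypted too.
ENCRYPTED_COPY = {name: pseudo_ciphertext(name.encode(), len(content))
                  for name, content in ORIGINAL_FILES.items()}


def run_checks() -> dict:
    """Three restore-test scenarios: a good backup, an encrypted one, and a stale one."""
    return {
        "intact": verify_backup(dict(ORIGINAL_FILES), MANIFEST, backup_age_hours=6),
        "encrypted": verify_backup(ENCRYPTED_COPY, MANIFEST, backup_age_hours=6),
        "stale": verify_backup(dict(ORIGINAL_FILES), MANIFEST, backup_age_hours=72),
    }


if __name__ == "__main__":
    for label, report in run_checks().items():
        print(label, report)
```

The entropy check is a heuristic: legitimately compressed or already-encrypted files (zip archives, encrypted PDFs) will also score high, so the report flags them for a human to look at rather than declaring the backup ruined. The hash comparison is the authoritative test; the manifest must be stored somewhere the attacker cannot also overwrite, or a modified manifest will simply agree with the modified files.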
Since it is virtually impossible to completely eliminate the risk of a ransomware attack, some victims conclude that paying is the least bad option. Targeted businesses, organizations and even governments may decide that paying the ransom is the most cost-effective way to get their data back, even though, as noted above, payment does not guarantee the data will be returned.
Preparedness only goes so far in protecting against these sophisticated attacks. Tax deductions can offset a portion of the cost of ransomware attacks while insurance is available to help ease the pain.
The bottom line is a question of cost-effectiveness. Does the harm of funding these cybercriminal organizations, in essence helping them proliferate and grow more sophisticated, outweigh the value of paying a ransom for the mere promise of restored systems and unlocked data? This is something to think through before an actual ransomware attack affects your company.
Mark E. Battersby writes extensively on business, financial and tax-related topics.
Ransomware protection for IFAI members
According to Marsh McLennan Agency, IFAI’s preferred business insurance broker and risk management consultant, ransomware attacks have increased by 146 percent since the start of the pandemic. With more employees working remotely, businesses have been exposed to more risk than ever. For more information about business insurance and risk management options, contact Andrew Burt at Andrew.Burt@MarshMMA.com or Kory Eastenson at Kory.Eastenson@MarshMMA.com.