For many companies, a cyber-breach is just the beginning of their problems. The hackers are demanding their ransom, and law enforcement may already be trampling over the evidence. And the insurance company, not to mention the regulator, will also be expecting a call.
Three experts – a lawyer with experience in corporate reputation management, a digital forensic expert, and a lawyer who specialises in cyber risk – sat down to discuss how cyber security needs to be treated as a critical business issue at this week’s ITWeb Security Summit.
The forensic expert is Danny Myburgh, the MD of Cyanre Digital Forensic Lab, which over its 18 years of existence has been involved in 58 major breaches, he says. The cyber risk lawyer is Christopher MacRoberts, a partner at Clyde & Co, the world’s largest insurance law firm. Chairing the conversation is Marina Bidoli, a former journalist and a partner at Brunswick who leads the firm’s local cyber office.
MacRoberts says there’s been a proliferation of cyber crime, and that cyber insurers are now looking very carefully at how they underwrite risks, who they’re insuring, and on what basis they share risk with their clients. The rise of ransomware in South Africa and globally has also meant a significant increase in insurance pricing.
He says he expects that some ‘tough conversations’ with insurers are taking place around boardroom tables at the moment as companies are renewing their insurance.
Despite the heightened risks, Myburgh says companies, by and large, are not prepared. Some of the major banks and listed companies just don’t have the capacity to handle a breach.
“You need extra hands. The IT guys want to repair the environment and get it up and running as quickly as possible. They don’t have the same objective as the board. The board will understand the risk and their liability, but the IT guy (after a breach) will phone the suppliers that he’s working with every day.”
In some cases the supplier, or the IT team, or both, are responsible for the breach or data exfiltration. Once they’re on the scene, they can also muddy the waters, by, say, upgrading firmware post-breach, and it will fall to forensic experts to unpick their lies.
“An IT person might be involved in a breach once or twice in his life. We see it on a daily basis,” he says, adding that his company has attended to four major breaches in as many weeks.
Golden hour
Myburgh says it’s imperative that a cyber breach is dealt with as quickly as possible, and he likens the first 60 minutes to that of the ‘golden hour’ when dealing with trauma patients.
“The hackers compromise so many accounts. You only see one of them; you reset the password and they flood another hundred accounts. You shouldn’t be making a decision about who to approach in a crisis. You should have prepared beforehand, and should have run simulations with your team.”
Bidoli says it’s also best to prepare the board, which was probably not involved with IT every day.
“Once people panic it’s obviously a completely different situation.”
MacRoberts says the insurers are definitely the right people to be speaking to, as they’ll be able to quickly identify which service providers they’re comfortable working with. They also won’t necessarily apply a least-cost approach in hiring these providers.
“Insurers who are underwriting cyber business in South Africa are multinational insurance companies and they will appoint firms which have global reach so they can work across different jurisdictions. They will also trust that those firms can respond competently to an incident.”
He says in the very worst outcomes, a policyholder will try to deal with the breach themselves without involving the insurer.
“The insurers don’t like to be left out of negotiations, particularly if they involve a ransom. Before you know it, the ransom has gone through the roof, and the insurer may not be very happy about paying for it.”
“The curious thing about cyber insurance is that it’s not like any other insurance. If you think about a fire claim, or most other types of loss, it happened long before it gets to the insurer. Then it’s just a question of sorting it out, and paying back the insured for what they’ve lost. In a cyber-event it’s happening in real time, and the advantage of involving the insurer’s team is that the insurer sees what’s happening and guides decisions, and that gets you to the best possible chance of being reimbursed or compensated.”
Ambulance-chasers of the IT sector
Myburgh has particular ire for opportunistic IT companies who choose a breach as a good time to pitch for business.
“We’re trying to stabilise a bleeding client, and they’ve got 20 companies contacting them, and saying: ‘If you had our product, this wouldn’t have happened to you’.”
He also draws attention to the shameful behaviour of local IT firms, which monitor dark web sites for signs of companies that have been compromised, and then follow this up with a sales pitch.
Bidoli calls these companies the ‘ambulance-chasers of the IT sector’.
She also wants to know when it’s worth paying the ransom, and when it’s not.
Myburgh says he’s undertaken 16 negotiations with hackers and taken care of about a dozen crypto payments.
“Nobody can tell you they’re an expert in this, because there’s no training. You’re dealing with a criminal. He’s sitting in East Africa, in Russia, or China.”
Myburgh says if a company has a set of healthy backups, it can recover.
“It becomes a business decision when it’s cheaper to pay the ransom than it is to rebuild your business. Companies can go bankrupt. In 2020 we had two separate clients commit suicide.”
He says his firm has been ‘very lucky’ in that, in the cases where it received the decryption key, the key worked as promised. But it’s still a fraught process: interrupt the decryption process and the firm’s data may be damaged.
“When you do the restore, you can’t restore the encrypted environment, because if something goes wrong, that’s your only copy,” he says, adding that backups of the encrypted environment need to be made, scanned and decrypted before a restoration attempt.
And, once ‘they’ve stolen your data, you’ll never get it back’.
He says some hackers have given him an undertaking that the stolen data has been deleted, and that in the case of a client in the healthcare industry, this has held true, or at least seems to be holding true, because the data has not leaked after four years.
“So far we’ve been lucky. But you are dealing with a criminal.”
Is a company bound to inform law enforcement if they’ve paid a ransom?
MacRoberts says the US Office of Foreign Assets Control issued advisories in 2019 which required due diligence to be done on any ransomware payments involving US citizens.
This diligence will involve running checks on the bitcoin wallets of known criminal gangs.
“There are a number of listed groups which have been confirmed to be involved with the Kremlin, for example, and where payments cannot be made by US related companies.”
Damage control
MacRoberts says Clyde & Co always advises its clients to report the case to law enforcement, both in terms of South Africa’s Prevention and Combating of Corrupt Activities Act, which has a threshold of a paltry R100 000, and because “It’s just the right thing to do.”
He says there may be strategic reasons for entering into negotiations, such as buying time, but there are also extreme cases in which the nature of the encrypted or stolen data is so critical that, if the organisation doesn’t cooperate, there is a ‘threat to life’. In situations such as these, there may be no alternative but to pay.
How to manage the reputation of the organisation if news of the breach, and perhaps payment, leaks to the media?
Bidoli says she’d rather not proactively provide the information, ‘but if it’s out there you can’t deny it’.
“You just need to justify why you’ve done that. If it’s a case of getting a hospital system up and running, patients’ lives are more important.”
Who should firms contact? MacRoberts says with the advent of the Cybercrimes Act last year, there is now a new reporting framework, but it’s not yet in place. He does, however, expect the SAPS to provide a dedicated reporting function.
Myburgh says that at the moment, a breach needs to be reported at a local police station, a process which he describes as ‘cumbersome’.
MacRoberts says it’s important to keep the regulator ‘onside’ and that this is one of the first places that a report is likely to be made.
He says that some South African companies have not done the right thing, and this can mean the regulator chooses to become involved.
“Now you’re effectively fighting a breach on two fronts; you’re dealing with the incident and triage and stabilising the patient, and you’re answering questions from the regulator and law enforcement is getting involved.”