A 4-Point Checklist for Assessing Your Client's Ransomware Risk

This trend means that no company or organization is safe from a ransomware attack.

Ransomware attacks work exactly as they sound: Once hackers control essential data or systems, they hold these systems for ransom, refusing to relinquish control until the company pays a sum.

But often, paying the ransom doesn't result in the hacking group returning the ransomed data, and some experts have even called for a moratorium on paying ransoms outright.² While there's much discussion about the best way to deal with the current ransomware crisis, one thing is clear: Companies of all sizes are looking to expand their cybersecurity protocols and insure themselves against these kinds of attacks.

But because all organizations have differing levels of preexisting security and exist in fields with different levels of inherent exposure or risk to ransomware attacks, it can be difficult as an agent to quantify overall risk. Ransomware risk assessment may be complicated, but it breaks down into several key factors to help you get a baseline for overall risk.

1. Industry Vulnerability to Ransomware Attack

Some industries are more vulnerable to ransomware attacks, both because of inherent vulnerabilities in some industries and because hackers historically have targeted these industries more often.

From a top-down risk perspective, the result is an increase in risk if your client works in certain fields. The industries subject to ransomware attacks the most in 2021³ (in descending order) were:

1. Government
2. Education
3. Healthcare
4. Technology
5. Services
6. Manufacturing
7. Retail
8. Utility
9. Finance

This list can give a general idea of where your client may fall for big-picture risk, depending on which field they operate in. It's also important to note that hackers currently seem to be targeting larger organizations at a higher rate than smaller companies. Because hackers can ask much higher ransoms of larger companies without a significant increase in incidence-based risk of being caught, larger companies may fall into a higher risk bracket.

2. Location-Based Cyber Risk

Over the past few years, different parts of the world have seen different incidence rates of ransomware attacks. The U.S. had by far the highest rate of ransomware attacks in 2020, with no sign of this trend shifting. While this may not affect your risk assessment dramatically if you only serve clients based in a single country, it's worth looking at these numbers to get an idea of just how much ransomware attacks are correlated to location³:

3. Potential Damage

Every organization has different valuable data or systems, the loss of which could cause significant stress or pain to daily function. The goal is to ascertain which types of data hackers would likely want to break into and assess the worst-case scenario for a successful ransomware attack.

Companies that work in different fields generally have different types of data for which they would be loath to lose access. Medical companies might store large amounts of extremely personal patient data, while tech companies store an entirely different type of customer data. Different government organizations often have widely variable types of data, some caches of which might be extremely valuable, while other might be entirely uninteresting to hackers. It can be useful to consider how valuable the data in question might be to hackers, and how much data a client has that they couldn't operate without.

Once you have an idea of how much valuable data a prospective client has, consider how damaging a breach of any part of that data would be. Would a successful attack immobilize the entire company or just some departments? Would the data be so valuable that the shareholders would force the organization to pay the ransom, even if the chance of getting the data back was slim? All of these factors may play into your overall risk assessment.

4. Technical and Response Analysis

It's also important to take a look at how prepared an organization is for an attack. Look at their detection, response and prevention systems to get an idea of how they may react. Looking at the level of employee security training can be a great indicator of overall security. As many ransomware attacks start with employee phishing,⁴ training can be an important metric for understanding a company's risk level.

Another useful thing to look for is redundancy, or cross-pollination, of essential data. Is an organization's most essential data stored in multiple locations, possibly at multiple security levels? Decentralized data can be a sign of oversights or weakness in the overall level of preparedness.

Hacks are happening at such a high rate that it's not unlikely that a prospective client has been attacked with ransomware before. If so, you probably want to do a detailed assessment of their previous response to the situation and how — or if — they improved their procedures since the attack. If you don't see signs of heightened security after a past attack, there's no question that their risk will increase.

Determining an organization's ransomware risk is an extremely complicated task that takes a great deal of data collection, analysis and time. While many insurance companies have advanced procedures for assessing ransomware risk levels, these steps are a good surface-level starting point for agents who are looking to make some simple determinations at a glance.

Sources

¹Hancock, Joe, "Assessing Ransomware Risks," Mishcon de Reya, accessed 25 Aug 2022.

²Schiappa, Daniel. "The Ransomware Crisis Is Getting Worse," Forbes, 12 Apr 2021.

³"The State of Ransomware in 2021," Blackfog, 4 Jan 2022.

⁴"Phishing attacks," Imperva, accessed 26 Aug 2022.