Article | Cyber Extortion Attack on JBS
6th July 2021
The recent cyber extortion of JBS S.A., by sales the world's largest meat processing company, controlling approximately 20% of the slaughtering capacity for U.S. cattle and hogs alone, has again highlighted the growing financial and security threat posed by cybercrime, but also the potential for cyber insurance to protect companies against associated losses.
Typically, the perpetrators of cyber extortion take control of a target's systems and then demand the payment of a substantial fee to restore access. The specifics of the wide-ranging cyber attack on JBS remain largely unreported; however, it is known that the attack took control of multiple IT systems, greatly affecting the company's ability to function and forcing the shutdown of some U.S. and Australian operations. The attack also threatened to cause wider disruption to the meat market, as livestock futures slumped while pork prices rose. JBS subsequently paid an $11m ransom to restore access to the systems.
It has not been revealed how the hackers gained control of JBS' systems; however, this commonly involves the exploitation of insufficiently protected legacy systems, or of systems without security measures such as two-factor authentication, meaning the hackers can gain access with a password alone, without a second step such as a code sent by text message. Other common forms of cyber attack include phishing, where fraudulent communications are disguised to appear to come from reputable sources in order to steal data or install malware, and SQL (Structured Query Language) injection, where an attacker inserts malicious SQL into the queries an application sends to its database in order to reveal information, such as passwords.
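To make the SQL injection point concrete, the following is an added example, not code from the original article and unrelated to JBS' systems. It uses Python's standard sqlite3 module with a constructed in-memory user table (the usernames and password hashes are placeholders). The first lookup builds its query by string concatenation, so whatever the user types becomes part of the SQL; the second passes the value as a bound parameter, which is the standard mitigation.

```python
import sqlite3

# Constructed sample data for the demonstration: placeholder users, not real credentials.
SAMPLE_USERS = [
    ("alice", "hash_a1"),
    ("bob", "hash_b2"),
    ("carol", "hash_c3"),
]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: the input is spliced into the SQL text itself.

    A value containing a quote character changes the structure of the query,
    so the database can be made to return rows the caller never intended.
    """
    query = (
        "SELECT username, password_hash FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the input is bound as a parameter.

    The driver sends the SQL and the value separately, so the value is only
    ever compared as data and cannot alter the query.
    """
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchall()


def demo():
    """Run both lookups on a normal username and on the textbook injection string.

    Returns the row counts so the difference can be checked programmatically.
    """
    conn = make_db()
    normal = "alice"
    # Constructed input: the classic textbook payload used to show the defect.
    injected = "' OR '1'='1"
    results = {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_injected": len(lookup_vulnerable(conn, injected)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_injected": len(lookup_safe(conn, injected)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

With the vulnerable lookup the injected input returns every stored password hash, which is exactly the kind of disclosure the article describes; the parameterised lookup returns nothing for the same input, because no user literally has that name. Parameterised queries (or an ORM that uses them) are the control to look for when reviewing an application's database access.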
In recent years, cyber extortion has evolved not only to lock up data, but also to threaten the release of price-sensitive information, personal data or incriminating material, posing additional reputational, legal and compliance risks to businesses. According to research conducted by Palo Alto Networks, the average ransom payment demanded has also increased significantly in recent years, from $115,123 in 2019 to $312,493 in 2020.
The common demand by cyber extortionists to be paid in cryptocurrencies may pose a further risk to extorted organisations and their insurers, especially given the volatility in cryptocurrency values. Although security services such as the FBI have had success in seizing bitcoin paid as ransom, victims of cyber extortion who pay in such cryptocurrencies remain exposed to significant fluctuations in their value during the period of the attack. Insurers will likely bear that loss under the terms of a cyber insurance policy, but even where part of the ransom paid is recovered, insureds may still be adversely affected by the risks inherent in dealing with unreliable cryptocurrency infrastructure.
It remains unknown whether JBS benefited from a cyber insurance policy; however, on the basis of the known facts it is likely that such a policy would have responded to cover some of the losses incurred.
How can cyber insurance help protect businesses and organisations in the consumer sector?
Cyber insurance is designed to provide protection to businesses against threats in the digital age, indemnifying them against operational, reputational, legal and compliance costs incurred as a result of cybercrime or mishandling of data.
Cyberattacks can impact all businesses, although large consumer businesses, typically being complex, multi-national operations, are perhaps especially tempting targets for cyber criminals seeking to extort money. Most businesses operating in the consumer sector will be acutely aware of cyber security risks and of the benefits of sharing risk with insurers, even though comparatively few businesses procure cyber insurance. A 2017 OECD paper estimated the take-up of stand-alone cyber insurance at around 30% in most countries.
Paying ransoms is rarely advisable, but ransom payments can be covered by insurance. Even those organisations which pay ransoms still need to incur the costs of forensically isolating and remediating the vulnerability, completely cleaning the systems of malware before restoring the data, and any costs of notifying regulators and individuals in the event personal data is impacted. Cyber insurance can significantly help defray those costs.
Coverage under cyber insurance policies is typically triggered by data loss or unauthorised access to an insured’s systems, or systems hosted by third parties. Unlike traditional business interruption policies, it is not necessary to establish physical damage to property in order to trigger the payment of an indemnity. The types of loss insurable under a cyber policy include:
- revenue lost as a result of a cyber attack. Even after systems are restored the victims of cyber extortion may continue to suffer business interruption losses due to the wider ramifications of an attack, for instance ongoing reputational damage can continue to affect profitability;
- the value of any ransom payment paid (and associated costs incurred negotiating with hackers). Payment of ransom may be legally permissible in certain circumstances (and it is important to check whether any payments would be to sanctioned entities or would result in payments to designated terrorist organisations), but it is contrary to government advice, and controversial as it may encourage further criminal activity and may not lead to return of information allowing restoration of systems;
- the restoration of hacked systems;
- any compensation paid to third parties for loss or exposure of their data;
- reputational damage; and
- to the extent insurable, regulatory and compliance costs.
For any questions concerning cyber insurance or cyber security generally, please do get in touch.