On November 16, 2021, the U.S. House of Representatives Committee on Oversight and Reform issued a memo to members that outlines the results of its investigation into the CNA Financial Corporation (CNA), Colonial Pipeline Company (Colonial) and JBS Foods USA (JBS) ransomware incidents that occurred in 2021. Ultimately, the memo is intended to support the development of legislative and policy responses to counter the threat of ransomware.
According to the memo, CNA (an insurance company) paid $40 million, Colonial (a fuel pipeline operator) paid $4.4 million and JBS (a meat processor) paid $11 million in Bitcoin ransoms to their respective incidents’ threat actors.
The Committee’s findings highlighted three key observations:
1. “Small lapses led to major breaches.”
2. “Some companies lacked clear initial points of contact with the general government.”
3. “Companies faced pressure to quickly pay the ransom.”
All three incidents resulted from threat actors exploiting what could be considered minor security program oversights. Colonial’s incident involved access to the company’s systems due to a stolen password linked to an old user profile. JBS’ attackers gained access via compromise of a weak password associated with an old network administrator account. CNA’s incident was caused by an employee installing a malicious file (via a fake web browser update).
Consistent with the Committee’s intention to aid the development of legislative and policy responses, the memo highlights various “challenges” that occurred while reporting the companies’ incidents to federal regulatory and law enforcement authorities.
The memo continues by highlighting the significant pressure these three companies faced to pay the ransom quickly due to the potential impact on their reputation, stock price or ability to meet their customers’ needs.
Two key takeaways from this report:
1. Organizations need to adhere to Cybersecurity Best Practices.
During the cyber insurance policy negotiation process, insurance carriers ask many questions in the form of applications and application supplements. These questions are an attempt to understand how closely a company follows a best practices approach to cybersecurity risk management. These discussions often end up as conversations about a company’s implementation of cybersecurity tools, with minimal thought given to the organization’s overall cybersecurity governance and health. Tools are intended to assist companies with adherence to best practices, not to be the entirety of the best practices discussion. The incidents detailed in the Committee’s memo may have been avoided if best practices for password management, account and access management, and security training and awareness had been strictly followed.
2. Organizations need a Cyber Incident Response Plan.
A Cyber Incident Response Plan needs to be a proactive and iterative process: it should be exercised and revised regularly (annually, at minimum) and customized to address ransomware events specifically. A cybersecurity incident can happen to any organization. Companies must have a formal, repeatable approach to cyber incident response that includes both internal action items and coordination with external parties (such as a cyber insurance carrier, pre-appointed legal counsel, federal regulatory and law enforcement agencies and more). Most importantly, incident response plan development should take place prior to an incident.
A Way Forward
The cyber insurance market continues to harden with a significantly more detailed underwriting approach becoming the norm. Pursuing and maintaining cybersecurity best practices may not only reduce the likelihood and severity of a cyber incident, but it may also make cyber insurance more accessible to more organizations.
About the Author
Director of Risk Control
Travis Wong is the director of risk control at Resilience. Prior to joining Resilience in 2021, Wong served in cyber and general risk consultant capacities at CNA Insurance, Travelers and Liberty Mutual Insurance. Wong holds a BS in bioengineering from the University of California, San Diego.