In September 2022, the FBI and the CISA (Cybersecurity and Infrastructure Security Agency) warned of ransomware attacks “disproportionately targeting the [K-12] education sector.” In the same month, the Los Angeles Unified School District was attacked by cyber criminals. When the district refused to pay a ransom, the criminals released more than 248,000 files containing Social Security numbers, contract and legal documents, bank account details, health information including COVID-19 test data, previous conviction reports, and psychological assessments of students. Before these warnings and recent attacks, the Las Cruces Public School District (LCPS) of New Mexico survived a ransomware attack in the fall of 2019. This article uses LCPS as a case study to show how good planning and cyber insurance can help organizations survive a ransomware attack.
The Attack
In the early morning of October 29th, 2019, cybercriminals froze LCPS servers, financial systems, and student and employee information. How did the criminals gain access? According to Matt Dawkins, LCPS Director of Information Technology, an early investigation determined that the attackers gained access to the LCPS computer systems in June of that year through phishing emails asking LCPS staff members to log in using their LCPS credentials. Once the attackers gained administrative login rights, they “released malware to control their computer network remotely. From that point, they could log into the servers and start installing their encryption software.”
The attackers then waited until the middle of the fall semester—days before Halloween—to lock the LCPS system and demand a ransom paid in bitcoin. Instead of paying the ransom, LCPS activated their crisis response team, contacted their cyber insurers, and chose to rebuild their data systems from scratch using a recent system-wide backup. The success of LCPS can be traced to their advanced planning, hard work, and coordination with cyber insurance policy professionals.
LCPS’s advanced planning included backing up their entire system within weeks before the attack, having a crisis response team ready to activate, and purchasing a cyber insurance policy. Purchasing the policy gave LCPS access to cyber professionals with experience in ransomware attacks. Dawkins could not give specific information about the policy, but he did disclose that the cyber liability policy provided an independent IT forensic group that did a full investigation to track the attack from its inception to the end.
Businesses and cyber insurance professionals are often forced to determine which is worse: paying the ransom or not paying the ransom. Paying the ransom obviously costs the price of the ransom, but it may also cost insurers and other businesses more in the future if successful attacks encourage more attacks. Not paying a ransom also has its cost: in the case of LCPS, it required 18 people in the LCPS information technology department working hard for two and a half months over their holiday break to fully “wipe and restore close to 20,000 devices throughout the entire district,” according to Dawkins. The district updated their hardware, updated their systems, and purchased an upgraded firewall that would help detect similar attacks in the future.
Cyber Insurance
Cyber insurance is usually divided into two types of coverage: first-party and third-party. First-party coverage helps the business with expenses arising from a security breach that directly impacts the business. This can include a forensic investigation, recovery of lost or stolen data, paying a ransom, fixing a website, and notifying others if their data is affected. The cost to notify others should not be overlooked: “All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving personally identifiable information.”3 If you are a business that holds the personal information of millions—or in the case of the Yahoo breach, billions—of customers, the notification costs alone can be substantial.4 First-party insurance may also pay costs to help minimize the business interruption and the loss of income that results from the security breach. In the case of LCPS, the cost to minimize the disruption could mean assistance with the extra cost for the 18 people in the IT department working overtime for months to correct the problem.
Whereas first-party coverage helps with losses suffered directly by the insured, third-party coverage provides the insured with financial relief for any legal action taken against the insured by someone else. For example, if hackers freeze a payroll processing website, it may not be only the payroll processing company that suffers, but the customers who cannot access their payroll as well. The insured payroll processing company may be liable to these third parties and may find protection under the third-party coverage of a standard cyber insurance policy.
Lessons Learned
Before the spate of recent cyber attacks on public schools, LCPS illustrated how to use planning and cyber insurance to mitigate the effects of a ransomware attack. Without their cyber insurance policy in place, the district would have had to pay for all the expenses associated with the attack. The cyber policy also provided an independent IT forensic group that was crucial to the districts timely and effective response. Although third-party coverage was not necessary in the LCPS attack, third-party coverage is essential in situations like the Los Angeles Unified attack where attackers leaked the personal data of hundreds of thousands of students and staff.
In addition to having a good cyber insurance policy, other preventative measures should be put into place to avoid ransomware attacks. For example, hardware and software systems should be maintained, firewall software should be purchased to detect activity, and employees should be trained to identify phishing emails and how to report suspicious activity.
- https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
- https://techcrunch.com/2022/10/03/los-angeles-school-district-ransomware-data/
- https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- https://www.upguard.com/blog/biggest-data-breaches-us#:~:text=1.%20Yahoo!&text=The%20data%20breach%20of%20Yahoo,over%20the%20next%20three%20years
Enroll in the PROfocus Cyber Risk Course to acquire the skills needed to adapt to the ever-changing risks posed by our hyperconnected world.
Authors:
Tavyn Trujillo, Adrianna Baeza, Celina Camarillo-Dilbert, David Devore, Hannah Draper, Alex Guljas, Tyler Hoffman, Dwight Kealy, Aaliyah Mesa, Leonardo Ramos, Nathaniel Rowe, Yoselin Terrazas
About the authors:
This paper was written as partial fulfilment of a class on Insurance and the Law in the College of Business at New Mexico State University where students can earn a minor in Risk Management and Insurance. Their professor is insurance attorney and author Dwight Kealy, who received his CIC designation in 2007 and has been a faculty member with The National Alliance since 2011.
