A transportation company’s response to a ransomware attack

Ransomware attacks have increased in frequency, severity, and sophistication, affecting every industry, including transportation, where an attack can paralyze operations.

Consider Global Freight Forwarders, a hypothetical North America-based freight forwarding company that is the victim of a ransomware attack. With its systems frozen, the company is unable to book new business, match loads to ships and trucks, or keep track of clients’ deliveries.

The attack holds the potential for weeks of disruption and eventual reputational damage, aside from the potential costs of paying the ransom and downtime and restoration expenses. The potential leak of personal information can also result in significant additional costs for notification and credit monitoring.

Proactive tabletop exercises aid effective response

With no visibility into its clients’ accounts and unable to easily book new shipments, Global Freight Forwarders is losing money and facing potential legal ramifications if contractual obligations cannot be fulfilled.

The company’s leadership understands the implications of a ransomware attack, having recently gone through a tabletop exercise as part of preparedness planning. The exercise included identifying the multiple stakeholders to be consulted following a ransomware attack, including in-house and outside legal counsel. They had also identified and vetted specialty vendors that would help the company respond and recover from an attack.

As computer forensic specialists investigate the incident and work to limit the malware’s spread, crisis management and public relations teams discuss ways to minimize reputational harm. The company also engages a specialist law firm with expertise in ransomware to serve as the incident response coordinator.

A situation-specific decision

Based on the specific situation, leadership must decide on whether to pay the ransom and start preparations for the cryptocurrency payment should the company choose to make the payment. This process involves legal and regulatory checks to make sure the payment is not prohibited under rules established by the Office of Foreign Asset Control.

A pre-identified ransomware response vendor communicates with the attackers and helps test decryption keys to make sure they work before a payment is made and the IT team would use the key to restore network access. The process typically takes three days, but it would be weeks before the company’s affected systems are fully restored. A forensic team checks whether malware remnants are still in the system, identifying and eliminating any backdoors. Backups are reconfigured and tested, and new hardware and software is purchased to improve overall security.

Claims advocacy critical to recovery

Global Freight Forwarders’ Marsh representative has maintained communication with the company’s cyber insurers since Marsh was first notified of the attack. The company’s cyber insurance policy includes reimbursement for the ransomware payment and covers the costs of the vendors. Insurance will also cover costs associated with incident response, including attorney fees, PR expenses, and data restoration costs, as well as lost income that Global Freight Forwarders sustained during the period of downtime.

Marsh helps the company prepare a detailed claim submission, including all information about decisions taken during the incident, which is presented to the cyber insurer. The company recoups the reasonable and necessary costs, minus self-insured retentions, under the policy terms.

Post-incident review

Once operations are running smoothly, Marsh helps Global Freight Forwarders review its response and recovery to better understand and document what went well, identify gaps or weaknesses, and update incident response plans.

With Marsh’s help, the company’s risk management team updates the cyber incident response plan to include specific actions required to address a ransomware attack. This is critical in making timely decisions during a crisis.

The right risk and insurance advisor can help companies like Global Freight Forwarders effectively plan and prepare for a potential ransomware attack, allowing them to more proactively protect operations, systems, revenue, and reputation. Marsh’s team of cyber specialists can deliver recommendations before, during, and after a ransomware incident.

Preparing for a potential ransomware attack is a continuous process. Marsh’s team of cyber specialists can help you through:

For more information contact your Marsh representative.

Preparation of the airplane before flight. Airport at the colorful sunset.

Article

A transportation company’s response to a ransomware attack