Subscribe to our blog for all the latest news, updates, and events from MMA and our partnersSubscribe
Like so many businesses, MMA Insurance experienced some of the most difficult challenges in our history in 2020. As we sent employees home to work to minimize the risk of coronavirus, another invisible threat loomed, exposing itself in October 2020 when a ransomware attack nearly crippled our operations. We share our story because the very real risk of a cyber attack shadows businesses across the communities we serve and our worldwide community — a threat that will remain long past the pandemic. But as we learned, there are steps organizations can take now to mitigate risk of attack. In the unfortunate event of an attack, we hope these lessons learned may also help you respond quickly.
On an October morning, a MMA colleague was up early trying to check email but unable to connect. They notified an IT team member to troubleshoot. What was initially thought to be an easily addressed email issue, a little investigating soon uncovered a much larger problem: the primary company servers and backup servers had been encrypted, and email systems across all MMA locations were down. The ability for colleagues to access server files and communicate with each other and clients were hampered.
MMA’s Security Task Force comprising of senior leaders in operations, legal and finance were notified, and so began the longest week in MMA history.
“When we saw ‘Click here for decryption’ on our files, we knew this wasn’t a simple email issue,” said Kyle Brucker, managing director of technology at MMA Insurance. “We had been attacked, and the ransomware had infiltrated our entire network. We deployed our task force and immediately called our cyber insurance carrier.”
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data through encryption. The cybercriminals demand ransom in return for providing the decryption key. Encrypting ransomware is particularly malicious as encrypted files cannot be restored without a decryption key. Ransomware typically spreads by a victim unknowingly visiting an infected website or through phishing emails, emails masquerading as a trusted entity and encouraging victims to download a document or visit a link that secretly installs malware.
Due to new security challenges caused by the Covid-19 pandemic, cyber attacks have drastically increased, and there are no signs that attacks will decrease soon. In Q3 of 2020 ransomware attacks in the U.S. numbered 145.2 million — a 139% year-over-year increase according to cyber security firm SonicWall. While organizations of all sizes and types including local and federal government are at risk of cyber attack, the U.S. Cyber Security & Infrastructure Security Agency has released recent warnings of attacks targeting education, health care and public safety sectors.
Engaging our cyber insurance carrier as soon as the attack was discovered would prove to be the most valuable step in the path to recovery. Our carrier immediately connected us with a team of expert partners, including an IT security forensics firm, a negotiating team to deal with the cybercriminals and cyber security legal experts. These vendors and our MMA task force worked together to identify the scope of the attack, communicate with employees and clients without releasing compromising information, obtain the decryption key and resume normal operations as quickly as possible. But the process would take days and would be a lesson in what we had done right to plan for a crisis and what we could do better in the future.
“Cyber insurance companies and their teams are dealing with client attacks every day,” said Sarah Walsh, COO of MMA Insurance. “Even as a sizable company of 700 employees, we can’t employ in-house specialists across all areas of cyber security and disaster recovery. Our carrier was invaluable in creating our defense team of experts who complemented our internal capabilities and guided us to resolution.”