Reed Smith Client Alerts

Another serious ransomware attack has been reported – this time involving a multinational tech company with headquarters in Florida and Massachusetts. In addition to causing major disruptions to the direct victim of the attack, the incident has potentially serious ramifications for the victim’s clients and customers.

Cloud-based, HR management service provider Ultimate Kronos Group (UKG or Kronos) reported that it suffered a ransomware attack on December 11, 2021. According to a December 13 statement by UKG’s Executive Vice President Bob Hughes, the breach impacted several of Kronos’ HR-related functions, and Kronos anticipates that those functions will be affected for “several weeks.”

Major corporations across various industries, including health care companies, hospitals, municipal governments, and university systems, rely on Kronos. This ransomware attack appears to have already affected some of Kronos’ customers, leaving employees of those customers facing the prospect of delayed paychecks until after Christmas and the end of the year.

But I’m not a Kronos customer…

Kronos ransomware attack is not an isolated event. Some of the largest and most recognized cloud-based service providers in the United States have already been hacked. You may not be a direct Kronos customer, but that does not mean that the data that you have provided to a third party has not made its way onto a cloud-based platform.

From a cyber-insurance perspective, some of the questions entities should be asking when they apply for, or renew, their cyber insurance include: Do we receive data from third parties? Where is that data stored? Who has access to the data? Is the data transferred to a cloud or other third parties? A complete understanding between a company’s IT department and its business associates is critical to ensuring that a company has fully assessed all potential risks that may need to be covered by its insurance.

What can I do to prepare for a ransomware attack?

Because of the transferable nature of electronic data, entities that receive customer data or personally identifiable information are responsible for the security of that data. When applying for cyberliability insurance, it is imperative to work with your IT department, as well as business associates, to ensure that all are aware of where data is stored and whether it is transferred to a cloud-based system, or to any other third party.

Also, do not wait for a breach to happen. Companies should create, review, and test-drive their cyber-incident response plans. Understanding what your insurance policies cover, and the notice required under those policies, is a critical part of every comprehensive incident response.