CyberGuide - Information Security and Cyber Risk Management

Insurance cover for ransom payment ‘wasn’t even in the forefront’ of Colonial Pipeline CEO’s mind

By Erin Ayers, Advisen

Reimbursement from Colonial Pipeline’s cyber insurance policy wasn’t top of mind when it came to deciding to pay the ransom, the firm’s CEO told a U.S. House of Representatives committee this week.

Colonial Pipeline has had cyber coverage for “quite some time,” Joseph Blount, Colonial Pipeline’s CEO, told members of the U.S. House Homeland Security Committee. The pipeline operator has submitted a claim for the ransomware event that prompted a dayslong shutdown, he added.

“I suspect that it will be covered,” said Blount. “That wasn’t my focus – it was to get access to that decryptor in an effort to get that pipeline restarted as quickly as possible. The insurance wasn’t even in the forefront of my mind.”

Paying the ransom provided the decryption tools and “additional services” from the DarkSide hackers, he said, adding “It was a tough decision, I didn’t like handing that money over to criminals.”

Some organizations, like hospitals, may not have any other option, Blount added, saying, “I’m not saying that’s a morally right or wrong decision, but it may be a decision you have to make.”

On June 7, the U.S. Justice Department announced it had seized $2.3 million in cryptocurrency paid to the Colonial Pipeline hackers. The federal involvement in the cyber event prompted congressional lawmakers to grill Blount on whether “the private sector can no longer go it alone” on cyber risk, in the words of Rep. Sheila Jackson Lee (D-TX).

Blount agreed, saying, “We have to stop the criminals and that’s something the industry can’t do without a partnership.”

Lawmakers also quizzed Blount on whether the company spoke to outside counsel before hiring FireEye to remediate the cyber event, in order to protect details of the response under attorney-client privilege, and questioned Colonial’s refusal of ongoing help from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

During a U.S. Senate hearing on June 7, Blount confirmed that DarkSide hackers were able to access Colonial Pipeline’s system via a single stolen password and an unprotected VPN. A focus of the hearing was to identify key takeaways for other critical infrastructure operators and businesses of all sizes to harden their systems against cyber threats.

“It’s the warning we should all see before an attack that debilitates us in a much more significant way,” said Elissa Slotkin (D-MI). She asked whether Colonial Pipeline has deployed ethical hackers to find vulnerabilities.

“You have to continually stress-test your system. It’s like all technology that changes constantly,” said Blount, citing the tabletop exercises Colonial Pipeline conducts to test business continuity. He said the pipeline ultimately had “very quality back-up systems that allowed us to bring the pipeline back online sooner rather than later.”

“We’ve had a criminal inside our system. We’ll be doing a lot of things differently,” he said, but declined to give details, noting, “We don’t want to give a roadmap to the outside criminals.”

Editor Erin Ayers can be reached at [email protected]