Tag Archives: cyber insurance

Ransomware Grows More Pernicious

Ransomware attacks and ransom payments for data continue to spike, with The New York Times reporting a 40% increase between 2018 and 2019.

As cyber threats go, ransomware is especially insidious, because these attacks, hitting everything from municipalities to banks to small businesses, often go unreported. That means less shared information and fewer actionable insights for insurers or insureds trying to arm against an ever-morphing enemy.

We saw a gap — leading incident response experts who work with the cyber insurance industry didn’t have a forum to exchange information about what was happening on the front lines of these attacks.

We needed a way to get our arms around this problem to better support our cyber insurance carrier partners, a way to keep up to date and better understand the data trends from the expert’s vantage point at ground level.

Enter the Cyber Insurance Ransomware Advisory Group, which NetDiligence assembled in early 2020. It features 20 members from leading breach incident response service providers, including Arete, Charles River Associates, CrowdStrike, Kroll, Kivu, Tracepoint, MOXFIVE, Tetra Defense and others.

The group meets quarterly and at select NetDiligence Cyber Risk Summit conferences to discuss emerging trends and best practices and make these insights available to the cyber insurance industry.

The Emergence of the Maze Variant

One of the key takeaways from the inaugural meeting was the emergence of the Maze variant and a “new normal” of data exfiltration, often including stolen private customer information.

Whereas previous generations of ransomware have been designed by threat actors to encrypt data and extort an organization for bitcoin in exchange for the decryption key, Maze significantly increases the pressure on the victimized organization and threatens to make the stolen data public by releasing it on the internet.

This has magnified the potential loss exposure and has led to a host of new privacy data breach risks for insureds — with accompanying notification requirements.

Even clients capable of restoring files from secure backups may find themselves subject to privacy data breach impacts, such as the need to comply with state breach notification laws that include attorneys general and the victimized population, which significantly increases claim costs.

See also: 5 Questions That Thwart Ransomware  

Ryuk Is Still Ever-Present

Another dangerous variant, Ryuk, continues to plague organizations with its tendency to attack both servers and workstations.

Experts expressed concern about organizations responding to Ryuk attacks with complete network shutdowns rather than impact isolation.

When assisting small to medium-sized enterprises (SMEs), experts often find it challenging to convince management of the necessity of deploying automated malware eradication and remediation tools and to ultimately convince these organizations to keep endpoint protection in place once the immediate incident is resolved.

What Other Ransomware Concerns Are Out There?

Other specific ransomware types encountered include DoppelPaymer, Sodinokibi, REvil and Netwalker, as well as the continued rise of ransomware as a service (RaaS).

During the COVID-19 global pandemic, the impact of ransomware could prove devastating to an organization that may already be struggling.

Many of the widely held notions about ransomware are changing, we found. After paying the ransom, some organizations may never receive the promised decryption key (in the past, certain threat actors were believed to be reliable).

Even with reliable threat actors, experienced negotiation can be critical.

Threat actors are also extorting organizations to pay for their encrypted administrator-level credentials. And, increasingly, ransomware affects the backup files, as well, encrypting or otherwise making them unusable for data recovery.

The experts reported that more than 50% of the time backups had already been exploited.

To Pay or Not to Pay

Nevertheless, recovering from a viable and segmented backup repository is still the preferred method of the majority of experts rather than paying the bad guys.

In fact, reported time for business interruption is much longer for cases where the ransom is paid — lasting from three to 15 days. If backup is used, business interruption typically spans one to 10 days, experts say.

This was a bit of a surprising finding. Members advised that the negotiation process itself, as well as problems encountered with the unreliable decryption keys, have contributed to delays with the bitcoin payment path and extended the business interruption.

A Need for a Cyber-Ready Team

A continuing concern in ransomware remediation is how difficult it is for SMEs to respond in a timely manner to the essential task of paying larger amounts of bitcoin, or authorizing a third party to pay, to meet the ransom demand (averaging $100,000 but, depending on severity, ranging from $400,000 to $8 million, according to group members) within the response deadline they are given.

SME clients often don’t have the liquidity for these significant payments, even if their cyber insurer will reimburse them.

What’s more, SME-sized IT departments are often unprepared to deal with this type of business interruption and may at times lack a functional understanding of cyber policy coverages and the supporting claims process, which forces them to learn on the fly during the crisis — underscoring that preparation is key.

Finally, the expert group reported that leading cyber security deficiencies that continue to haunt organizations include the usual suspects: lack of multifactor authentication, lack of next generation anti-malware endpoint protections, open remote desktop protocols, unsegmented backups and lack of employee training.

One thing is certain: The ransomware scourge is no fleeting trend. Experts believe that it’s here to stay, inflicting damage as long as companies are willing to pay.

With the onset of COVID-19, ransomware attacks continue apace. While the nature of the attacks has altered slightly, their frequency has not, said Winston Krone, global managing director of Kivu Consulting.

See also: A Dangerous New Form of Ransomware  

The Ransomware Advisory Group will continue to stay on top of these threats so that carriers and their policyholders can defend against them.

Quick Takeaways for Cyber Carriers and Covered Entities:

  • Ensure that policyholders’ management has in place an actionable data breach incident response plan that can be accessed at a moment’s notice and includes vital third-party experts known to their cyber insurer.
  • Offer SMEs a loss control checklist of baseline must-have cyber security measures to mitigate ransomware, such as multifactor authentication (especially for O365), endpoint protection (for example, CrowdStrike's Falcon Prevent), closing exposed remote desktop protocol (RDP) access, cloud-based backups and employee training.

You can find this article originally published here on riskandinsurance.com

How to Fight Rise in Cyber Criminals

Coronavirus is changing how people work and interact every day. Many companies have needed to expand their remote working capacity as a result of the outbreak – and usually at very short notice. To provide as many employees as possible with easy access to operating software and systems quickly, in some cases IT security standards have had to be lowered or suspended, resulting in potential cyber security exposures for companies.

One consequence of potentially laxer security may be that cybercriminals and hackers may find it easier to penetrate previously protected corporate systems, causing data breaches, cyber blackmail intrusions and IT system failures.

According to the Allianz Risk Barometer, an annual survey of more than 2,700 risk management experts around the globe, cyber risk already ranked as the number one threat for businesses in 2020 before the coronavirus outbreak. That ranking was driven by three concerns: data breaches becoming larger and more expensive; ransomware incidents bringing increasing losses; and business email compromise (BEC) or spoofing attacks, which typically use social engineering and phishing emails to dupe employees into revealing confidential or valuable information. BEC attacks have resulted in fraudulent losses in excess of $20 billion since 2016.

Unfortunately, the significant increase in home workers accessing the corporate network with a virtual private network (VPN) connection because of the coronavirus pandemic only exacerbates these risks, providing a perfect opportunity for cyber criminals, as recent events demonstrate only too well.

It is estimated that anywhere between 50% and 90% of data breaches are caused or abetted by employees, be it by simple error or by falling victim to phishing or social engineering. Recent events demonstrate the vulnerability only too well. In April, Google detected and blocked more than 18 million malware and phishing emails and 240 million daily spam messages related to the coronavirus pandemic in a single week. In total, Google blocks more than 100 million phishing emails each day.

See also: Coronavirus Boosts Cyber Risk  

If remote workers fall victim to a cyberattack, it puts their work network at risk. There are several effective security measures businesses can apply to help remote employees combat internet attacks.

Keep Software Up to Date

Check whether you can use current versions of operating systems and installed programs. If possible, use the automatic update feature, which is often the default setting. Otherwise, immediately install security updates for your software, especially for your web browser and operating system.

Use Virus Protection and Firewalls

Check that virus protection and firewalls are activated, but keep in mind that they are effective only as one layer alongside other security procedures. Using them does not reduce the importance of the other tips in this article.

Create Different User Accounts

Malicious programs run with the same rights as the user account through which they entered the computer. You should, therefore, only work with administrator rights when absolutely necessary.

Be Cautious About Sharing Personal Data

Online fraudsters increase their success rates by addressing their victims individually: previously gathered data, such as browsing habits or personal names, is used to inspire confidence. Today, personal data is treated as a currency on the internet and is traded accordingly. When using public wireless local area network (WLAN) hotspots, connect through a VPN to your home network if possible.

Otherwise, data transmitted unencrypted can be read by third parties. A VPN also protects against a number of other attacks on the PC and the data stored on it.

Use Up-to-Date Web Browsers

Check your browser settings for components and plug-ins that can be disabled. For security-critical websites, such as online banking, enter the address manually in the browser's address bar the first time and save it as a bookmark, which you can then use for secure access.

Two-Factor Authentication

Where two-factor authentication is offered, use it to secure access to your account. A password manager can facilitate the handling of different passwords. Do not share your passwords with third parties.

Protect Your Data Through Encryption

Protect your confidential emails with encryption. If a WLAN is used, pay attention to the encryption of the wireless network, following your entity's information security guidance. Unless your information security officer (ISO) specifies a higher standard, select the WPA3 encryption standard in your router or, if WPA3 is not yet supported, WPA2 until further notice. Choose a complex password of at least 20 characters.

Identify All Participants in Online Sessions

It is particularly easy for unauthorized persons who have obtained the dial-in details to join large online meetings with many participants. That’s why everyone who appears in the meeting needs to briefly identify themselves, especially when discussing sensitive topics and sharing presentations on screen.

Be Extremely Careful With Suspicious E-mails or Attachments, Especially if the Sender Is Unknown

Especially in the familiar environment of your home office, you must be wary of suspicious e-mails. Take your time and check each email thoroughly before you open it.

Please see CORONAVIRUS: STAYING CYBER-SECURE THROUGH THE PANDEMIC for a complete list of IT security measures.

See also: New Enhancements for Cyber Coverage  

COVID-19 is one of the many crises that hackers and scammers leveraged to exploit vulnerable businesses, and they will find more innovative ways in the future. More than ever, it is vital for organizations to protect themselves from malicious cyberattacks by educating employees about how to identify and prevent cyberattacks and implementing home security policies for remote workers.

10 Tips for Moving Online in COVID World

In the retail industry, O2O “online-to-offline” signifies an online trigger, such as an ad, that prompts consumers to go to a physical location to complete their purchases, but it can also occur in the opposite order.

In the insurance sector, over 100,000 independent agents in the U.S. depend on high-value networking, customer references and direct carrier relationships. For insurance professionals, interacting with customers face-to-face has been vital. But in the wake of the coronavirus, it is critical to move insurance agencies from an offline to an online model, O2O, where almost all of the tasks agents were accustomed to doing day to day need to be done completely remotely.

This change can offer considerable benefits if executed correctly: higher productivity, greater scale and a high degree of accuracy that allows agents to continue to build trusted relationships. As risk management advisers, agents are responsible now more than ever for equipping policyholders with unbeatable risk transfer strategies. As cyberattacks on small to mid-size businesses (SMBs) continue to escalate, cyber insurance presents an opportunity to rebuild an agency book of business when done right. 

Here are 10 tips on jumpstarting your O2O transformation:

1. Focus your efforts on insurance lines with growth opportunity

Cyber insurance is relatively new, with substantial opportunities for adoption in the SMBs market as cybercriminals exploit people’s vulnerabilities using sophisticated social engineering attacks during COVID-19. In fact, phishing has increased by over 600% since the end of February, according to security provider Barracuda Networks.

2. Prioritize industries for which cyber insurance is vital

Organizations have begun using SaaS applications and operations in an effort to digitize online but will likely be left vulnerable to cyber incidents. Recognize which industries are either required to obtain cyber insurance or are paving the way for digital transformation.

See also: Will COVID-19 Be Digital Tipping Point?

3. Select partners that operate exclusively online

Now is the perfect time to reassess the insurance carriers and programs that you’re working with for capacity to shift online. Today’s technology allows businesses to deliver a vertically integrated insurance solution that ties together insurance requests, risk assessment, underwriting and policy and claims management in one system enabled by a common, relevant dataset. 

4. Search for admitted, standalone programs

This is directly related to your carrier of choice. The shift toward standalone cyber insurance programs is occurring because cyber insurance provided as an endorsement to other intricate coverages only creates more complexity. Standalone cyber programs outline what incidents are and are not covered, and the policy’s aggregate limit and sub-limits for each coverage, along with precise cyber criteria. 

5. Align risk to coverage, as your go-to sales pitch 

Cybersecurity aims to safeguard a business’ use of technology and the web. Each business uses different applications and operates in its own way. In turn, each business has drastically different risks that should be recognized by policies. Policyholders must be able to account for the coverages, aggregate limit, sub-limits and deductibles that best fit their risk assessment. 

6. Learn as much as the customer about the risk, if not more

Cyber risk exposures and attacks are constantly evolving. Evaluating an organization for cyber risk yearly is a risky and obsolete cyber strategy. Being able to regularly reevaluate risks and coverage on a continuing basis is necessary for cyber and shields all parties from coverage gaps.

7. Collaborate with carriers on prospecting

Transform your website to a producing site, not just a lead generation platform. API integration of your website into the carrier’s quoting and underwriting platform is instrumental in delivering a constant stream of potential cyber insurance consumers.

8. Educate policyholders on claims experience and loss control

Your customers should be equipped with security awareness training, generally administered by the carrier. Phishing simulation and basic InfoSec training are key education tools. Regularly providing policyholders with risk insights and remediation guidance delivers effective risk mitigation and loss control.

9. Educate yourself on what events activate which coverage

Outline for your policyholders what exactly is covered by the carrier’s insurance program by sharing your claim scenarios. Demand a list of cases for each incident that would activate specific coverage paired with concrete use cases.

See also: COVID-19: Implications for Business Models  

10. Don’t spend more than a few minutes on a submission, application or binding

Moving to an online operation can feel unsettling at first but, if done correctly, will produce real results:

  • Faster and more precise applications
  • Quicker turnaround time on quote and bind when working with a program that is also deployed online
  • Ability to offer additional services to policyholders as part of the online experience – risk assessment, training, notification of critical updates. Consistent communication online boosts customer satisfaction and opens the door to lasting relationships

New Enhancements for Cyber Coverage

Cyber insurance is probably the single most rapidly evolving insurance product on the market, and understandably so. It’s still a fairly young product, and cyber criminals are constantly changing their tactics. As a result, insurers are constantly adapting their policy forms. With constant changes, it can be difficult to know what coverages, you (as a policyholder or broker) may be missing out on. Here are some of the newer enhancements we’re regularly seeing from insurers.

  • Utility Fraud Coverage: Sometimes the damages related to cyber-attacks can be entirely unexpected, like a hefty electric bill. Cyber criminals are now employing two newer hacks that can significantly affect a company’s utility costs. The first such attack is crypto-jacking, in which hackers fraudulently use computer systems to mine crypto-assets. For those unaware of what “mining” means, every bitcoin transaction must be verified and recorded in a new block added to the blockchain ledger. Those processing these transactions can earn cryptocurrency in return. To maximize that return, however, cyber criminals are now taking over the computer systems of others to process large blocks of transactions. This results in computer systems running at near full capacity, which can generate a significant increase in electricity costs for the victims. Although many may be unfamiliar with this type of attack, it is extremely popular and growing. Last year, IBM reported that many hackers had actually abandoned ransomware attacks in favor of crypto-jacking, with an increase of 450% from the prior year. The other utility-related fraud is telecom fraud, in which cyber criminals access VoIP systems to route long-distance calls, often on a large scale. Trend Micro has a nice illustration here of exactly how those frauds are carried out. In response, many insurers have begun providing “utility fraud endorsements,” which provide coverage for any resulting increase in utility costs stemming from these unauthorized acts.
  • Bricking Coverage: Almost all cyber insurance policies contain broad bodily injury and property damage exclusions. These can be particularly problematic for companies operating in certain sectors. They can also be problematic for specific claims, such as those attacks that effectively cripple (also known as “bricking”) a company’s computer systems. Crypto-jacking attacks can not only result in significant utility costs but can overwhelm a company’s computer network, effectively destroying any affected computers. Imagine a mid-sized company with 150 affected computers, having to replace each system at a cost of $2,000. That’s a cyber-attack with a $300,000 price tag. Luckily, many carriers today now provide “bricking coverage endorsements,” which specifically cover the costs to repair or replace computer systems that may be destroyed from cyber attacks. 
  • System Failure Coverage: Generally speaking, if computer system failures are caused by cyber intrusions, coverage for any resulting lost income would be triggered under the “lost income” insuring agreement within a cyber policy. Many companies today have taken this coverage one step further by including specific “system failure endorsements” that provide coverage for lost income resulting from any unintentional/unplanned system failures. The broadest versions of these endorsements also often extend coverage to include lost income resulting from system failures that affect dependent third parties.

See also: Coronavirus Boosts Cyber Risk

  • Coverage for Reputational Loss: Cyber intrusions can generate considerable media attention and inflict significant reputational harm. Almost all cyber policies include some form of crisis management coverage for the costs associated with hiring a PR firm to minimize reputational harm, but coverage for any resulting lost income is often absent. In an effort to mitigate the risk of lost income stemming from negative PR following a cyber event, policyholders should ensure their policies contain an appropriate endorsement for “reputational loss.” It’s also important that insureds review these endorsements carefully – coverage can often be severely sub-limited, and more restrictive endorsements may specify that the loss must be the direct result of a publication. Because such a direct relationship will likely be difficult to establish, insureds should favor endorsements that have no “direct” requirement to trigger coverage. 
  • Coverage for GDPR/CCPA Violations: The passage of recent privacy regulations such as GDPR and CCPA now subjects companies and their directors to regulatory scrutiny (and hefty fines) for privacy-related violations. To complicate matters, many companies are unfamiliar with their compliance requirements and obligations. While the majority of insurers already include regulatory coverage within their cyber policies, there are often considerable gaps in those insuring agreements. To broaden policy terms and clarify the scope of coverage for violations of these regulations, some companies have begun to include specific GDPR and CCPA endorsements that provide coverage for costs associated with violations of these laws, stemming from “privacy wrongful acts” such as: misuse of protected information, improper collection of protected information, failure to correctly safeguard or manage protected information or failure to inform individuals regarding the collection of protected information.
  • Bodily Injury and Property Damage Carve-Backs: As briefly mentioned above, almost all insurers include broad bodily injury and property damage exclusions within their policy forms. The intent is to push those claims to respective general liability policies, where they belong. However, insureds are left without coverage in circumstances where the cyber intrusion itself results in bodily injury or property damage (a topic we visited in depth in our prior article). This coverage gap is often identified when working with an experienced cyber broker, who will attempt to negotiate improved wording at the time of purchase. However, it appears a growing number of insurers are slowly realizing the need for improved policy language and automatically including appropriate carve-backs, which will preserve coverage for such claims. 

How CAT Models Are Extending to Cyber

The insurance industry relies heavily on catastrophe modeling to set capital adequacy, adhere and respond to evolving regulatory requirements and stress test portfolios. The same is now increasingly true of the cyber catastrophe sphere, in which key areas of focus include how models can help with capital allocation, stress testing and informing development of underwriting guidelines and insurance products. Parallels can be drawn from the cyber catastrophe and natural catastrophe risk management sectors when modeling these risks.

The introduction of models provided critical insight into the potential for catastrophic claims under all-risk policies or policies without clear exclusionary language. Historical events such as the April 1906 San Francisco earthquake (leading to unanticipated claims under fire policies), the 2005 Hurricane Katrina flooding (resulting in unanticipated claims under homeowners wind policies) and the 9/11 U.S. terrorist attacks (raising unanticipated questions of war exclusion interpretation and the definition of a single event), together with the still unfolding coronavirus pandemic, highlight how critical it is to understand the triggers and correlation of potential loss due to a single event.

In many cases, insurers paid losses to avert “reputational risk” and have since used models to provide insight into realistic structuring of policy, reinsurance and other risk transfer vehicles. Clear exclusionary language, endorsements and coverage-specific terms evolved over the decades in concert with evolving scientific knowledge of the risks and modeled loss potential. 

Today, we are seeing the same evolution with respect to insuring cyber risk, but over a highly compressed period, without the decades of experience of systemic insured loss events. Many cyber catastrophe risk managers attempt to apply the same lens of current natural catastrophe model availability of data resolution, data quality, catastrophic event knowledge and model validation expectations. But by embracing the commonality of lessons learned from the evolution of the property catastrophe insurance market, we can prepare for an event considered to be a case of not “if” but “when.”

The role of data in models

A first common theme is to recognize that, for a rapidly evolving risk whose information is still maturing, aggregate data has value in the absence of detailed data. This has been and is still the case for property catastrophes and is also the case for cyber catastrophe risk models. Confidentiality obligations in portfolio data, as well as the lack of high-quality data, are issues for all models. However, new sources of data, along with sophisticated data science and artificial intelligence analytics, are being incorporated into models and provide increased confidence in assessing the potential risk to an individual company or entity.

See also: Coronavirus Boosts Cyber Risk

A second, related common theme is the ability of catastrophe risk models to compensate for the lack of risk-specific data captured at the time of underwriting. This is where all catastrophe risk models add significant value, by providing context for what should be captured as well as what can be captured. In the case of cyber, this can include access to both inside-out (behind the firewall) and outside-in (outside the firewall) data. Inside-out data refers to aggregate data for segments of the economy, measuring the anonymized trends of security behaviors (such as frequency of software patching). Outside-in data is made up of specific signals that can be identified from outside an organization and that give indications of overall cybersecurity maturity (such as the use of unsupported end-of-life products).

A third commonality is the value in extrapolating the impact of past events into the future given evolving available data on the changing causes of frequency and severity of cyber events. The property catastrophe arena is grappling with very similar issues relative to the rapid and uncertain evolution of climate models. For cyber risks, history is not a predictor of the future in terms of modeling threat actors, the methods they deploy and the vulnerabilities they exploit. However, it is possible to examine historic data and the types of cyber incidents that have occurred while addressing the challenges in the way that information is collected, curated and used. This historic data is used against the backdrop of a near-term threat actor and technological trends to understand future potential systemic losses due to large-scale attacks on bigger and more interconnected entities. 

The role of probabilistic models

At the enterprise level, the market is struggling with how to assess potential aggregations within and across business lines. Event clash, where a single event triggers losses under multiple policies and reinsurance treaties, is a key concern across all lines of business. The use of common cyber and other catastrophe risk loss metrics that can be combined across perils and lines of business is being explored. In addition, regulatory groups are considering requirements similar to those for property catastrophe risk to address solvency requirements relative to cyber risk.

In this environment, consistent and structured definitions of risk measures are critical for assessing and communicating potential systemic catastrophic loss. Both deterministic cyber scenario event analyses as well as probabilistic stochastic cyber event analyses are required. Given this context, cyber catastrophe risk models that can withstand validation scrutiny similar to property catastrophe risk models require the same level of rigorous attention to transparency in communication of model methodology.

Similarities… but some differences

There are some key differences between the systemic risks of natural disasters and cyber events. One material contrast is that cyber perils manifest with active adversaries seeking to cause malicious damage to individuals and companies globally. The factors affecting modeling include the changing nature of geopolitical threats, the dramatic increase in the use of digital means for criminal enterprises, the hyperconnectivity of developed economies and an ever-increasing reliance on networked technologies. Cyber event scenarios are developed to represent a range of potential systemic events in which technological dependencies affect individual insured companies, due to a common vulnerability or a “single point of failure.” Examples include common cloud service providers, payment systems, mobile phone networks, operating systems and other connected technologies. 
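As an added worked example (not from the article, and not any vendor's catastrophe model), the following Python sketch shows how a probabilistic cyber catastrophe model turns the "single point of failure" scenarios just described into the loss metrics the section mentions: a deterministic scenario loss per event, the number of policies one event triggers at once (event clash), the average annual loss, and an occurrence exceedance probability (OEP) curve with return-period losses. The portfolio, the dependency names (cloud-X, payments-P and so on), the event rates and the severities are all constructed for illustration; the Poisson-frequency OEP formula is the standard one used in property catastrophe modeling, which is the parallel the article draws.

```python
"""Toy probabilistic cyber catastrophe model (added illustration; constructed data).

A constructed portfolio of insureds shares a few technological dependencies.
Each stochastic event is the failure of one dependency (a "single point of
failure"), so one event triggers several policies at once (event clash).
"""
import math

# Constructed portfolio: policy limit in USD and the shared dependencies the
# insured relies on. All names and numbers are hypothetical.
PORTFOLIO = [
    {"insured": "Alpha Retail",    "limit": 2_000_000, "dependencies": {"cloud-X", "payments-P"}},
    {"insured": "Beta Clinic",     "limit": 1_000_000, "dependencies": {"cloud-X"}},
    {"insured": "Gamma Logistics", "limit": 3_000_000, "dependencies": {"cloud-Y", "payments-P"}},
    {"insured": "Delta Bank",      "limit": 5_000_000, "dependencies": {"payments-P", "os-Z"}},
    {"insured": "Epsilon SaaS",    "limit": 1_500_000, "dependencies": {"cloud-X", "os-Z"}},
]

# Constructed stochastic event set: each event is an outage or compromise of one
# shared dependency, with an annual occurrence rate (Poisson frequency) and the
# fraction of each affected policy's limit that is lost (severity).
EVENTS = [
    {"id": "EV-1", "dependency": "cloud-X",    "rate": 0.05, "severity": 0.30},
    {"id": "EV-2", "dependency": "cloud-Y",    "rate": 0.04, "severity": 0.30},
    {"id": "EV-3", "dependency": "payments-P", "rate": 0.02, "severity": 0.50},
    {"id": "EV-4", "dependency": "os-Z",       "rate": 0.01, "severity": 0.80},
]


def event_loss(event, portfolio):
    """Deterministic scenario analysis: portfolio loss if `event` occurs, and the
    number of policies it triggers simultaneously (the event-clash count)."""
    loss, triggered = 0.0, 0
    for policy in portfolio:
        if event["dependency"] in policy["dependencies"]:
            # Loss is a fraction of the limit, capped at the limit itself.
            loss += min(policy["limit"], policy["limit"] * event["severity"])
            triggered += 1
    return loss, triggered


def average_annual_loss(events, portfolio):
    """AAL: rate-weighted expected portfolio loss per year across the event set."""
    return sum(ev["rate"] * event_loss(ev, portfolio)[0] for ev in events)


def occurrence_exceedance_probability(events, portfolio, threshold):
    """OEP: probability that at least one event in a year causes a portfolio loss
    above `threshold`, assuming independent Poisson occurrence of events."""
    rate = sum(ev["rate"] for ev in events if event_loss(ev, portfolio)[0] > threshold)
    return 1.0 - math.exp(-rate)


def exceedance_curve(events, portfolio, thresholds):
    """(threshold, OEP) pairs: the curve reinsurers and regulators look at."""
    return [(t, occurrence_exceedance_probability(events, portfolio, t)) for t in thresholds]


def return_period_loss(events, portfolio, years):
    """The 1-in-`years`-year loss: walk the event set from the largest loss
    downward and return the loss at which the cumulative occurrence
    probability first reaches 1/years."""
    ranked = sorted(((event_loss(ev, portfolio)[0], ev["rate"]) for ev in events), reverse=True)
    cumulative_rate = 0.0
    for loss, rate in ranked:
        cumulative_rate += rate
        if 1.0 - math.exp(-cumulative_rate) >= 1.0 / years:
            return loss
    return 0.0  # event set is too thin to reach that return period


def main():
    for ev in EVENTS:
        loss, n = event_loss(ev, PORTFOLIO)
        print(f"{ev['id']} ({ev['dependency']}): loss ${loss:,.0f}, {n} policies triggered")
    print(f"AAL: ${average_annual_loss(EVENTS, PORTFOLIO):,.0f}")
    for t, p in exceedance_curve(EVENTS, PORTFOLIO, [500_000, 1_000_000, 5_000_000]):
        print(f"P(some event in a year loses > ${t:,.0f}) = {p:.4f}")
    for years in (10, 20, 100):
        print(f"1-in-{years}-year loss: ${return_period_loss(EVENTS, PORTFOLIO, years):,.0f}")


if __name__ == "__main__":
    main()
```

The point the numbers make is the one the section makes in prose: the payments-P event touches only three policies yet produces a larger loss than any single-insured view would suggest, and the tail of the curve is driven entirely by how many insureds share a dependency, not by how risky each of them looks on its own. A natural catastrophe model produces the same AAL and OEP outputs from a geographic event set, which is what lets cyber and property loss metrics be combined across perils.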

See also: Risks, Opportunities in the Next Wave  

There are limitations in any model relating to cyber risk, given the inherent uncertainties. Nevertheless, these models provide valuable insights to better decision-making relating to capital planning, reinsurance and addressing regulatory issues. By learning from previous insurance shocks, we can support a more stable and resilient cyber risk insurance market.