
The Alarming Surge in Ransomware Attacks

Insurers can help clients protect themselves – but preventive approaches aren’t yet widely implemented, leaving the door open for unscrupulous hackers

Ransomware and business email compromise (BEC) attacks are soaring, and ransom demands have gone from an average of $10,000 to well north of $100,000 – demands sometimes reach the tens of millions of dollars. In this interview, we discuss what is causing the surge – and what businesses can do to protect themselves. 

This webinar will discuss:

  • Insights from Michael Palotay, Chief Underwriting Officer for Tokio Marine HCC – Cyber and Professional Lines Group, on the evolution of cyber threats

  • How ransomware and business email compromise attacks harm companies and how cyber insurance is not enough protection

  • What today’s businesses can do to protect themselves

Presenters:

Michael Palotay

Chief Underwriting Officer
Tokio Marine HCC – Cyber & Professional Lines Group

Michael Palotay started his career at AIG in 2006 as a Tech E&O and Cyber Liability Underwriter.  In 2009, he joined NAS Insurance to lead their new Tech/Cyber underwriting facility. Over the next 10 years, his team grew to over 36 underwriters, writing over $130M in premium and consistently delivered impressive underwriting profitability.  When Tokio Marine HCC acquired NAS Insurance, Michael was the Chief Underwriting Officer, focusing on maximizing underwriting profitability, product development and overall business development.  He has continued in this role within the Cyber & Professional Lines group at Tokio Marine HCC.

Paul Carroll

Editor-in-Chief
Insurance Thought Leadership

Paul is the co-author of “The New Killer Apps: How Large Companies Can Out-Innovate Start-Ups” and “Billion Dollar Lessons: What You Can Learn From the Most Inexcusable Business Failures of the Last 25 Years” and the author of “Big Blues: The Unmaking of IBM”, a major best-seller published in 1993. Paul spent 17 years at the Wall Street Journal as an editor and reporter. The paper nominated him twice for Pulitzer Prizes. In 1996, he founded Context, a thought-leadership magazine on the strategic importance of information technology that was a finalist for the National Magazine Award for General Excellence. He is a co-founder of the Devil’s Advocate Group consulting firm.

How to Combat the Surge in Ransomware

The threat of a cyber-attack is far more dangerous now than it has been in the past, yet the threat prevention systems necessary to protect oneself remain widely unknown.

Ransomware, in particular, has exploded as a problem. The frequency of such attacks is up almost 200% in the past two years. Severity is up, too — the average ransom demand has surged from roughly $10,000 to well north of $100,000. Combine those two issues, and ransomware is many times as big a problem for clients and insurers as it was two years ago. 

Unless companies create more sophisticated protection systems, the problem will become even worse. Hackers are more astute, increasingly have access to inexpensive tools and have greatly expanded how and what they attack. There are even ransomware developers who sell or lease their ransomware, offering Ransomware-as-a-Service (RaaS).

In the past, attacks were relatively limited. When an employee clicked on an attachment that included a virus, the attack would encrypt the computer. There was minimal ability to spread to other computers, and individual computers were oftentimes backed up. This meant ransomware was frequently seen as just an inconvenience for a company and wasn’t as significant an issue for insurers as it is today.

Now, attackers use their initial entry into a computer as the starting point to work their way into a potentially huge network. The hackers lay traps and can generally find how and where the system’s sensitive information and backup server are located. With this information, the hacker can ensure that paying the ransom is the only way for a company to recover. An attack is often so devastating that the hackers can — and will — ask for exorbitant ransoms.

Tools for hackers are now inexpensive on the dark web, and hacker groups often coordinate. Perhaps one individual finds some credentials that allow a path into a system but isn’t sure how to exploit it. The person might sell the credentials on the dark web or hire some hacker known to be especially good at exploring and exploiting that kind of system; this is RaaS.

While some industries were considered to be relatively low-risk, that’s no longer the case. For instance, a few years ago, manufacturers were considered a target class for cyber insurance carriers because they were unlikely to store personal information, like credit card records. But now, they’re getting hit the hardest: Manufacturers are typically large companies with underdeveloped cyber security capabilities. Hackers would use this to their advantage and exploit these companies, which weren’t prepared for the onslaught of ransomware attacks. 

Within the Tokio Marine HCC – Cyber & Professional Lines Group, we’ve been working with thousands of policyholders to better prepare them for attacks, and people understand the problem conceptually. Cyber is a serious consideration at the executive level and mandatory for business continuity and disaster recovery planning. The recent SolarWinds attack has reminded us all that even the best-protected government and business systems are vulnerable. 

Based on simulations of attacks, we know that approximately 30% of those who receive a phishing email will click on a link that infects their system. Thorough training of staff on awareness and best practices reduces the number who fall for a phishing attack. With proper training, we’ve seen a reduction in exposure, whereby only 10% of employees fall for the trick when a hacker attacks; but that can still be enough for a catastrophe to happen, like the SolarWinds incident.  

Training should be mandatory, but it shouldn’t be the only layer of defense for the network. Perimeter defense, secure backups and patch management are all critical. At present, Tokio Marine HCC provides a vulnerability scanning service for policyholders, which provides insights on vulnerable points of entry for hackers, including security vulnerabilities in policyholders’ perimeter and out-of-date software, to help the insured avoid becoming a victim. 

To combat weak passwords, many companies are starting to require multi-factor authentication to safeguard access to their system. A person must use an alternate means to authenticate themselves through a code texted to a smartphone, provide biometric evidence of their identity through something such as an iris scan or verify their identity via another secondary means. This dramatically reduces the risk that a compromised password leads to a devastating attack.

Companies are moving toward a “zero trust” model to protect their systems. The idea behind this emerging model is to have virtual “hall monitors” to challenge every actor in the system and force that actor to revalidate itself before going into an additional “room.” In the past, companies would use a firewall to keep hackers out, but once hackers get past the wall they virtually have access to any “hall” in the network. 

Companies should also be thinking about their outsourcing arrangements. Outsourcing can be cost-efficient, but if you have a 1,000-person company and only have three full-time people in IT, you’re likely to be using outside contractors. Issues may arise with disagreements regarding who is responsible for patching systems or monitoring the network for suspicious activity. Furthermore, Managed Service Providers (MSPs) are being targeted by hackers and, if the hackers gain unauthorized access, are being used to launch ransomware attacks against their clients.

At Tokio Marine HCC – Cyber & Professional Lines Group, we apply our expertise and use our scale to make deals on behalf of clients to create a package of security services from leading providers. These packages involve, for instance, CrowdStrike, which provides endpoint detection security; Cisco’s Duo, a leading service provider of multi-factor authentication; and many others. We provide the bundling of these services at a discount off the market price, as well as with a discount on premiums, because, based on our data, we’re confident that our clients are less vulnerable with solutions such as these. 

However achieved, reducing vulnerability helps both our company and our clients. We view this as a mutual relationship. If we can keep our claims costs as low as possible, our premiums can be as low as possible. However, it is critical for our insureds to focus on cyber security, so they are not an easy target for hackers. Whether a company has insurance or not, an attack is hugely disruptive, and, although we can transfer some of the financial costs, we can’t transfer everything. For instance, companies oftentimes still have to deal with being shut down for a stretch of time, while they hopefully recover their data and ramp back up.

Minimizing exposure to an attack is possible, but a company must invest in layers of network defenses, training and maintenance to stay ahead. Having the right insurance policy can protect you from the financial burden, but the reputational harm or missed opportunities that result from a cyber-attack can be very costly.  

If you are unable to reduce your vulnerability, the problem could spiral out of control. Insurers will need to keep raising rates rapidly or will simply drop out of the market — supply is already dwindling. Clients may find rates so high that they will self-insure — at great risk.  

At Tokio Marine HCC – Cyber & Professional Lines Group, we’re committed to the market, and demand for the insurance has never been greater. Our focus is staying on top of loss trends so we can help our clients continue to reduce risks and keep the problem manageable for all.

For more information about the Cyber & Professional Lines Group, please visit www.tmhcc.com/pro

Surging Costs of Cyber Claims

External attacks on companies result in the most expensive cyber insurance losses, but employee mistakes and technical problems are the most frequent generator of claims by number, according to a new report from Allianz Global Corporate & Specialty, Managing The Impact Of Increasing Interconnectivity – Trends In Cyber Risk. The study analyzes 1,736 cyber-related insurance claims valued at $770 million involving AGCS and other insurers from 2015 to 2020.

The number of cyber insurance claims AGCS has been notified of has steadily risen over the last few years, up from 77 in 2016, when cyber was a relatively new line of insurance, to 809 in 2019. In 2020, AGCS has already seen 770 claims in the first three quarters. This steady increase in claims has been driven, in part, by the growth of the global cyber insurance market, which is currently estimated to be $7 billion, according to Munich Re.

AGCS started offering cyber insurance in 2013 and, in 2019, generated more than EUR 100 million in gross written premium in this segment. There has been a 70%-plus increase in the average cost of cybercrime to an organization over five years to $13 million and a 60%-plus increase in the average number of security breaches.

Losses resulting from external incidents, such as distributed denial of service (DDoS) attacks or phishing and malware/ransomware campaigns, account for the majority of the value of claims analyzed (85%), according to the report, followed by malicious internal actions (9%) – which are infrequent but can be costly. Accidental internal incidents, such as employee errors while undertaking daily responsibilities, IT or platform outages, systems and software migration problems or loss of data, account for over half of cyber claims analyzed by number (54%), but, often, the financial impact of these is limited compared with cybercrime. However, losses can quickly escalate in the case of more serious incidents.

The cyber risk environment is not expected to become any easier in the future. Businesses and insurers are facing a number of challenges, such as the prospect of more expensive business interruptions, the rising frequency of ransomware incidents, more costly consequences of larger data breaches given more robust regulation and litigation, and the impact from the playing out of political differences in cyber space through state-sponsored attacks. 

The huge rise in remote working due to the coronavirus pandemic is also an issue. Displaced workforces create opportunities for cyber criminals to gain access to networks and sensitive information. Malware and ransomware incidents are already reported to have increased by more than a third since the start of 2020, while coronavirus-themed online scams and phishing campaigns about the pandemic continue. At the same time, the potential impact from human error or technical failure incidents may also be heightened. 

While exposures are rising, the COVID-19 outbreak cannot yet be said to be a direct cause of cyber-related claims. AGCS has seen the first few cyber claims that can be indirectly attributed to the COVID-19 landscape, including ransomware attacks that can be linked to the shift to more remote working. However, it’s too early to confirm a broader trend.

Ransomware threats surge

Already high in frequency, ransomware incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. There were nearly half a million ransomware incidents reported globally last year, costing organizations at least $6.3 billion in ransom demands alone. Total costs associated with dealing with these incidents are estimated to be well in excess of $100 billion.

Business interruption and digital supply chain vulnerability growing

Business interruption (BI) following a cyber incident has become a major concern for business. Analysis of cyber claims by AGCS shows that BI is the main cost driver in the majority of cases. Whether ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy. 

Dependency on digital supply chains – both for the delivery of services and the supply of goods – brings numerous benefits. Shared technology-based platforms enable data to be exchanged between parties, automate administrative tasks and transport products on demand. However, such platforms can potentially create a chain reaction ensuring a BI cascades through a whole sector. If a platform is unavailable due to a technical glitch or cyber event, it could bring large BI losses for multiple companies that all rely on and share the same system.

Data breaches and state-sponsored attacks

The cost of dealing with a large data breach is rising as IT systems and cyber events become more complex, and with the growth in cloud and third-party services. Data privacy regulation, which has recently been tightened in many countries, is also a key factor driving cost, as are growing third-party liability and the prospect of class action litigation. So-called mega data breaches (involving more than one million records) are more frequent and expensive, now costing $50 million on average, up 20% over 2019.

In addition, the impact of the increasing involvement of nation states in cyber-attacks is a growing concern. Major events like elections and COVID-19 present significant opportunities. During 2020, Google said it has had to block over 11,000 government-sponsored potential cyber-attacks per quarter. Recent years have seen critical infrastructure, such as ports and terminals and oil and gas installations hit by cyber-attacks and ransomware campaigns.

Prepare, practice and prevent

Preparation and training of employees can significantly reduce the consequences of a cyber event, especially in phishing and business email compromise schemes, which can often involve human error. It can also help mitigate ransomware attacks, although maintaining secure backups can limit damage. Cross-sector exchange and cooperation among companies is also key when it comes to defying highly commercially organized cybercrime, developing joint security standards and improving cyber resilience. 

The COVID-19 landscape brings new challenges. With home-working widespread, security around access and authentication points is critical, but organizations should also ensure there is sufficient network capacity as this can have a significant impact on lost income if there is an outage. 

Essential Steps for Cyber Insurance

Almost daily, news reports cover ransomware attacks involving Garmin; the world’s largest cruise line operator; the Las Vegas school district; Brown-Forman, the manufacturer of global distilled spirits brands like Jack Daniels and Finlandia; and the University of Utah, among other victims.

The attacks illustrate ransomware’s far-reaching and costly impact in terms of exposed data, disrupted operations and ransoms paid: Intruders claiming responsibility for the Brown-Forman attack, for example, said they had copied a terabyte of confidential internal network data and threatened to share it online, as part of the extortion. The cruise line operator, Carnival, experienced the compromise of guest and employee personal data. The Las Vegas school district notified employees that their Social Security numbers may have been stolen. The University of Utah reportedly arranged to pay more than $455,000 to satisfy a ransom demand, while Garmin reportedly paid $10 million after certain web sites, customer support and user application functions were blocked.

Clearly, companies are living in an age of high cyber risk. In addition to ransomware – which is targeting three of five organizations – wildly lucrative business e-mail compromises (BECs) are also behind mounting financial losses. Through BECs, adversaries create fake but authentic-looking e-mails (often disguised to look like they were sent by a high-level executive) to trick employees into wiring money into bank accounts controlled by the bad guys. Like ransomware, BECs are generating lucrative returns for fraudsters, costing U.S. businesses more than $300 million a month – up from $110 million a month in 2016, according to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

To minimize the fallout from these and additional risks, organizations are increasingly investing in cyber insurance, a global market projected to reach $28.6 billion by 2026, up from an estimated $4.85 billion two years ago, according to a forecast from Allied Market Research. Cyber insurance often covers a company’s liability for data breaches leading to the compromise or loss of customers’ Social Security numbers, credit card accounts, health records and other personally identifiable information (PII). These insurance policies can also help a targeted organization cover the costs of customer breach notifications, fraud monitoring and the restoration of personal identities.

To be sure, cyber insurance is a significant investment. Acquired and managed correctly, this insurance coverage becomes part of an integrated cyber risk posture complementing security controls and policies. However, the insurance can bring a false sense of security and lead to coverage gaps and expensive disputes with carriers, if corporate IT, legal, risk and business leaders do not collaborate closely on the following essential action steps to take before updating or acquiring new coverage:

Inventory your assets – and understand their value

The IT ecosystem is much more dynamic today. The traditional perimeter no longer applies in the global, mobile age of digital transformation. There are more remote employees, third-party partners and non-traditional connected devices. Companies operate anywhere and everywhere, which leads to negotiating and purchasing coverage based on incomplete views of true assets and risks — increasing the probability of costly disputes. A single shift like moving e-mail, storage and other applications to the cloud, for example, could get entirely overlooked – and uncovered. That’s why IT and a cross-functional team of leaders must develop a comprehensive, current view of these assets and their role in supporting business continuity, customer services and the accomplishment of strategic/bottom-line goals.

An objective, “data-first” approach proves critical in visualizing and managing coverage requirements. Cyber insurance evaluation team members need to pinpoint where the data resides, and where it travels to, i.e., which non-traditional networked devices, new partners or regional offices it touches. Even if entirely new parties are not handling the data, team members must determine if they’re storing information in new internal locations and form factors, which may make the data more susceptible to theft or exposure.

Understand what is covered, and what is not

The cybersecurity profession uses terminology like “compromise,” “intrusion” or “incident.” The insurance domain assigns very specific meaning to words like “theft,” versus “loss” and “damages.” These terms are not interchangeable, and the stakes for coverage disputes and litigation are high because so much turns on whether a cybercriminal “broke in” to steal or ransom something, for example — versus tricking a victim to e-mail the attacker sensitive files figuring in a compromise.

Therefore, it’s critical to know coverage and limits before an incident, with the leadership team mapping out plausible attack scenarios and consequences, along with a range of possible outcomes in the form of stolen data, business disruptions, brand reputation damage and customer churn. Then, team members must ensure that these outcomes are covered in the scale and scope of coverage.

Enlist a digital forensics and incident response partner before you buy

Many organizations benefit from sharing their initial cyber insurance checklists and assessments with a trusted digital forensics and incident response (DFIR) partner experienced in cyber insurance investigations and related matters. A DFIR partner familiar with your business and industry sector brings invaluable “outside eyes” on potential coverage gaps and helps ensure your team will be able to preserve files and document how an incident occurred, maximizing the likelihood that accurate claims for covered incidents are processed as quickly as possible. 

Policyholders benefit from “writing-in” (specifying) the DFIR partner as the designated, go-to response firm for incidents. Otherwise, the carrier will designate a response firm from its list of default contractors – vendors that do not command the same level of knowledge about a firm’s IT ecosystem and operations. And default vendors work for the insurance provider to reduce its liability, instead of committing to the interests of the policyholder.

Cyber insurance is a booming part of the risk management world spurred on by current events. It can be a key part of your organization’s safety net. But, like any net, it can come with holes – holes that can amount to an unnecessarily expensive proposition for companies that fail to recognize and eliminate them. By combining complete IT asset awareness with granular attention to detail about coverage, an organization can move forward with its DFIR partner to ensure the continuous improvement of risk mitigation and containment efforts no matter how forbidding the circumstances – along with the right insurance plan for these uncertain times.

6 Cybersecurity Threats for Insurers

The connectedness of everything – assets, people, business and commerce – has increased the severity and frequency of cyber attacks. The insurance sector faces a bigger threat than most industries because insurers deal with extremely sensitive data. Several insurance companies, such as Premera Blue Cross and Anthem, have experienced significant data breaches over the past years. However, these are not the only insurers affected. A report by Accenture shows that an average insurance company receives over 100 cybersecurity attacks each year, with 30% of the attempts being successful.

As an insurance leader, being aware of the potential cybersecurity threats puts you in a better position to adopt the right prevention measures. Here are the top cybersecurity threats in the insurance sector that you should know.

6 Cybersecurity Threats for Insurance Leaders

1. Cloud Vulnerabilities  

Cloud data access and storage has become a common practice for many people. However, this practice can increase the risk of a data breach. You can be susceptible to denial-of-service (DoS) and account hijacking attacks. With such attacks, hackers can access and tamper with your company’s data while preventing your team from accessing it. This threat can be prevented by implementing an extensive cyber risk management plan.

2. Patch Management

If your insurance company is using outdated software, you have a higher risk of cyberattack. Most cybercriminals exploit software vulnerabilities to access and steal company information. Failing to apply software patches makes your organization vulnerable to numerous data breaches.

A vulnerability can come through something you consider as minor as the computer operating system. For instance, most organizations became exposed to cyber-attacks in 2018 for failing to update their Microsoft Office software following a patch release for the EternalBlue vulnerability. Therefore, it is advisable that you stay up to date with any software you are using in your organization to avoid costly attacks.

3. Social Engineering

With the increase in social interactions, cybercriminals are exploiting such opportunities to launch social engineering attacks. Deception is the major aspect of such attacks. Usually, these criminals use trickery and manipulative approaches to lure individuals into taking various actions. For instance, you can be lured to disclose sensitive information or even bypass set security measures.

Social engineering threats are high because targets simply give hackers access to the system. Thus, it is hard for you to prevent these crimes with cybersecurity systems. However, regular training on cybersecurity is necessary for ensuring that your team members know how to detect and prevent such crimes.

4. Ransomware Threats

If you thought it was only individuals who can be held hostage, think again, because your computer systems and data can, too. Ransomware attacks are some of the serious cyber threats you should worry about in the modern era. A report by the U.S. Department of Homeland Security reveals a rising number of ransomware attacks. The hackers attack your network and prevent you from accessing any data in it until a certain amount is paid. Such attacks are associated with significant losses. For example, besides the immediate losses, a ransomware attack can lead to huge monetary damages because of lost data and loss of productivity.

5. Third-Party Exposure Threats

The use of third-party services is a common practice nowadays, especially for payment processing. Most organizations do not take the necessary precautions when engaging in third-party transactions. Even where the party you are transacting with does not handle personal data directly, it can put your organization at risk of attack.

Hackers are using malware to access personal data, such as credit card numbers and Social Security numbers, through third-party companies. Therefore, it is important to take all the necessary precautions when dealing with a third-party vendor. For instance, inquire about their policy on data breaches and find out whether they have any measures in place to prevent cybersecurity attacks.  

6. Outdated Hardware

There is a common misconception that cybersecurity threats have to come from software. If you are using outdated hardware, your company data is vulnerable, too. With the increasing rate of software updates, some hardware may find it challenging to keep up. Obsolete hardware may have difficulty accepting the latest security measures and patches. In such cases, your organization’s data is exposed and hence at a high risk of cyberattack. Therefore, it is critical to regularly check your devices and replace any obsolete ones to avoid outdated hardware-related cyber-attacks.

Holistic Risk Management Plan

There you have it – a comprehensive overview of some of the top cybersecurity threats in the insurance sector. Evidently, as technology advances, insurance companies will continue to face different forms of cybersecurity threats.

While there might not be a one-size-fits-all approach to address or prevent cyber threats, being knowledgeable on the various cybersecurity vulnerabilities can help you adopt better risk detection and prevention measures. Therefore, make sure to adopt a holistic management plan to stay away from most of these threats.