CYBER ATTACKS ARE ON A STEEP UPWARD PATH – HOW CAN BUSINESSES PROTECT THEMSELVES?
The Covid-19 crisis has positively accelerated the uptake of digitization. Less positively, businesses now find themselves more exposed to cyber threats, which have increased in both severity and frequency.
Among the fastest growing and most costly cyber threats are ransomware attacks – where a malicious software blocks access to a computer system and extortionate sums are demanded for it to be unlocked again.
Ipek Unal of Integra, WBN member in Turkey, highlights the importance of taking IT Security precautions for all businesses globally and underlines critical areas, including but not limited to endpoint isolation, back-up management, patch management, access management, end of life systems, business continuity and proper segregation between IT and operational technology (‘OT’). “These measures are vital in disabling a hacker from gaining access to a company’s IT system from where they could then easily get into the operating systems. In the manufacturing sector especially, it can have a real and direct impact on non-digital services”, she says.
When larger conglomerates are involved, the complexity increases. Unal adds: “The issue with conglomerates is segregation between subsidiaries. If they are all linked under one main IT structure, it is important to create segregation (walls) to prevent potential hackers from breaching one subsidiary and reaching into others.”
There are, however, many other ways that criminals and state actors are engaging in cyber-crime. Below, we outline the five key attack methods, mitigation tactics and insurance strategies to tackle them:
1 Ransomware
Driving this rising tide of ransomware attacks are nation-state sponsored hackers targeting key infrastructure with the intent of causing maximum disruption. Overtime, the level and sophistication of these hackers has grown to such an extent that it has become big business. Such is its growth as an industry in its own right, that the cyber criminals now hire out their hacking technology and expertise or act as a agent of services for other criminals to actually carry out the attack in return for a cut of the profits.
The effects of such attacks on businesses can be ruinous, both operationally and financially, with a typical attack resulting in access to systems denied and the threat of destruction of valuable data. They also ignite a potentially damaging reputational crisis, as law firm Grubman, Shire and Meiselas (GSM) found when it suffered a ransomware attack. When it refused to pay the ransom, the hackers revealed confidential data relating to a number of celebrities including Lady Gaga.
GSM’s response may be a typical one as, until an event happens, many business owners have inadequate cybersecurity and insurance cover because of the perceived low value return for investors.
To mitigate the risk, businesses should:
— Train staff to be alert for unsolicited emails
— Install and maintain anti-virus and malware protection software
— Keep software updated and back-up data.
2 Phishing
Phishing is an attempt to gain sensitive information while posing as a trustworthy contact, for example a bank or online service. The emails may look convincing, often with faultless wording and genuine logos. They target groups of individuals in the hope that someone will bite.
Spear phishing is a highly targeted attempt to gain information from individuals, with the intention of getting them to transfer money. At its extreme end is whaling, where a fake email from a CEO pressures a CFO into making an urgent payment.
Steve Pappas, Head of Global and Networks at member firm Honan puts an emphasis on regular internal training. If companies aren’t putting risk management measures like these in place, it could impact getting sufficient insurance coverage.
“Claims related to Phishing or Social Engineering are becoming more common every year – even the most seasoned CFO or Financial Controller has become a victim to a clever email from a cyber hacker.”
“We constantly remind our clients to update their internal training and engage security experts to teach their staff how to prevent a big transfer of money going into the wrong hands. The insurers ask if the expected preventative measures are in place when underwriting a risk, and if they don’t like the responses, they won’t provide cover.”
To mitigate the risk, businesses should:
— Stay alert – remember that companies rarely ask for sensitive information by email so always be suspicious of unexpected emails
— Install and maintain anti-malware software
— Make sure spam filters are turned on.
3 Data leakage
With the increasingly widespread use of smartphones, tablets, and other mobile devices by staff, hackers are becoming smarter at hacking the data they each store. Portable storage devices used to back up and move data are a target for criminals too.
To mitigate the risk, businesses should:
— Make sure mobile devices have passcode locks
— Turn on GPS tracking on the device and remotely wipe it if it gets lost
— Install encryption software on all computers, laptops and devices that use portable storage.
4 Hacking
Hacking might now seem ‘old fashioned’ but gaining access to systems from outside an organization offers rich pickings for criminals. Traditionally, they have attempted to gain access to bank account information or credit card databases. More recently, however, intellectual property has become a target. State-sponsored hackers have all attempted to steal Covid-19 vaccine secrets in recent months. Data thieves also use social engineering to trick staff into revealing user names and passwords.
To mitigate the chance of an attack, businesses should:
— Install network firewalls and data access security
— Implement procedures for providing and removing access
— Train staff to beware of social engineering scams.
5 Insider threat
There’s always the internal risk that full-time staff and contractors can leak data, either intentionally or by mistake. With people accessing sensitive company information on a daily basis, employees are even more critical to making sure it stays safe.
To mitigate the risk, businesses should:
— Train staff how to handle data properly
— Minimize their access to data to only what’s essential
— Limit use of portable storage devices.
What is the insurance industry’s response to cyber crime?
The insurance industry has been building a comprehensive program of cover to deal with cybercrime throughout the last decade. However, the upsurge in ransomware events has resulted in a significant increase in insurance claims arising from cyber-attacks. First-party ransomware claims were up 35% in 2020, accounting for 75% of all cyber claims by the start of this year, according to rating agency A.M. Best. This is reflected in cyber insurers’ loss ratios, which rose for 15 out of the 20 largest U.S. providers in 2019, climbing, on average, to 67.8% from 44.8% the previous year.
This claims hike is resulting in mounting losses for insurers from both the initial claim and subsequent class action lawsuits against directors and officers for negligence, often with large jury verdicts in their favor.
With these headline cyber events becoming more commonplace, the risk of aggregation for carriers with large portfolios is far higher too. Added to that, because cyber is a relatively new and constantly evolving risk, there’s a shortage of accurate historical loss data, making it difficult to assess and price.
Silent cyber
Another problem that the insurance market faces is silent cyber exposure – where an insured mistakenly believes certain cyber risks are covered in their traditional property and liability policies.
Silent cyber or non-affirmative cyber first manifested itself in the WannaCry, Petya and not Petya cyberattacks of 2017, which devastated everything from shipping ports and supermarkets to advertising agencies and law firms. The resulting losses from the encryption of master files and subsequent bitcoin ransom demands for restoring access were the costliest on record, surpassing $3 billion.
Despite the introduction of specific cyber policies to cover the risk, including write-back add-ons, many insureds still expect to be covered under their property and liability policies, and yet, they are not. There is significant risk of businesses facing unexpected coverage gaps that leave them exposed.
As a result, the insurance industry, led by Lloyd’s of London has taken the position that all property and casualty policies must now either implicitly exclude or include cyber coverage – a mandate which came into force at the start of 2020. The New York State Department of Financial Services announced a cybersecurity insurance risk framework in February this year to achieve a similar result.
In response to these challenges, insurers have been forced to ramp up their rates, or even start to pull back from offering comprehensive cyber insurance, tightening their terms and conditions, while others have exited the market altogether.
Insurance solutions
Businesses need to work with their broker to assess cyber as an enterprise-wide risk and map out all possible loss scenarios. Then they should look at their existing policies and determine exactly what is covered in terms of grants, limits and retentions, and where coverage gaps exist. Strategy setting should follow this thorough review.
It may also be preferable to keep all policies under one umbrella, bearing in mind that the most comprehensive solution is a standalone cyber policy that covers most foreseeable cyber-related risks.
At the start of the underwriting process, it pays to have a full picture of the cyber exposure a business runs. Unal points to the use of cyber scorecards as a way to provide more detail on each individual client company, making it easier for the underwriter to find a fair solution.
“Insurers can see a host of information including licenses which haven’t been renewed and outdated anti-virus protections. It also helps the client to present their risk more explicitly to the insurer as well as to inform senior management about what cybersecurity precautions they need to take.”
Sources
https://www.bankinfosecurity.com/blogs/ransomware-gangs-go-lady-gaga-for-data-breaches-p-2911