Cyber-attacks are never out of the press these days. And whilst these stories were previously confined to the insurance or IT publications, the mainstream media now heavily report these matters as more and more companies find themselves the target of hackers. The coronavirus pandemic has also brought an increase in the frequency and severity of ransom demands, as well as further dislocation in the cyber insurance market.
INCREASED FREQUENCY OF RANSOM DEMANDS:
- An increased number of hackers operating, with heightened sophistication, including “hacking as a service”, whereby those with the knowledge and means to do so “sell” their services to clients.
- The increase in successful ransom attacks encourages the hackers to launch further attacks and be bolder with their targets.
- The pandemic has exponentially increased the number of individuals working remotely. This significantly increases a network’s “surface” and the potential vulnerabilities in the network.
- Significant volumes of email flowing in and out of any organization increase its vulnerability to attack. Sectors that rely heavily on email to conduct business (e.g. law firms) are at an even greater risk of attack.
- For some businesses, the need and desire to quickly establish remote working capabilities for their staff in Q1 2020 may have come at the cost of network security.
INCREASED SEVERITY OF RANSOM DEMANDS:
- The “spray and pray” tactics of yesteryear did not differentiate their targets. A hacker would attack as many targets as possible, hoping someone would “bite”. Ransom demands were small ($5,000-$10,000) and the same for all targets.
- Hackers now operate in a far more targeted way – they know who they are attacking, their financial means and (in one case we are aware of) the limit of their cyber insurance policy (the hacker was able to view the insured’s cyber policy details before bringing their network down).
- It is no longer just about the data that an organization is holding, but also about their reliance on their network to do business. Historically we have seen many ransom attacks purely encrypting the network and providing the decryption keys once their demands are met. Now a new trend has emerged where hackers will look to exfiltrate the data as well as encrypt the network – threatening to post this data on the dark web if the ransom demand is not met. So, if your business is reliant on data or an IT network, or in many cases both, you are of interest to cyber hackers.
- We understand the largest ransom demand paid by insurers is circa $40 million. We have seen ransom demands against our own clients running into the millions of dollars, and this does not take into account the additional first party expenses, business interruption costs and extra expenses that are incurred during and after the ransom event.
What can firms do to protect themselves? There is no such thing as 100% secure when it comes to cyber security. The recent SolarWinds & Microsoft Exchange Server breaches demonstrate that a well-resourced hacker can hack any system, including the US government. However, there are some core cyber risk management tools that every organization should consider.
- Email controls & security – the first line of defense against ransomware events. Use of an email filtering gateway, DKIM, SPF and DMARC will reduce (but not eliminate) the threat posed by hackers.
- Multi-Factor Authentication (MFA), especially for all remote access, critical applications, back-ups and privileged accounts.
- Utilize an endpoint detection and response tool – in the current environment, endpoint protection alone is no longer good enough. Insurers will want to see firms use endpoint detection and response tools before offering terms.
- Secure back-ups – increasingly back-ups are also encrypted by the hackers. Secure back-ups are essential – segregated from the network, offline, backed up on to tapes, access via MFA. And test the back-ups frequently.
- Training – one of the weak links in most companies’ defense against hackers is their people. So, train and test all people with connectivity to the network in information security awareness, especially phishing threats, and run regular phishing campaigns. Share results. Give feedback. And continue to train/educate your people.
- Maintain good cyber security hygiene – no unsupported software/systems within the network, regular patching, monitoring and logging of access and suspicious activity, have separate credentials for privileged access, limit local administration rights access and employ a strong password policy, with an enhanced version for employees with administration rights.
When it comes to cyber insurance, subject to the terms and conditions of your policy, the ransom payment can be covered. More importantly, the IT/forensics vendor and, in some cases, the specialized extortion vendor that come with the policy will be able to provide support to the firm. They can:
- Make efforts to assess whether the extortionist has access to what they say they do.
- Make efforts to assess the backups (or other controls) in place to understand whether the affected network can be restored via backups with minimal disruption to the business, thus avoiding the need to pay the ransom.
- Communicate with the extortionist to try to negotiate the demand down and to determine whether the decryption key is likely to work – vendors often deal with the same hacking group on a daily basis, so become acquainted with their tactics.
- Make efforts to determine whether the payment is being sent to a sanctioned territory or actor, a requirement under OFAC.
- Make the payment of the final negotiated demand via cryptocurrency to preserve the firm’s anonymity in the event it was not a targeted attack. The vendor typically has access to cryptocurrency accounts which can help get payment made quickly (these events have very short fuses).
The cyber market is hardening at a rapid pace. However, for risks that can demonstrate strong cyber security controls there is still a lot of capacity available, albeit at increased rates (20-50%) and sometimes increased retentions. If firms cannot demonstrate strong controls, then a combination of higher premium, increased retentions, sub limits, no ransomware cover, lower capacity offered and, in some cases, declinations from insurers (renewal and new markets) should be expected. Paragon has a team of expert cyber insurance professionals who can help insureds through the renewal process and obtain the best terms and coverage available from the market.