Category Archives: Cyber Risk

As Cybercriminals Act More Like Businesses, Insurers Must Think More Like Criminals

Credit for all photos in this post: Don Pollard

Cybersecurity is no longer an emerging risk but a clear and present one for organizations of all sizes, panelists at Triple-I’s Joint Industry Forum (JIF) said. That is largely because cybercriminals increasingly think and behave like businesspeople.

“We’ve seen a large increase in ransomware attacks for the sensible economic reason that they are lucrative,” said Milliman managing director Chris Beck. Cybercriminals also are becoming more sophisticated, adapting their techniques to every move insurers, insureds, and regulators make in response to the latest attack trends. “Because this is a lucrative area for cyber bad actors to be in, specialization is happening. The people behind these attacks are becoming better at their jobs.”

As a result, the challenges facing insurers and their customers are growing more complex and costly. Cyber insurance purchase rates reflect the growing awareness of this risk: one global insurance broker found that the percentage of its clients buying the coverage rose from 26 percent in 2016 to 47 percent in 2020, the U.S. Government Accountability Office (GAO) stated in a May 2021 report.

Panel moderator Dale Porfilio, Triple-I’s chief insurance officer, asked whether cyber is even an insurable risk for the private market. Panelist Paul Miskovich, global business leader for the Pango Group, said cyber insurance has been profitable almost every year for most insurers. Most cyber risk has been managed through more controls in underwriting, changes in cybersecurity tools, and modifications in IT maintenance for employees, he said.

By 2026, projections indicate insurers will be writing $28 billion annually in gross written premium for cyber insurance, according to Miskovich. He said he believes all the pieces are in place for insurers to adapt to the challenges presented by cyber and that part of the industry’s evolution will rely on recruiting new talent.

“I think the first step is bringing more young people into the industry who are more facile with technology,” he said. “Where insurance companies can’t move fast enough, we need partnerships with managing general agents, with technology and data analytics, who are going to bring in data and new information.”

“Reinsurers are in the game,” said Catherine Mulligan, Aon’s global head of cyber, stressing that reinsurers have been doing a lot of work to advance their understanding of cyber issues. “The attack vectors have largely remained unchanged over the last few years, and that’s good news because underwriters can pay more attention to those particular exposures and can close that gap in cybersecurity.”

Mulligan said reinsurers are committed to the cyber insurance space and believe it is insurable. “Let’s just keep refining our understanding of the risk,” she said.

When thinking about the future, Milliman’s Beck stressed the importance of understanding the business-driven logic of the cybercriminals.

If, for example, “insurance contracts will not pay if the insured pays the ransom, the logic for the bad actor is, ‘I need to come up with a ransom schema where I’m still making money’,” since the insured can still pay without using the insurance contract.

This could lead to a scenario in which the ransom demands become smaller, but the frequency of attacks increases. Under such circumstances, insurers might have to respond to demand for a new kind of product.

Learn More about Cyber Risk on the Triple-I Blog

Cyberattacks on Health Facilities: A Rising Danger

Cyber Insurance’s “Perfect Storm”

“Silent” Echoes of 9/11 in Today’s Management of Cyber-Related Risks

Brokers, Policyholders Need Greater Clarity on Cyber Coverage

Cyber Risk Gets Real, Demands New Approaches

Cyberattacks on Health Facilities: A Rising Danger

By Max Dorfman, Research Writer, Triple-I

As cyberattacks have increased in recent years, those targeting hospitals and health systems have become an area of particular concern. These attacks have compromised not only private information but also threatened the lives and well-being of patients.

A major shift

Hospitals rely more than ever on computerized systems to manage their information and operations. With the added complications of the COVID-19 pandemic, the dangers associated with cyberattacks have only worsened.

“It’s part of a trend we’ve seen building over the last couple years, even before the pandemic,” said Scott Shackelford, chairman of the IU Cybersecurity Risk Management Program. Unfortunately, health-care providers are very much in the crosshairs. Not only do they often have insurance and deep pockets, but clinicians need uninterrupted access to patient information to perform procedures and provide required care.

Because of this vulnerability and urgency, Shackelford said, “They are more likely to pay up.”

“If you look at the surveys that have been done, about one-in-three health providers have been hit by ransomware attacks just since 2020, and there’s been a 45 percent uptick in that rate since last December,” Shackelford added.

One recent attack, on Johnson Memorial Health in Franklin, Indiana, disabled its computer system. Although the hospital said it could still manage its patient intake, the loss of computer capabilities slowed operations down dramatically.

“We’re used to sending lab orders via computer, sending prescriptions to pharmacies via computer, so we’re going back to a real reliance on paper again,” Johnson Memorial President and CEO David Dunkle said. “We’re using more human runners, people taking lab recs between the ER and the lab.”

Hospitals have been slow to respond

Although the medical field has seen major technological advances, not all health systems have built robust IT teams or thorough security protocols. New medical devices are one area of note: they take years to earn FDA approval and can ship with outdated software and operating systems that lack current security mechanisms.

This has given attackers the ability to disable or interfere with medical imaging devices such as MRI machines. A recent study by McAfee Enterprise’s Advanced Threat Research Team found that an IV pump made by German medical manufacturer B. Braun contained a vulnerability that would allow attackers to change medication doses remotely.

And while traditional phishing attacks require a user to open a malicious file or link (an approach now in decline), newer attacks can use so-called zero-click malware, which can compromise a device merely by its receiving a text or email, with no action by the user.

Additionally, the sensitive data that health systems hold gives attackers the opportunity to sell it online, or threaten to, with demands running into the millions of dollars. Since 2009 U.S. legislation pushed Medicare and Medicaid providers to adopt electronic health records, these risks have only accelerated.

Life and death circumstances

Hospitals now face not only the financial risks of cyberattacks but also threats to their patients’ lives.

In July 2019, Springhill Medical Center faced a massive ransomware attack that disabled its computer systems. The outage created dire circumstances for one infant, leaving doctors unable to monitor the child’s condition during delivery. The infant died, and the hospital is being sued by the mother for malpractice, a charge Springhill denies.

Another attack, in Düsseldorf, Germany, in 2020, was followed by the death of a 78-year-old woman from an aortic aneurysm. A routine ambulance pick-up turned into a nightmare when the local hospital’s systems were disabled by ransomware, forcing the emergency department to turn the woman away and the ambulance to travel much farther to another hospital. Her condition worsened along the way, and she died.

How much worse can it get?

By the middle of August of 2021, 38 attacks on health-care providers or systems had interrupted care at approximately 963 U.S. locations. For all of 2020, only 560 sites were affected in 80 separate incidents, according to Brett Callow, a threat analyst at security firm Emsisoft.

With the vast amount of data and equipment at each of these health facilities—as well as the linked networks of many systems—the threat of cyberattacks in health care will only continue to grow unless more action is taken.

Building a Robust Cyber Insurance Market Is Focus of Oct. 13 Panel

Triple-I CEO Sean Kevelighan will join a virtual panel on Wednesday, Oct. 13, at 11 a.m., ET, to brief public policymakers on ways to build a robust cyber risk insurance market.

“To allow businesses to operate safely in an increasingly interconnected world, insurers are working closely with their commercial customers to mitigate cyber risks and to make sure businesses have the right types, and amounts, of cyber insurance,” Kevelighan said. “However, as we are seeing increasing uncertainty in the extensiveness of cyber risk, it is also essential that we better understand the role government needs to play in particular around law enforcement and international diplomacy.”

As previously noted in The Triple-I Blog, some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for large terrorist acts prior to 9/11. Before those attacks, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act to stabilize the market.

“A balanced public-private partnership that recognizes where insurance can be a helpful financial responder, and how government is an essential preventative tool, will be critical to helping mitigate the ever-increasing cyber risks we are facing in the world,” Kevelighan said.

Presented by Indiana University’s Ostrom Workshop and Cybersecurity Risk Management Program in collaboration with The Institutes Griffith Insurance Education Foundation, the discussion can be viewed free of charge by public policymakers who register online in advance. It is one of three Cybersecurity Policy Bootcamp sessions the two organizations are co-hosting in October as part of Cyber Security Awareness Month.

The one-hour session will focus on Deepening Partnerships Between States, the Federal Government, the Private Sector, and Academia to Build a Robust Cyber Risk Insurance Market.

Along with Kevelighan on the panel will be three other subject matter experts:

  • Elizabeth Kelleher Dwyer, Esq., superintendent of Financial Services for Rhode Island Department of Business Regulation;
  • Scott J. Shackelford, JD, PhD, chair of the Cybersecurity Program at Indiana University, Bloomington; and
  • Douglas Swetnam, section chief for Data Privacy & Identity Theft in the Indiana Attorney General’s Office

Frank Tomasello, executive director for the Institutes Griffith Insurance Education Foundation, will be the panel’s moderator.

Learn More:

Article: Cyber Liability Risks

Video: Seven Cybersecurity Tips to Safeguard Your Business

Triple-I Blog:

Cyber Insurance’s “Perfect Storm”

“Silent” Echoes Of 9/11 in Today’s Management of Cyber Risks

Brokers, Policyholders Need Greater Clarity on Cyber Coverage

Cyber Risk Gets Real, Demands New Approaches

Cyber Insurance’s “Perfect Storm”

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.

Increasing cybercrime incidents resulting in large losses – combined with some carriers retreating from writing the coverage – is driving cyber insurance premiums sharply higher.

Once a diversifying secondary line or a mere endorsement on another policy, cyber has become a primary component of any corporation’s risk-management and insurance-buying decisions. As a result, insurers need to review their appetite for the peril, risk controls, modeling, stress testing and pricing.

According to A.M. Best, the prospects for the cyber insurance market are “grim” for several reasons:

  • Rapid growth in exposure without adequate risk controls,
  • Growing sophistication of cyber criminals, and
  • The cascading effects of cyber risks and a lack of geographic or commercial boundaries.

While the industry is well capitalized, A.M. Best says individual insurers who venture into cyber without thoroughly understanding the market can put themselves in a vulnerable position.

“The cyber insurance industry is experiencing a perfect storm between widespread technology risk, increased regulations, increased criminal activity, and carriers pulling back coverage,” according to Joshua Motta, co-founder and CEO of Coalition, a San Francisco-based cyber insurance and security company. “We’ve seen many carriers sublimit ransomware coverage, add coinsurance, or add exclusions.”

Worsening since the pandemic

A recent Willis Towers Watson study found primary and excess cyber renewals averaging premium increases “well into the double digits.” One factor helping to drive these increases, Willis writes, is the sudden shift toward remote work on potentially less-secure networks and hardware during the pandemic, which has made organizations more vulnerable to phishing and hacking.

The average cost of a data breach rose year over year in 2021 from $3.86 million to $4.24 million, according to a recent report by IBM and the Ponemon Institute — the highest in the 17 years that this report has been published. Costs were highest in the United States, where the average cost of a data breach was $9.05 million, up from $8.64 million in 2020, driven by a complex regulatory landscape that can vary from state to state, especially for breach notification.

The top five industries for average total cost were:

  • Health care
  • Financial
  • Pharmaceuticals
  • Technology
  • Energy

For the health care sector, the average total cost rose 29.5 percent, from $7.13 million in 2020 to $9.23 million in 2021.

Since the start of the year, cyber insurance rates have increased 7 percent for small businesses, according to AdvisorSmith Solutions. For midsize and large businesses, AdvisorSmith said, those increases were closer to 20 percent.

Insurers’ reactions

AIG last month said it is tightening terms of its cyber insurance, noting that its own premium prices are up nearly 40 percent globally, with the largest increase in North America.

“We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware and the systemic nature of cyber risk generally,” CEO Peter Zaffino said on a conference call with analysts.

In May, AXA said it would stop writing cyber policies in France that reimburse customers for extortion payments made to ransomware criminals. In a ransomware attack, criminals deploy malware that encrypts or otherwise blocks access to the victim’s own data and demand payment to restore access.

The FBI warns against paying ransoms, but surveys show that many business leaders pay anyway in the hope of getting their data back. An IBM survey of 600 U.S. business leaders found that 70 percent had paid a ransom to regain access to their business files. Of the companies responding, nearly half had paid more than $10,000, and 20 percent had paid more than $40,000.

Two advisories last year from U.S. Treasury agencies –  the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) – indicated that companies paying ransom or facilitating such payments could be subject to federal penalties. These notices underscore businesses’ need to consult with knowledgeable, reputable professionals long before an attack occurs and before making any payments. 

More like terror than flood

Cyber risk is unlike flood and fire, for which insurers have decades of data to help them accurately measure and price policies. Cyber threats are comparatively new and constantly evolving. The presence of malicious intent results in their having more in common with terrorism than with natural catastrophes.

Insurers and policyholders need to be partners in mitigating these risks through continuously improving data hygiene, sharing of intelligence, and clarity as to coverage and its limits.

“Silent” Echoes of 9/11 in Today’s Management of Cyber-Related Risks

Before Sept. 11, 2001, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act (TRIA) to stabilize the market.

TRIA requires insurers to make terrorism coverage available to commercial policyholders but doesn’t require policyholders to buy it. Originally created as a three-year program allowing the federal government to share losses due to terrorist attacks with insurers, it has been renewed four times: in 2005, 2007, 2015, and 2019.

An evolving risk

Terrorism risk has evolved in complexity and scope, and some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for terrorist acts two decades ago.

“The cyber landscape to me looks a lot like the counterterrorism landscape did before 9/11,” historian and journalist Garrett Graff said during a recent Homeland Security Committee event at which scholars and former 9/11 Commission members urged lawmakers to increase funding for the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies focused on preventing attacks.

Cyber is more complicated, said Amy Zegart, co-director of Stanford University’s Center for International Security and Cooperation, due to the private sector’s role “as both a victim and a threat vector. There are more people in the U.S. protecting our national parks than there are in CISA protecting our critical infrastructure.”  Cyberattacks like the one on the Colonial Pipeline underscore this reality.

When TRIA was reauthorized in 2019, a crucial component was the mandate for the Government Accountability Office (GAO) to make recommendations to Congress on amending the act to address cyberthreats. The trillion-dollar infrastructure bill now being considered in Congress proposes $1.9 billion for cybersecurity, with more than half set aside for state, local, and tribal governments. It would establish a Cyber Response and Recovery Fund for use by CISA.

“Silent cyber”

Like terrorism before 9/11, much cyber risk remains silent. Silent cyber – also called “non-affirmative cyber” – refers to potential losses stemming from policies not designed to cover cyber-related hazards. If silent cyber isn’t addressed, insurer solvency could be affected, ultimately hurting policyholders. 

The United Kingdom’s Prudential Regulation Authority in 2019 sent a letter to all U.K. insurers saying they must have “action plans to reduce the unintended exposure” to non-affirmative cyber. Later that year, Lloyd’s issued a bulletin mandating clarity on all policies as to whether cyber risk is covered. This led many insurers to exclude cyber or include it and price the risk accordingly. 

“Other regulators and the rating agencies have been less vocal about the issue,” writes Willis Towers Watson, “and, until recently, efforts to address silent cyber have been limited.” Some insurers – most notably in the specialty mutual sector – updated their policies in the mid-2010s to provide clarity on cyber. But, until recently, movement elsewhere has been sporadic, Willis writes.

Event-driven action

The recent proliferation of ransomware attacks leading to business interruption has led to cyber insurance – which began as a diversifying, secondary line – becoming a primary insurance-purchasing consideration. Unfortunately, while policies are available, many policyholders still incorrectly expect to be covered under their property and liability policies. Confusion around cyber coverage can lead to unexpected gaps.

“In a best-case scenario, a cyber incident may trigger coverage under multiple policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”

Cyber risk will only grow in significance, complexity, and cost as the world becomes more wired and interdependent. The costs of cyberattacks are potentially massive and need to be mitigated in advance.

From the Triple-I blog

Emerging Cyber Terrorism Threats and the Federal Terrorism Risk Insurance Act

A World Without TRIA:  Formation of a Federal Terrorism Insurance Backstop

Brokers, Policyholders Need Greater Clarity on Cyber Coverage

Cyber Risk Gets Real, Demands New Approaches

Businesses Large and Small Need to Be Cyber Resilient in a COVID-19 World

Victimized Twice? Firms Paying Cyber Ransom Could Face U.S. Penalties

From Risk & Insurance (an affiliate of The Institutes and sister organization to Triple-I)

Silent Cyber Will Sabotage Your Insurance Policy if You Don’t Watch Out. Here’s What Risk Managers Should Keep Top of Mind

Brokers, Policyholders Need Greater Clarity on Cyber Coverage

By Loretta Worters, Vice President, Media Relations, Triple-I 

Despite the prevalence of cyber threats and the increasing number and severity of incidents, directors, officers, and C-suite executives remain too much in the dark when it comes to cyber risk and insurance, Risk & Insurance writer Alex Wright describes in this month’s cover story, Vigilance Demanded.

While specific policies are available to cover the risk, many policyholders still expect to be covered under their property and liability policies — but are not. Risk & Insurance, an affiliate of the Institutes and the Triple-I’s sister organization, notes that commercial insurance policies still suffer from a lack of clarity regarding damage from cybercrimes.

Confusion around coverage can lead policyholders to experience unexpected coverage gaps.

“In a best-case scenario, a cyber incident may trigger coverage under multiple insurance policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple insurance policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”

Of particular concern to insurers is silent – or “non-affirmative” – cyber risk, in which potential cyber-related events or losses are not expressly covered or excluded within traditional policies. In such cases, insurers can end up having to pay unexpected claims for which the policies weren’t adequately priced.

“Cyber risk is present in just about every insurance policy now,” said Tracie Grella, AIG’s global head of cyber insurance. “But because it hasn’t been factored into the underwriting of standard policies such as property, or properly identified, assessed, priced for and put into the aggregation model, it presents a huge systemic risk that can’t simply be ignored.”

Silent cyber first manifested in the WannaCry, Petya and NotPetya cyber-attacks of 2017, which devastated everything from shipping ports and supermarkets to advertising agencies and law firms, the article explains. The resulting losses from the encryption of files and master file tables, and the subsequent Bitcoin ransom demands for restoring access, were the costliest on record, surpassing $3 billion.

Underwriters, brokers, and policyholders need to understand how ever-evolving risks and legal frameworks will affect their policies. They also need to keep themselves apprised of the scale of the problem and understand the most common misconceptions and coverage disputes around silent cyber.

More on cyber from Risk & Insurance

5 Tips to Get the Board Invested in Cyber Risk Management

Why Every Company Needs a Cyber Attack Response Plan No Matter Their Size — and Helpful Tips to Get Started

No One’s Safe from Cyber Threats. Train Your Employees to Defend Your Company Now or Risk Millions

Managing Cyber Risk for Mid- and Large-Sized Companies: Why Each Requires a Specialized Approach

More from the Triple-I Blog

Cyber Risk Gets Real, Demands New Approaches

Businesses Large and Small Need to Be Cyber Resilient in a COVID-19 World

Victimized Twice? Firms Paying Cyber Ransom Could Face U.S. Penalties

Cyber Risk Gets Real, Demands New Approaches

With the cyber risk environment worsening significantly, a recent A.M. Best report says, “prospects for the U.S. cyber insurance market are grim.”

The recent proliferation of ransomware attacks leading to business interruption and other related hazards has caused cyber insurance – which began as a diversifying, secondary line – to become a primary component of a corporation’s risk management and insurance purchasing decisions.

Consequently, the A.M. Best report says, insurers urgently need to reassess all aspects of cyber risk, including their appetite, risk controls, modeling, stress testing, and pricing, to remain a viable long-term partner for dealing with cyber risk.

Cyber insurance “take-up” rates (the percentage of eligible customers opting to buy the coverage) are on the rise, according to a recent Government Accountability Office (GAO) report – to 47 percent in 2020 from 26 percent in 2016. This increased demand has been accompanied by higher prices for cyber insurance, as well as reduced coverage limits for some industry sectors, such as healthcare and education. In a recent survey of insurance brokers, the GAO says, more than half of respondents’ clients saw prices rise 10 to 30 percent in late 2020.

“The rate increases for cyber insurance outpaced that of the broader property/casualty industry, but the increase in cyber losses outstripped the rate hikes, which suggests more trouble for 2021 as ransom demands continue to grow,” said Sridhar Manyem, director, industry research and analytics at A.M. Best.

The A.M. Best report says the challenges the cyber insurance market faces include:

  • Rapid growth in exposure without adequate underwriting controls;
  • The growing sophistication of cyber criminals that have exploited malware and cyber vulnerabilities faster than companies that may have been late in protecting themselves; and
  • The far-reaching implications of the cascading effects of cyber risks and the lack of geographic or commercial boundaries.

In April, Federal Reserve Chairman Jerome Powell said cyberattacks are the foremost risk to the global financial system, even more so than the lending and liquidity risks that led to the 2008 financial crisis.  

“The world evolves, and the risks change as well and I would say that the risk that we keep our eyes on the most now is cyber risk,” Powell said. “There are scenarios in which a large financial institution would lose the ability to track the payments that it’s making, where you would have a part of the financial system come to a halt, and so we spend so much time, energy and money guarding against these things.” 

The Fed chief’s concerns have since been borne out by attacks on the Colonial Pipeline, JBS SA – the world’s largest meat producer – the New York City Metropolitan Transportation Authority, and others.

More recently, FBI Director Christopher Wray compared the current spate of cyberattacks with the challenge posed by the Sept. 11, 2001, terrorist attacks. He said the agency was investigating about 100 different types of ransomware, many tracing back to hackers in Russia.

As we’ve written elsewhere with respect to natural catastrophes, it seems the world has entered a phase in which the traditional emphasis on risk transfer through insurance products is no longer sufficient to address today’s complex, interconnected perils. A focus on resilience and pre-emptive mitigation is in order, and insurers are well positioned to serve not only as financial first responders but as partners in managing these evolving hazards.

Ms. Winnie Tsen, Assistant Director, Financial Markets and Community Investment, U.S. Government Accountability Office (GAO), was one of the key contributors to the GAO’s May 2021 report on cyber insurance.

Man-made and Natural Hazards Both Demand a Resilience Mindset

This weekend’s ransomware attack that forced the closure of the largest U.S. fuel pipeline provides another powerful illustration of the need for a resilience mindset that applies to more than just natural catastrophes.

Colonial Pipeline Co. operates a 5,500-mile system that transports fuel from Gulf Coast refineries to the New York metropolitan area. It said it learned Friday that it was the victim of the attack and “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.”

Individually, the event demonstrates the threat cybercriminals pose to the aging energy infrastructure that keeps the nation moving. More frighteningly, though, it is yet another example of how vulnerable the complex, interconnected global supply chain is to disruptions of all kinds – a message that isn’t lost on risk managers and insurers.

Last year, according to a Department of Homeland Security (DHS) alert, a ransomware attack spread from an unnamed natural-gas pipeline operator’s business network into the control systems at a compression facility, halting operations for two days. Although staff didn’t lose control of operations, the alert said, the company didn’t have a plan in place for responding to a cyberattack.

“This incident is just the latest example of the risk ransomware and other cyber threats can pose to industrial control systems, and of the importance of implementing cybersecurity measures to guard against this risk,” a CISA spokesperson said at the time.

Not just energy companies

It isn’t only energy and industrial companies that need to be paying attention. According to cyber security firm VMware, attacks against the global financial sector increased 238 percent from the beginning of February 2020 to the end of April, with some 80 percent of institutions reporting an increase in attacks.

“Cyber is an existential issue for financial institutions, which is why they invest heavily in cyber security,” says Thomas Kang, Head of Cyber, Tech and Media, North America at Allianz Global Corporate & Specialty (AGCS). “However, with such potentially high rewards, cybercriminals will also invest time and money into attacking them.”

He pointed to two malware campaigns – known as Carbanak and Cobalt – that targeted over 100 financial institutions in more than 40 countries over five years, stealing over $1 billion.

An AGCS report shows technical failures and human error are the most frequent generators of cyber claims, but the financial impact of these is limited:

“Losses resulting from the external manipulation of computers, such as distributed denial of service attacks (DDoS) or phishing and malware/ ransomware campaigns, account for the significant majority of the value of claims analyzed across all industry sectors (not just involving financial services companies).”

According to the report, regulators have turned their attention to cyber resilience and business continuity.

“Following a number of major outages at banks and payment processing companies, regulators have begun drafting business continuity requirements in a bid to bolster resilience.”

Not just cyber

The COVID-19 pandemic has taught the world a lot of lessons, not the least of which is how vulnerable the global supply chain – from toilet paper to semiconductors – is to unexpected disruptions. Demand for chlorine increased during 2020 as more people used their pools while stuck at home under social distancing orders, and homeowners also began building pools at a faster rate, adding further to demand. Such disruptions can ripple through the economy in different directions.

Business interruption claims and litigation have been a significant feature of the pandemic for property and casualty insurers.

When the container ship Ever Given got wedged in the Suez Canal – one of the most important arteries in global trade – freight traffic was completely blocked for six days. Even as movement resumed, terminals experienced congestion, and the severe drop in vessel arrivals and container discharge at major terminals aggravated existing shortages of empty containers available for exports. The ship’s owners and the Egyptian government remain locked in negotiations over compensation for the disruption, and the ship is still impounded.

Spurred in part by this event, the Japanese shipping community is considering alternative freight routes to Europe, both reliant on Russia: the Trans-Siberian Railway and the Northern Sea Route. Neither option is devoid of risks.

In an increasingly interconnected world, there is no bright line distinguishing man-made from natural disasters. After all, the Ever Given grounding was caused, at least in part, by a sandstorm. April’s power and water disruptions that left dozens of Texans dead and could end up being the costliest disaster in state history were initiated by a severe winter storm.

A resilience mindset focused on pre-emptive mitigation and rapid recovery is called for in both cases. There is no “either/or.”

Businesses are urged to take steps immediately to mitigate massive data breach tied to Chinese hackers

The alarm about the ongoing hack of Microsoft Exchange Server, which began as early as January, appears quite justified. Microsoft believes a state-sponsored Chinese group called Hafnium orchestrated the attack that exploited flaws in Exchange software to gain access to email accounts and install unauthorized software, gaining full control of affected systems.

Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, according to Microsoft.

In a tweet, the United States Cybersecurity and Infrastructure Security Agency (CISA) urged “ALL organizations” across “ALL sectors” to follow its guidance to address the email software’s vulnerabilities.

The number of U.S.-based organizations affected is estimated to be at least 30,000, while worldwide that number is close to 100,000. The vulnerability can be exploited to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack. CISA advises business leaders at all organizations to ask IT personnel to immediately address this incident or get third-party IT support.

A Hafnium attack should trigger any cyber insurance an organization has in place, according to Lockton, an insurance broker. Lockton recommends that organizations contact their insurer only if they discover that the vulnerabilities being exploited are present in their systems. If an attack is underway, it should be reported to cyber insurers immediately.

Businesses Large and Small Need to Be Cyber Resilient in a COVID-19 World

By Loretta Worters, Vice President, Media Relations, Triple-I

Advanced Persistent Threat groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Weak and stolen passwords, back doors, application vulnerabilities, malware and insider threats have been among the most common causes of data breaches in the past. But according to a recent Willis Towers Watson report, new threats include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure;
  • Malware distribution, using coronavirus or COVID-19-themed lures;
  • Registration of new domain names containing wording related to coronavirus or COVID-19; and
  • Attacks against newly and often rapidly deployed remote access and teleworking infrastructure.

Security breaches have increased by 67% since 2014, yet businesses fail to take the proper precautions. Ransomware has become big business for “professional” criminals, crippling large and small businesses alike. But small businesses are especially attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.

A remote workforce due to COVID-19 has made many organizations address issues of remote access and the need for multifactor authentication and virtual private networks (VPNs). But others – less cyber savvy – have left themselves exposed to cyberattacks.

In addition, vishing (via telephone) and smishing (via text message or WhatsApp) attacks have also increased in frequency, and in a work-from-home environment where colleagues and clients are increasingly connecting via mobile phones, vulnerability increases, according to a new Aon report. Short message attacks will generally seek to redirect a victim to a compromised website in order to harvest user credentials.

According to a recent survey by the Small Business Administration, 88% of small business owners felt their business was vulnerable to a cyberattack – and that was before the pandemic. Yet many businesses can’t afford professional IT solutions, have limited time to devote to cybersecurity, or don’t know where to begin.

In observance of National Cybersecurity Awareness Month, Triple-I offers U.S. businesses these seven tips for improving their cybersecurity and averting data breaches:

  1. Understand your cyber risks. Businesses are vulnerable to cyberattacks through hacking, phishing, malware, and other methods.
  2. Train staff. Those engaged in cyberattacks look for a point of entry into a business’ systems and network. A business’ exposure can be reduced by having and enforcing a computer password policy for its employees.
  3. Keep software updated. Businesses should routinely check and upgrade the major software they use.
  4. Create back-up files and store them off-site. A business’ files should be backed up either to an external hard drive or to a separate cloud account. Taking these steps is vital to data recovery and to limiting the damage from ransomware. Ransomware is a cyberattack in which a business is asked to pay a fee to regain access to its own data.