Category Archives: Cyber Risk

Businesses Large and Small Need to Be Cyber Resilient in a COVID-19 World

By Loretta Worters, Vice President, Media Relations, Triple-I

Advanced Persistent Threat groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months.  Weak and stolen passwords, back doors, applications vulnerabilities, malware and insider threats have been among the most common causes of data breaches in the past.  But according to a recent Willis Towers Watson report new threats include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure;
  • Malware distribution, using coronavirus or COVID-19-themed lures;
  • Registration of new domain names containing wording related to coronavirus or COVID-19; and
  • Attacks against newly and often rapidly deployed remote access and teleworking infrastructure.

Security breaches have increased by 67% since 2014, yet businesses fail to take the proper precautions.   Ransomware has become big business for “professional” criminals, crippling large and small businesses alike.  But small businesses are especially attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses. 

A remote workforce due to COVID-19 has made many organizations address issues of remote access and the need for multifactor authentication and virtual private networks (VPNs). But others – less cyber savvy— have left themselves exposed to cyberattacks.

In addition, vishing (via telephone) and smishing (via text message or WhatsApp) attacks have also increased in frequency, and in a work from home environment where colleagues and clients are increasingly connecting via mobile phones, vulnerability increases, according to a new AON Report. Short message attacks will generally seek to redirect a victim to a compromised website in order to harvest user credentials.

According to a recent survey by the Small Business Administration , 88% of small business owners felt their business was vulnerable to a cyber-attack – and that was before the pandemic. Yet many businesses can’t afford professional IT solutions, have limited time to devote to cybersecurity, or don’t know where to begin.

In observance of National Cybersecurity Awareness Month,  Triple-I offers U.S. businesses these seven tips for improving their cybersecurity and averting data breaches:

  1. Understand your cyber risks. Businesses are vulnerable to cyberattacks through hacking, phishing, malware, and other methods. 
  2. Train Staff. Those engaged in cyberattacks find a point of entry into a business’ systems and network. A business’ exposure can be reduced by having and enforcing a computer password policy for its employees.
  3. Keep Software Updated. Businesses should routinely check and upgrade the major software they use.
  4. Create back-up files and store off-site. A business’ files should be backed up either as an external hard drive or on a separate cloud account. Taking these steps are vital to data recovery and the prevention of ransomware. Ransomware is when a cyberattack results in a situation where a business is asked to pay a fee to regain access to its own data.

Victimized Twice? Firms Paying Cyber Ransom Could Face U.S. Penalties

Recent advisories from two U.S. Treasury agencies –  the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) – indicating that companies paying ransom or facilitating such payments to cyber extortionists could be subject to federal penalties are a reminder of the importance of good cyber hygiene.  

The notices also underscore businesses’ need to consult with knowledgeable, reputable professionals long before a ransomware attack occurs and before making any payments. 

Ransomware on the rise 

In a ransomware attack, hackers use software to block access to the victim’s own data and demand payment (usually in Bitcoin or another cryptocurrency) to regain access. It has been a growing problem in recent years, and such attacks have intensified since the COVID-19 pandemic has led to many people working from home for the first time.  

The FBI warns against paying ransoms, but studies have shown that business leaders today pay a lot in the hope of getting their data back.  An IBM survey of 600 U.S. business leaders found that 70% had paid a ransom to regain access to their business files. Of the companies responding, nearly half have paid more than $10,000, and 20% of them paid more than $40,000. 

Sanctioned entities 

The OFAC advisory specifically targets transactions benefiting individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). 

If you pay ransom to anyone in these categories, you could be fined or even jailed for breaching the  International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA). Penalties can vary widely, depending on the circumstances.  

How is a business owner to know?  

“Companies should rely on experts to assist with their due diligence and work with the FBI,” writes law firm BakerHostetler in a recent blog post. “Experience in incident response is key, and your counsel should be an informed, confident partner as you navigate this rapidly evolving area.” 

“Before a payment is made,” the law firm writes, “a company generally retains a third party to conduct due diligence to ensure that the payment isn’t being made to a sanctioned organization or a group reasonably suspected of being tied to a sanctioned organization. Additionally, checks are in place to ensure that anti-money laundering laws are not being violated.”

Many insurers are working with their clients to put such practices in place and taking a variety of other steps to address the threat of ransomware attacks. Cyber-insurance premiums started rising 5% to 25% late last year, according to Robert Parisi, U.S. cyber product leader at insurance broker Marsh & McLennan. Parisi called the increases “dramatic” but said insurers have not scaled back coverage. 

Marsh has issued a client advisory — What OFAC’s Ransomware Advisory Means for US Companies — explaining what U.S. businesses need to know about the OFAC advisory and the importance of completing an OFAC review before payment of ransom demands.  Marsh’s advisory also makes recommendations for re-assessing ransom incident response plans, mitigating ransomware risk, and preparation for and recovery from ransomware and cyber extortion attacks. 

Ransomware claims rise in severity since start of pandemic

During the last week in September, Universal Health Services Inc., one of the largest hospital chains in the United States, began taking some ambulances out of service because of disruptions caused by a ransomware attack. Universal said no patients were harmed, but systems that support medical records, laboratories and pharmacies were taken offline at approximately 250 facilities.

This incident is part of a disturbing trend of healthcare institutions being targeted by ransomware attacks  as the software used by hackers becomes more sophisticated and their attacks broader.

While cyber insurance claims impacted businesses of all types and sizes certain industries, including consumer businesses (retail, hospitality and food), healthcare and financial services were more frequent targets of cyberattacks in the first half of 2020, according to a recent report by Coalition, a provider of cyber insurance.

Overall, ransomware (41 percent), funds transfer loss (27 percent), and business email compromise incidents (19 percent) were the most frequent types of loss—accounting for 87 percent of reported incidents and 84 percent of claims paid in the first half of 2020.

“We’ve seen a sharp increase in ransom demands over the past quarter as threat actors have exploited COVID-19 and changes in company operating procedures. Although the frequency of ransomware claims has decreased by 18 percent from 2019 into the first half of 2020, we’ve observed a dramatic increase in the severity of these attacks,” said the Coalition report.

Since email is the single most targeted point of entry for a hacker, taking a few basic email security measures and implementing an anti-phishing solution would go a long way toward securing your business from criminals.

Coalition reports that, for each claim processed, cyber insurance played a critical role in helping the insured recover operationally. For example, a nonprofit organization providing child and family services grants to other nonprofits was duped into transferring $1.3 million to criminals. Coalition worked with law enforcement and the financial institutions involved to recover the stolen funds.

Senate Panel Meets
On COVID-19 Fraud

The Senate Judiciary Committee last week held a  hearing  titled “COVID-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic.”   

The hearing included testimony by William Hughes, associate deputy attorney general, U.S. Department of Justice; Craig Carpenito, U.S. attorney, District of New Jersey; Calvin Shivers, assistant director, Criminal Investigative Division, Federal Bureau of Investigation; and Michael D’Ambrosio, assistant director, U.S. Secret Service, Department of Homeland Security. 

Testimony focused on the response to fraud that has resulted from the COVID-19 pandemic. Examples included sale of fraudulent personal protective equipment (PPE) and cyber-enabled fraud; price gouging and hoarding; and fraud relating to the CARES Act’s Paycheck Protection Program (PPP). 

As demand for PPE has been greater than the supply, the environment created has been “ripe for exploitation,” Shivers said.  

In addition to sales of counterfeit PPE, he cited “advance fee” schemes – in which a victim prepays for goods like ventilators, masks, or sanitizer that are never received – and business email compromise (BEC) schemes, which involve spoofing an email address or using one that’s nearly identical to one  trusted by the victim to instruct them to direct funds to bank accounts controlled by the fraudsters. 

Shivers said the FBI is working to educate “the health care industry, financial institutions, other private sector partners, and the American public of an increased potential for fraudulent activity dealing with the purchase of COVID-19-related medical equipment.”  

He added that millions of units of PPE have been recovered from price-gouging and hoarding operations and the FBI is working to determine next steps for how to redistribute or sell the PPE. 

D’Ambrosio said that although “criminals throughout history have exploited emergencies for illicit gain, the fraud associated with the current COVID-19 pandemic presents a scale and scope of risks we have not seen before.” 

He described four categories of threat: 

  1. COVID-19-related scams, including the sale of fraudulent medical equipment and nondelivery scams;  
  1. Cybercrime like BECs, exploiting increased telework; 
  1. Ransomware and other activities that could disrupt pandemic response; and 
  1. Defrauding government and financial institutions associated with response and recovery efforts. 

Thus far, the Secret Service has initiated over 100 criminal investigations, prevented approximately $1 billion in fraud losses, and disrupted hundreds of online COVID-19-related scams, D’Ambrosio said. 

CORONAVIRUS WRAP-UP: PROPERTY AND CASUALTY (4/21/2020)

Automobile Insurance
Acting on ‘Thin’ Data, Auto Insurers Retain Flexibility With Premium Credits
Speeders Take Over Empty Roads — With Fatal Consequences
Business Interruption
Triple-I Economists: Enforced COVID-19 Business Interruption Payouts Would Damage Industry
Fight Over Pandemic Insurance Intensifies
Restaurants vs. Insurers Shapes Up as Main Event In D.C. Lobbying Fight
Cyber Risk
Hacking Against Corporations Surges as Workers Take Computers Home
Directors & Officers
D&O Insurance May Help Non-Public Companies With COVID-19 Claims
Financial Impact
Despite Recent Market Rally, Pandemic Will Continue to Hit Insurers’ Investments
COVID-19 to deter M&A activity in 2020: Conning
Kidnap & Ransom
Pandemic Exposes Organizations to Kidnap for Ransom Risk
Litigation
U.S. Businesses Bring Wave of Class Action Lawsuits Against Insurance Companies for Denial of Business Interruption Claims in Wake of COVID-19Pandemic
Hiscox Faces Legal Action From Chef Raymond Blanc: Reports
Ending Virus Shutdowns Too Soon Poses Legal Risk for Businesses
Reinsurance and Insurance-Linked Securities
Lack of Exclusions, Poor Wordings the COVID-19 BI Threats to Reinsurers & ILS
Workers Compensation
Utah Passes Bill to Provide First Responders With Comp for COVID
Comp Premiums Likely to Dip as Employment Declines: NCCI

From The Triple-I Blog:
MIXED REACTIONS TO WORKERS COMP COVID-19 EXPANSIONS

CORONAVIRUS WRAP-UP: PROPERTY AND CASUALTY (4/17/2020)

Auto Insurance
Stay-at-home Pandemic Orders Reduce Auto Claims Almost by Half
As Coronavirus Empties Streets, Speeders Hit the Gas
Business Interruption
UK Watchdog Orders Insurers to Pay Small Business Claims Quickly
Cannabis Insurance
Pandemic Could Shrink Cannabis Insurers’ Premiums, Market
Cyber Insurance
Preventing Losses Due to Growing Cyber Crime During Coronavirus Crisis
As Attacks Rise, Paladin Offers Cybersecurity Platform Free to Insurance Agencies
Disaster Preparedness
‘Uncharted Territory’ as Wildfire Fighting Adapts to Pandemic
Insurance-Linked Securities
Artemis Live: Interview with Tom Johansmeyer, Head of PCS
Litigation
Nashville Bar Sues Insurer Over COVID-19 Loss Claim. Experts Say It Won’t Be the Last
Businesses Warn Fear of Liability Lawsuits Could Stall Rebooting of Economy
P/C Industry Impact
Suddenly There is Big Demand for Pandemic Cover, Says Underwriter
Chubb CEO: Forcing Insurers to Pay Pandemic Loss Claims is ‘Plainly Unconstitutional’
Allianz CEO: Pandemic Hit “Like a Metororite”
From Hacker Attacks to Shareholder Lawsuits, Insurance Industry Braces for COVID-19 Fallout
Public Health and Safety
What FDA Says About Food Safety Amid COVID-19
Travel Insurance
Travelers Consider Their Risk Tolerance
HOLIDAY HELL How to Get a Refund on Your Holiday if it’s Cancelled and How Long Should it Take to Get Cash Back
Workers Compensation
Workers Compensation in Wake of COVID-19

From the Triple-I Blog:
INSURERS RESPOND TO COVID-19 (4/17/2020)
TRIPLE-I BRIEFING: SURPLUS IS KEY TO INSURERS KEEPING POLICYHOLDER PROMISES
PUTTING CAR INSURANCE PRICES INTO PERSPECTIVE

CORONAVIRUS WRAP-UP: PROPERTY AND CASUALTY (4/16/2020)

Legislation and regulation
Democrats Plan Legislation to Force Insurance Companies to Pay Out for Pandemic Losses
Thompson Introduces the Business Interruption Insurance Coverage Act
Lawmakers Advocate Stimulus Aid to Insurers on Business Interruption
SC Proposes Bill Over Coronavirus-related Business Interruption Claims
NJ offers grace period for insurance premium expenses
Coronavirus Regulations: A State-By-State Week In Review
Litigation
COVID-19, business interruption and bad faith litigation
P/C Industry Impact
No Evidence COVID-19 Industry Loss Will Match Large Catastrophe Years: Flandro
How Insurance Claims Pros Are Adjusting to Pandemic Complications
COVID-19 Response ‘Could Bankrupt the Insurance Industry’: Insurance Defense Lawyer
Coronavirus response: Short- and long-term actions for P&C insurers
Auto Insurance
Analysts: Auto Insurance Coronavirus Rebates a Solid Move in Short Term
Will Fewer Drivers on the Road Mean Lower Auto Losses? It Depends
Auto Insurers Offer Rebates as Traffic Abates During Pandemic
Business Interruption
Neglecting Idle Facilities Amid COVID-19 Will Cost Companies, Warns FM Global
Cyber
Working From Home? Don’t Let Cyber Criminals Break In
Hospital Hackers Seize Upon Coronavirus Pandemic
Workers Compensation
COVID-19 Comp Expansions Could Have Significant Impact on Industry

CORONAVIRUS WRAP-UP: PROPERTY AND CASUALTY (4/13/2020)

Auto Insurance
Car Insurance Refunds Become Standard Issue
State Farm Rolls Out $2 Billion Consumer Financial Relief Program
The Landscape Has Changed Dramatically’: Donelon Calls for Lower Car Insurance Rates
Business Interruption Insurance
COVID-19, Business Interruption Coverage, and the ‘Physical Loss or Damage’ Requirement
S.C. Bill Would up Pressure on Insurers to Cover Business Interruption
Insurers Can’t Cover Everything
With Hollywood on Hiatus, Studios Bracing for Fights With Insurers Over Coronavirus Losses
Proposed Backstop Would Cover Pandemic Business Interruption
Claims
Best’s Insurance Law Podcast Discusses Impact of COVID-19 on Claims
Coronavirus comp claims present challenges: Experts
Cyber
State-Backed Hackers Taking Advantage of Outbreak: Officials
The Line Between Biological and Cyber Threats Has Never Been So Thin
Hackathons Target Coronavirus
Impacts by Industry
Shifts in Manufacturing Create New Exposures: Experts
6 Critical COVID-19 Risks Facing the Health Care Industry
Tracking U.S. Small and Medium Business Sentiment During COVID-19
Pharmacy Workers Are Coming Down With COVID-19. But They Can’t Afford to Stop Working
6 Critical COVID-19 Risks for the Construction Industry

COVID-19 Meets Cyberrisk

As COVID-19 spreads, we’ve been hearing more about the importance of hygiene and maintaining “social distance.”

Last night I found out the cyberrisk conference I was scheduled to attend this morning had been changed to a “virtual” meeting. With so many events being canceled or postponed out of an abundance of caution over the spreading COVID-19 virus, it was nice to know the show would go on safely.

I’d already been working from home (thank you, Triple-I!) to avoid exposure during my train commute and potentially becoming a “vector” to family, friends, and co-workers. As I waited for the event to begin, I scrolled through my news feed and spotted several stories about risks related to increased remote work.

Cyberrisk featured prominently in these articles. Unprotected devices, they warned, can lead to data losses, privacy breaches, and ransomware attacks.

One article alluded to campaigns designed specifically to tap into concerns around COVID-19.

“We are already seeing targeted phishing campaigns globally,” said New Zealand Health IT chief executive Scott Arrol. “The cyber virus taking advantage of the biological virus.”

Arrol said hackers seeking to exploit fears of Covid-19 are sending fake ads or links with online viruses.

The message “might look like it has come from the World Health Organization, inviting you to register for more information,” he said. “You click on that link, you’ll be taken to fill out a form and then suddenly…you’re giving away personal information you shouldn’t.”

Technology can help us maintain social distance, but the devices we rely on need to be managed and protected, lest they make us even more vulnerable.

Insurance broker Aon has issued an advisory cautioning employers to take steps to ensure that work-from-home employees can connect to secure remote networks, a Claims Journal article says.

“Any time you’re taking about employees who are not used to working from home, who may not have the correct cybersecurity posture, a virtual private network (VPN) is critically important and having two-factor authentication is critically important,” Aon Senior Vice President Stephanie Snyder said.

A VPN connects remote users or regional offices to a company’s private internal network. Two-factor authentication adds a layer of security beyond a password to make sure a user is authorized to access the system.

Snyder added that telecommuters may be tempted to work from their laptops at a coffee shop – potentially exposing their computers to intrusion. She said employers need to have strict security protocols in place to avoid such exposures.

So, I wasn’t surprised when one of the first speakers at the event I was “attending” mentioned viral epidemics like COVID-19 as something underwriters just a few years ago would not have considered a factor in assessing cyber risk but now should.

As I’ve written before, increasingly interconnected risks require a holistic approach to risk management – one that takes into account preparation, mitigation, and built-in resilience. As COVID-19 has spread beyond its origins in Asia, we’ve been hearing more about the importance of hygiene and of maintaining “social distance.”

Technology can help us maintain social distance, but the devices we rely on need to be managed and protected, lest they make us even more vulnerable.

Consumers lack understanding of personal cyber insurance: I.I.I./J.D. Power Survey

Getty Images

By Mary-Anne Firneno, Research Manager, Insurance Information Institute

Americans have embraced the Internet of Things. As consumers own more internet-connected devices and buy more products online and businesses use more electronic data and online storage, cyberattacks continue to occur.

Despite reports of ever-larger data breaches, awareness of the protection available to consumers through insurance has shrunk over the past year, according to a survey from the Triple-I and J.D Power.

The 2020 Consumer Cyber Insurance and Security Spotlight Survey℠: Consumer indifference is still a challenge for personal cyber insurers, found that only about one in 10 American consumers who have connected devices in their homes or vehicles say they have insurance to help them recover from a cyberattack. And close to half do not know whether they have this protection. Fewer connected device owners say they have cyberrisk insurance than when the Triple-I and J.D. Power polled them in 2018.

Yet consumers are interested in cyberrisk insurance. More than half of connected-device owners (56 percent) said they believed homeowners or auto policies should offer cybersecurity coverage.

So why don’t more consumers buy cyberrisk insurance? The 2020 Consumer Cyber Survey found that three-quarters of connected consumers are reluctant to pay more for cyberrisk coverage – despite the fact that cyber coverage is relatively inexpensive: about $10 from a package policy and about $40 for a separate one.

Persistent attitudes that cyber coverage is a not a product consumers are willing to purchase is an opportunity for insurance professionals to explain the value of personal cyber coverage.