Anyone who works in cyber insurance knows that the industry is never static. It’s an ever-changing business as risks change all the time, and it has never been more evident than it is now, panelists said on Insurance Journal’s recent webinar – Cyber Insurance: Is This the Beginning, Middle or End?
“The game changer,” said Justin Herring, deputy executive superintendent in the New York State Department of Financial Services (DFS), “has been ransomware.”
Ransomware attacks accounted for nearly a quarter of all cyber incidents worldwide last year, according to software company Bitdefender.
“I still think of December 2019 as the tipping point of when we started to see ransomware take hold,” said Bob Wice, global head of underwriting management for Cyber & Tech at Beazley.
Indeed, the United States was hit by a barrage of ransomware attacks in 2019 that affected at least 966 government agencies, educational institutions and healthcare providers at a potential cost of over $7.5 billion, Emsisoft reported on its blog.
“And you just see with each passing year, but sometimes it seems like almost with each passing month, we see more and more of these events,” Herring said.
A recent wave of attacks this year has been of particular concern among U.S. government officials, as they have been attributed to cybercriminals operating from Russia, Insurance Journal previously reported. There was the hack last year in which Russian military cybercriminals sabotaged the computer code of software called SolarWinds. Today, a ransomware attack in July found itself at the center of the conversation, in which Florida-based information technology company Kaseya saw its management system hacked. REvil, a cybercrime syndicate linked to Russia, took credit for the breach.
In June, REvil extorted an $11 million ransom from meat packer JBS after compromising its supply chain. Earlier this year, in May, an intrusion by another Russian-linked group into U.S. fuel carrier Colonial Pipeline shut down 5,500 miles of critical infrastructure, sparking panic buying and gas shortages all along the East Coast.
“You can also see that we have had recent cyber attacks where an attack that has crossed over widely used technology has accessed or disrupted or potentially disrupted many organizations,” Herring said. “Similar types of attacks on IT or technology vendors or service providers have suddenly disrupted a half-dozen, a dozen or more companies regulated by DFS.”
Herring said a growing interdependence on technology, especially during the ongoing COVID-19 pandemic, has made businesses and organizations more vulnerable to the type of cyber attack that can have systemic effects.
“[We’re seeing] attacks effectively against our technology on which we are increasingly dependent,” he said. “Attacks against a single institution or organization where there is a disruption, and which disrupts a lot of downstream organizations.”
Wice agrees, adding that businesses and individuals are more exposed than ever to computer incidents involving social engineering or cybercrime that capitalize on human error.
“During the pandemic, that was largely about remote access, open ports and phishing,” he said. “People [could be] looking at a map that was sent to them showing where the cases were and the death rates in certain jurisdictions, and voila, there’s a bad link in there. And that’s how a lot of these attacks happened from March 2020.”
On a positive note, said Marc Voses, partner at Clyde & Co., all of this has led to greater public awareness of cyber incidents, with more and more companies trying to strengthen their cybersecurity posture.
“Not a day goes by that we don’t see an article or a newscast that basically says companies need to get their homes in order when it comes to cybersecurity,” he said.
And businesses are largely listening, Sylvestro agreed.
“I think we are reacting by going towards education, and I think that is a very good thing,” he said. “And I just hope we keep doing it because the cyber risk doesn’t go away. We are not going to stray from the use of computers, the use of e-mail, the processing of data.”
Sylvestro said the best way for policyholders to make sure their coverages are as strong as possible is to take a close look at the exposures insurers are asking them to reduce.
“Insurers don’t tell us to do these things just so that we have one more thing to add to our checklist,” he said. “They do it because they don’t want to have to face a loss and our customers don’t want to have to face a loss.”
Without good cyberhygiene, policyholders “will find themselves at the mercy of the market,” he added. “And I can tell you from experience that this is not a fun place to be.”
Herring added that it is important for policyholders to take steps such as using strong passwords, securing poorly configured ports or machines within their network, patching vulnerabilities, and using a minimum number of privileged accounts to manage their network.
“I think the good news is that it is possible to prevent most ransomware attacks, or at least for organizations to significantly reduce their risk of experiencing a ransomware attack,” he said. “And if they do experience a ransomware attack, it is possible to significantly reduce its impact, either by intercepting the attack earlier in the process or by having good backups from which the company can recover.”
More questions than ever
For insurance agents, on the other hand, the challenges of cyber coverage are just as critical.
“It’s complex. It is complicated. It’s hard to understand,” Sylvestro said. “There are more questions now than there ever were.”
For this reason, he said it’s important for brokerage houses and agencies to invest in education and understand what cyber risk really is.
“I would just like to encourage everyone in the industry to take the time to really invest in your education, to invest in finding new ways to find out more about this space, whether it’s reaching out to hand to insurers,” he said. “A lot of insurers do a lot of cyber risk education, and they’re happy to share that because they see a vested interest in it as well.”
Voses added that cyber insurers can protect their own risks in this area by updating policies as necessary with language that reflects current exposures. This can help avoid problems when policyholders do not have coverage in a necessary area or when silent coverage is provided under a cyber policy that was not provided by the insurer.
“A lot of these policies have been on the market for years now,” he said. “Some of these have not been given a refresh or a review of the covers provided.”
Additionally, it may be important to address the scope of coverage and include any relevant exclusions or sub-limits as part of a policy refresh, Voses said.
“I think it can be easy to feel like trying to fill a cup of water deep in Niagara Falls in this space right now,” Sylvestro added. “And the better equipped we are as brokers, the more symbiotic our relationship will be in placing risk.”
Wice said that for underwriters it’s just as important to react to losses as it is to try to avoid them in the first place.
“It’s about trying to understand where the losses are and yes, it’s somewhat reactive, but it’s the goose that lays the golden eggs to try to understand what the next threat will be,” he said.
Not an insurmountable risk
While Herring said that DFS rated cyber as “the biggest risk to the financial services industry as a whole” right now, it’s not necessarily an insurmountable problem for insurers, especially the big players in the industry.
“But it’s a difficult problem because it’s an area where change is happening quickly,” he said.
The best thing insurers and policyholders can do is stay vigilant, he explained.
“One of the things I come across is what I see as a feeling of cyber-fatalism,” he said. “If you are not a professional working in this field every day, you are probably learning a lot of what you know about cyber from major current events.”
Herring said this can lead to a biased perspective in which cyber risk seems like an impossible mountain to climb.
“For every SolarWinds-type attack… there are 99 other cyberattacks, the vast majority of which use well-understood and proven hacking methods,” he said.
In fact, in its analysis of cyber incidents affecting DFS regulated entities this year alone, Herring said the regulator found that many hackers were using the same basic manual, with the number one attack method being phishing in which email is generally used to solicit personal information by claiming to be from a trustworthy sender.
“I think what we hope people take away from this is that despite what you read in the news, you can actually reduce that risk,” he said. “You can protect yourself from most of the attacks that most organizations face most of the time.”
However, that doesn’t mean insurers and their clients can learn about cyber risk just yet, Sylvestro warned.
“I think whenever we feel like we have some sort of control, or we have real compensating controls, the threat actors also keep investing in their craft,” he said. “So I think it’s important to understand that when we talk about ransomware, we are not talking about this type of static threat. It is something that grows, evolves and changes, and we must continue to be vigilant as we deal with this as an industry. Otherwise, we could easily end up far behind the eight, even further than we are now.”