By Aaron Turner, Practice Group Leader – Management Liability
I am very lucky that my two elementary-school-aged sons are into baseball and had great seasons. Our family (dog included) was very much invested in baseball this spring and summer, and I realized early on that I wouldn’t have much time to consume much in the way of news and current events. So, I used the little time I had to focus on the latest news about cyber incidents and attacks. This included reading David Sanger’s “The Perfect Weapon,” published in 2018. The author details how nation-states, including the United States, have engaged in cyber actions against other countries and how those actions have raised the world’s cyber skill level. One negative impact is that threat actors’ skill sets have gotten way better, which has made cyber attacks more prevalent and harder to deter effectively.
These threat actors will target any group or individual that they feel will provide an opportunity for them to get information or access to systems that will lead to their financial gain, which relies upon another’s financial loss. There are resources out there to help mitigate or avoid these situations, but in many cases organizations are on their own. Whether it’s a manufacturer, school, law firm, an engineering firm, municipal government or other private, public or not-for-profit entity, they are responsible for their own cyber posture and security in most respects. For this reason, this article will focus on what your organization can do to enhance its cyber posture and make it more secure.
But before we get there, here is a summary of some of the resources available with a few snippets about what the U.S. Government is doing to confront international cyber threats.
The FBI has insight into different ransomware variants that can support a response to a threat actor while also providing information on what to expect, including, for example, a threat actor’s track record for producing decryption keys upon payment. Also, the FBI has extensive foreign banking contacts that it can activate to potentially help claw back funds sent to criminal actors that are then transferred overseas, making them more difficult to recoup. We certainly encourage organizations to engage government resources, including the FBI, in the event of a ransomware situation or a business email compromise or social engineering fraud instance.
There are other government-sponsored resources within the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency (CISA), which has put out many alerts, including recommendations on patches and general information for the benefit of the public. Later in this article, we refer to NIST (National Institute of Standards and Technology), which is part of the Commerce Department, and its Cybersecurity Framework, intended to be a model for preparing for and handling cyber incidents.
From an enforcement or deterrence standpoint, news outlets recently reported that President Biden pressed Russian President Vladimir Putin to act against groups conducting ransomware attacks from his territory.
The State Department has also explicitly accused China of being behind the Microsoft Exchange hack.
There is momentum growing for government agencies to better support private and public enterprises, but we feel that companies and individuals must take ownership of their security posture and invest in their ability to deal with any type of intrusion. This is not an easy task and can be daunting when we think about how much our lives and businesses revolve around accessing technology quickly and seamlessly.
So where do we start?
Well, it is important to understand the risk to at least a degree. If you compare the return on investment from spending time understanding a threat vs. spending time on preventative measures, we feel the greater return comes from working on those preventative measures. That being stated, to protect ourselves, we do need to understand what we are protecting against. One very valuable piece of information is the typical cost of current attacks. This can support preparation and response. While all hacks are different to a degree and the threat climate changes rapidly, we can look at averages to instruct our understanding. For example, as I was typing this, an email flashed across my screen with the following update from Business Insurance: “Average ransomware demands in the first half of 2021 almost tripled, to $1.2 million per claim from $444,498 for the comparable period a year ago.”
The article went on to note that this was down from the $1.3M average in the second half of last year. The report is based on the claims of 50,000 Coalition policyholders. Coalition is an insurtech cyber insurance provider based in San Francisco.
The future looks grim, which is why we feel compelled to write this. We’re seeing supply chain attacks across a diverse swath of industries. Impacted sectors include software (SolarWinds, Microsoft Exchange, Kaseya and Accellion), oil & gas pipelines (Colonial Pipeline), meat processing (JBS Meats) and insurance (C.N.A., in particular, has a significant number of trading partners, including us).
Based on these well-publicized attacks and those not publicized, what is the impact on the Cyber Insurance industry?
How much are cyber policies going up by?
Another Business Insurance article cited a Marsh report indicating that cyber insurance prices continue to rise, increasing 56% in the U.S. in the second quarter. This increase is driven by the “frequency and severity of ransomware claims.”
The price increases are coupled with carriers requiring more information to quote and bind cyber policies. Carriers are requiring their own applications to be completed and are changing terms & conditions if application responses aren’t favorable. This often occurs at binding, which leaves buyers in the difficult position of having to reconsider costs and terms after they have already reviewed indications.
Carriers are also imposing minimum security requirements. These are focused on the following:
- Multi-Factor Authentication (MFA) across the board – this is the big one
- Employee Phishing Training
- Defined limits on privileged access
- Segregated backups
- Endpoint Detection and Response (EDR) or other intrusion detection software
- Segregated Internet-accessible systems
- Turning off Remote Desktop
- Shutting down open ports
In addition to increased costs and additional security requirements, some carriers are limiting coverage. This can be seen in the form of ransomware co-insurance, increased retentions (both the waiting period a policyholder must observe before calculating revenue loss and the dollar amount a policyholder must pay on a covered loss before the carrier will start paying) and reduced limits in general.
What can you do?
- Make sure you have an Incident Response Plan. This is a plan containing critical information a company needs to access in the event of an incident or indicator of compromise (IOC). Once you have a plan, practice its implementation in a simulated situation. This is called a tabletop exercise.
- Engage in a security posture assessment where a firm comes in and performs an assessment to determine how well your systems can repel an attack.
- Use the data from the assessment to implement preventative measures (see carrier security requirements above for some good examples)
- Inventorying your assets can help direct protection to the most critical business operations. You can do this by ranking corporate assets by their value and prioritizing protection based on those rankings. Asset categories include people, information, technology and facilities.
- Another key component to making your organization more resilient is to make sure you have the financial resources to engage all the parties that would support you in the event of an incident or indicator of compromise. Many times a Cyber Liability Insurance policy is a cost-effective way to transfer a certain amount of risk off of an organization’s balance sheet. If you do make the investment in a cyber insurance policy, we recommend relying on your broker and taking the time to understand what’s covered and what’s not covered.
All the recommendations above will better serve an organization if they are coordinated. The obvious takeaway is that cybersecurity is important. For one final note on this, let’s consider China’s take.
Certainly, China has been pegged as a perpetrator of cyberattacks across the globe. Still, an interesting piece of news from late July reported that China’s Ministry of Industry and Information Technology had issued an action plan to develop the country’s cybersecurity industry, estimating the sector may be worth more than 250 billion yuan ($38.6 billion) by 2023. The article also reported that Chinese authorities had been stepping up efforts to effectively govern data storage, data transfer and personal data privacy.
Let’s consider what China is saying here. China sees the growth opportunity in the cybersecurity industry even while, or especially while, it may be a major player in creating many of those risks. Backing this up, we are seeing more and more of our clients and partners agreeing with China’s assessment and investing significantly in cybersecurity measures and their own posture. Security is a huge deal, and measured investment in cybersecurity posture can be an asset for those organizations that invest resources. There are always (at least) two sides in a cyber incident: if the group being attacked is better prepared, there will likely be a better result for that group than for the attacker.
For guidance on how to enhance one’s cybersecurity posture, we have included a chart of the NIST (National Institute of Standards and Technology) Cybersecurity Framework. NIST is part of the U.S. Department of Commerce, and its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.