Fighting back against ransomware | Insurance Business America



Are companies finally getting the message to prepare for ransomware attacks? With the pandemic’s arrival and more people working from home, the number of attacks grew and with it came more awareness of the problem, something Taylor Downhour, Lead Underwriter – Cyber & Tech, at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas, believes is a positive sign but not one that should lead to complacency.

“We noticed a decline in ransomware frequency in quarter two of this year. We have seen previous quarterly fluctuations and they are usually temporary so we’re hoping this decreased frequency will trend into 2023,” she said. “But we know ransomware isn’t going away and will continue to be a threat.”

Indeed, while there has been a decline in ransomware incidents, there has not been a decline in the severity of those incidents.

“We still see limit losses into the millions,” Downhour said.

New targets and new strategies

Criminals have been targeting smaller companies and holding them hostage until a ransom is paid. CPLG is now seeing double extortion attacks, where hackers take things a step further.

“In addition to the encryption of systems and data, hackers are also now exfiltrating the data,” said Downhour. “Threat actors are taking that data outside of the network, and threatening to either sell or publish that stolen data. This can lead to an increase in notification and/or breach support and credit monitoring expenses, thereby increasing the overall cost of a ransomware loss. The industries hit hardest include manufacturing and distribution.”

“If a target’s systems are encrypted, they can’t access their data, or if their assembly lines are down for a period of time, they can experience business interruption,” Downhour said. “Healthcare is another industry largely targeted with ransomware attacks, due to the large amount of personal health information (PHI) stored.”

When an assembly line goes down, that has an economic impact. But if a healthcare system is affected, the consequences could be dire.

“If a hospital or a healthcare entity suffers business interruption, it could be critical to someone’s safety,” Downhour said. “Given the safety critical aspect associated with business interruption and the large amount of PHI available for extraction, the healthcare industry has a high motive to pay the ransom and/or work towards resolving the issue as quick as possible.”

Cyber workforce

Rather than wait to fall victim to an attack, there are steps that both insureds and insurers can take to protect themselves.

“EDR (endpoint detection and response) and MFA (multi-factor authentication) can help prevent ransomware, whereas immutable and off-site back-ups don’t necessarily prevent ransomware, but they do help reduce the cost and severity of a ransomware attack,” Downhour said. Companies can also stay up to date on common vulnerabilities and exposures (CVEs) and education.

“We educate our clients on common attack vectors such as RDP (remote desktop protocol) and phishing,” she added.

CPLG has a Cyber Threat Intelligence Team that monitors and scans their insureds’ network for common vulnerabilities and exposures (CVE).

“It is made up of a group of cyber threat intelligence analysts,” she said. “And they monitor our portfolio. If there’s a critical CVE, they will scan and determine if any of our clients are vulnerable to that CVE and then alert them.”

They can also help remediate or refer them to a company that can offer a solution, if they don’t have their own IT department or resources.

“When I started in this industry, CPLG didn’t have a Cyber Threat Intelligence Team. In today’s day and age, with the evolution of cyber, it very much is something that is needed to help reduce risk,” Downhour said. “We really want our policyholders to feel like they’re in a partnership with us.”

So what’s the next threat she sees on the horizon?

“It’s a little hard to predict. Cyber is constantly evolving and changing and new technology is emerging which may lead to new threats,” she said. “What exactly those are is hard to predict. With the new hybrid work-from-home environment, there is potential for more data breaches and stolen laptops. We have individuals who used to work solely in the office and would never take their systems home with them. Now, they might be commuting back and forth to their house a couple of days a week. That poses a new threat into 2023.”

She said she also expects to see more CVE exploitation, business email compromises, and new hacker groups rising up to replace Conti, which ceased operations last May. However, there is one emerging threat that has caught her eye in particular.

“Widespread (catastrophic) malware events are a cause for concern,” she said. “An attack on a cloud computing provider, an email security provider, or a high-profile managed services provider (MSP) could be detrimental to not only that said provider, but to all their clients as well. This creates an aggregation exposure for insurance carriers. A loss stemming from a widespread malware event could easily reach into the tens of millions of dollars.”

Still, though, there is hope.

“Being aware of the known threats and having the adaptability to respond to the unknown threats is key,” Downhour said. “This is what is going to help both insureds and insurers.”

For more information on CPLG’s cyber insurance solution, click on: https://www.tmhcc.com/en-us/products/netguard-plus-cyber-liability

Taylor Downhour is a Lead Underwriter within Tokio Marine HCC’s Cyber & Professional Lines Group and has been with the company since 2018. Taylor is based out of the Atlanta office, where she provides client support and account servicing for the Southeast region. She specializes in first and third-party Cyber and Technology Errors and Omissions coverage. Taylor holds a B.S. in Finance from California State University Northridge.
