Category Archives: Cyber Risk

Brokers, Policyholders Need Greater Clarity on Cyber Coverage

By Loretta Worters, Vice President, Media Relations, Triple-I 

Despite the prevalence of cyber threats and the increasing number and severity of incidents, directors, officers, and C-suite executives remain too much in the dark when it comes to cyber risk and insurance, Risk & Insurance writer Alex Wright reports in this month’s cover story, Vigilance Demanded.

While specific policies are available to cover the risk, many policyholders still expect to be covered under their property and liability policies — but are not. Risk & Insurance, an affiliate of the Institutes and the Triple-I’s sister organization, notes that commercial insurance policies still suffer from a lack of clarity regarding damage from cybercrimes.

Confusion around coverage can lead policyholders to experience unexpected coverage gaps.

“In a best-case scenario, a cyber incident may trigger coverage under multiple insurance policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple insurance policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”

Of particular concern to insurers is silent – or “non-affirmative” – cyber risk, in which potential cyber-related events or losses are not expressly covered or excluded within traditional policies. In such cases, insurers can end up having to pay unexpected claims for which the policies weren’t adequately priced.

“Cyber risk is present in just about every insurance policy now,” said Tracie Grella, AIG’s global head of cyber insurance. “But because it hasn’t been factored into the underwriting of standard policies such as property, or properly identified, assessed, priced for and put into the aggregation model, it presents a huge systemic risk that can’t simply be ignored.”

Silent cyber first manifested in the WannaCry, Petya and NotPetya cyber-attacks of 2017, which devastated everything from shipping ports and supermarkets to advertising agencies and law firms, the article explains. The resulting losses from the encryption of master files and subsequent Bitcoin ransom demands for restoring access were the costliest on record, surpassing $3 billion.

Underwriters, brokers, and policyholders need to understand how ever-evolving risks and legal frameworks will affect their policies. They also need to keep themselves apprised of the scale of the problem and understand the most common misconceptions and coverage disputes around silent cyber.

More on cyber from Risk & Insurance

  • 5 Tips to Get the Board Invested in Cyber Risk Management
  • Why Every Company Needs a Cyber Attack Response Plan No Matter Their Size — and Helpful Tips to Get Started
  • No One’s Safe from Cyber Threats. Train Your Employees to Defend Your Company Now or Risk Millions
  • Managing Cyber Risk for Mid- and Large-Sized Companies: Why Each Requires a Specialized Approach

More from the Triple-I Blog

  • Cyber Risk Gets Real, Demands New Approaches
  • Businesses Large and Small Need to Be Cyber Resilient in a COVID-19 World
  • Victimized Twice? Firms Paying Cyber Ransom Could Face U.S. Penalties

Cyber Risk Gets Real, Demands New Approaches

With the cyber risk environment worsening significantly, a recent A.M. Best report says, “prospects for the U.S. cyber insurance market are grim.”

The recent proliferation of ransomware attacks leading to business interruption and other related hazards has caused cyber insurance – which began as a diversifying, secondary line – to become a primary component of a corporation’s risk management and insurance purchasing decisions.

Consequently, the A.M. Best report says, insurers urgently need to reassess all aspects of cyber risk, including their appetite, risk controls, modeling, stress testing, and pricing, to remain a viable long-term partner for dealing with cyber risk.

Cyber insurance “take-up” rates (the percentage of eligible customers opting to buy the coverage) are on the rise, according to a recent Government Accountability Office (GAO) report – to 47 percent in 2020 from 26 percent in 2016. This increased demand has been accompanied by higher prices for cyber insurance, as well as reduced coverage limits for some industry sectors, such as healthcare and education. In a recent survey of insurance brokers, the GAO says, more than half of respondents’ clients saw prices rise 10 to 30 percent in late 2020.

“The rate increases for cyber insurance outpaced that of the broader property/casualty industry, but the increase in cyber losses outstripped the rate hikes, which suggests more trouble for 2021 as ransom demands continue to grow,” said Sridhar Manyem, director, industry research and analytics at A.M. Best.

The A.M. Best report says the challenges the cyber insurance market faces include:

  • Rapid growth in exposure without adequate underwriting controls;
  • The growing sophistication of cybercriminals, who have exploited malware and cyber vulnerabilities faster than companies, many of them late to protect themselves, have been able to respond; and
  • The far-reaching implications of the cascading effects of cyber risks and the lack of geographic or commercial boundaries.

In April, Federal Reserve Chairman Jerome Powell said cyberattacks are the foremost risk to the global financial system, even more so than the lending and liquidity risks that led to the 2008 financial crisis.  

“The world evolves, and the risks change as well and I would say that the risk that we keep our eyes on the most now is cyber risk,” Powell said. “There are scenarios in which a large financial institution would lose the ability to track the payments that it’s making, where you would have a part of the financial system come to a halt, and so we spend so much time, energy and money guarding against these things.” 

The Fed chief’s concerns have since been borne out by attacks on Colonial Pipeline, JBS SA – the world’s largest meat producer – the New York City Metropolitan Transportation Authority, and others.

More recently, FBI Director Christopher Wray compared the current spate of cyberattacks with the challenge posed by the Sept. 11, 2001, terrorist attacks. He said the agency was investigating about 100 different types of ransomware, many tracing back to hackers in Russia.

As we’ve written elsewhere with respect to natural catastrophes, it seems the world has entered a phase in which the traditional emphasis on risk transfer through insurance products is no longer sufficient to address today’s complex, interconnected perils. A focus on resilience and pre-emptive mitigation is in order, and insurers are well positioned to serve not only as financial first responders but as partners in managing these evolving hazards.

Ms. Winnie Tsen, Assistant Director, Financial Markets and Community Investment, U.S. Government Accountability Office (GAO), was one of the key contributors to the GAO’s May 2021 report on cyber insurance.

Man-made and Natural Hazards Both Demand a Resilience Mindset

This weekend’s ransomware attack that forced the closure of the largest U.S. fuel pipeline provides another powerful illustration of the need for a resilience mindset that applies to more than just natural catastrophes.

Colonial Pipeline Co. operates a 5,500-mile system that transports fuel from refineries in the Gulf of Mexico to the New York metropolitan area. It said it learned Friday that it was the victim of the attack and “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.”

Individually, the event demonstrates the threat cybercriminals pose to the aging energy infrastructure that keeps the nation moving. More frighteningly, though, it is yet another example of how vulnerable the complex, interconnected global supply chain is to disruptions of all kinds – a message that isn’t lost on risk managers and insurers.

Last year, a ransomware attack moved from a natural-gas company’s networks into the control systems at a compression facility, halting operations for two days, according to a Department of Homeland Security (DHS) alert.

The DHS alert, which described the attack on an unnamed pipeline operator, said that although staff didn’t lose control of operations, the company didn’t have a plan in place for responding to a cyberattack.

“This incident is just the latest example of the risk ransomware and other cyber threats can pose to industrial control systems, and of the importance of implementing cybersecurity measures to guard against this risk,” a CISA spokesperson said at the time.

Not just energy companies

It isn’t only energy and industrial companies that need to be paying attention. According to cyber security firm VMware, attacks against the global financial sector increased 238 percent from the beginning of February 2020 to the end of April, with some 80 percent of institutions reporting an increase in attacks.

“Cyber is an existential issue for financial institutions, which is why they invest heavily in cyber security,” says Thomas Kang, Head of Cyber, Tech and Media, North America at Allianz Global Corporate & Specialty (AGCS). “However, with such potentially high rewards, cybercriminals will also invest time and money into attacking them.”

He points to two malware campaigns – known as Carbanak and Cobalt – that targeted over 100 financial institutions in more than 40 countries over five years, stealing over $1 billion.

An AGCS report shows technical failures and human error are the most frequent causes of cyber claims, but the financial impact of these is limited:

“Losses resulting from the external manipulation of computers, such as distributed denial of service attacks (DDoS) or phishing and malware/ransomware campaigns, account for the significant majority of the value of claims analyzed across all industry sectors (not just involving financial services companies).”

According to the report, regulators have turned their attention to cyber resilience and business continuity.

“Following a number of major outages at banks and payment processing companies, regulators have begun drafting business continuity requirements in a bid to bolster resilience.”

Not just cyber

The COVID-19 pandemic has taught the world a lot of lessons, not the least of which is how vulnerable the global supply chain – from toilet paper to semiconductors – is to unexpected disruptions. Demand for chlorine increased during 2020 as more people used their pools while stuck at home under social distancing orders, and homeowners also began building pools at a faster rate, adding further to demand. Such disruptions can ripple through the economy in different directions.

Business interruption claims and litigation have been a significant feature of the pandemic for property and casualty insurers.

When the container ship Ever Given got wedged in the Suez Canal – one of the most important arteries in global trade – freight traffic was completely blocked for six days. Even as movement resumed, terminals experienced congestion, and the severe drop in vessel arrivals and container discharges at major terminals aggravated existing shortages of empty containers available for exports. The ship’s owners and the Egyptian government remain locked in negotiations over compensation for the disruption, and the ship is still impounded.

Spurred in part by this event, the Japanese shipping community is considering alternative freight routes to Europe, both reliant on Russia: the Trans-Siberian Railway and the Northern Sea Route. Neither option is devoid of risks.

In an increasingly interconnected world, there is no bright line distinguishing man-made from natural disasters. After all, the Ever Given grounding was caused, at least in part, by a sandstorm. April’s power and water disruptions that left dozens of Texans dead and could end up being the costliest disaster in state history were initiated by a severe winter storm.

A resilience mindset focused on pre-emptive mitigation and rapid recovery is called for in both cases. There is no “either/or.”

Businesses are urged to take steps immediately to mitigate massive data breach tied to Chinese hackers

The alarm about the ongoing hack of Microsoft Exchange Server, which began as early as January, appears quite justified. Microsoft believes a state-sponsored Chinese group called Hafnium orchestrated the attack that exploited flaws in Exchange software to gain access to email accounts and install unauthorized software, gaining full control of affected systems.

Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, according to Microsoft.

In a tweet, the United States Cybersecurity and Infrastructure Security Agency (CISA) urged “ALL organizations” across “ALL sectors” to follow its guidance to address the email software’s vulnerabilities.

The number of U.S.-based organizations affected is estimated to be at least 30,000, while worldwide that number is close to 100,000. The vulnerability can be exploited to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack. CISA advises business leaders at all organizations to ask IT personnel to immediately address this incident or get third-party IT support.

A Hafnium attack should trigger any cyber insurance an organization has in place, according to Lockton, an insurance broker. Lockton recommends that organizations contact their insurer only if they discover that the vulnerabilities being exploited are present in the system. If an attack is underway, it should be reported to cyber insurers immediately.

Businesses Large and Small Need to Be Cyber Resilient in a COVID-19 World

By Loretta Worters, Vice President, Media Relations, Triple-I

Advanced Persistent Threat groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Weak and stolen passwords, back doors, application vulnerabilities, malware and insider threats have been among the most common causes of data breaches in the past. But according to a recent Willis Towers Watson report, new threats include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure;
  • Malware distribution, using coronavirus or COVID-19-themed lures;
  • Registration of new domain names containing wording related to coronavirus or COVID-19; and
  • Attacks against newly and often rapidly deployed remote access and teleworking infrastructure.

Security breaches have increased by 67% since 2014, yet businesses fail to take the proper precautions. Ransomware has become big business for “professional” criminals, crippling large and small businesses alike. But small businesses are especially attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.

A remote workforce due to COVID-19 has made many organizations address issues of remote access and the need for multifactor authentication and virtual private networks (VPNs). But others – less cyber savvy – have left themselves exposed to cyberattacks.

In addition, vishing (via telephone) and smishing (via text message or WhatsApp) attacks have also increased in frequency, and in a work-from-home environment where colleagues and clients are increasingly connecting via mobile phones, vulnerability increases, according to a new Aon report. Short message attacks will generally seek to redirect a victim to a compromised website in order to harvest user credentials.

According to a recent survey by the Small Business Administration, 88% of small business owners felt their business was vulnerable to a cyber-attack – and that was before the pandemic. Yet many businesses can’t afford professional IT solutions, have limited time to devote to cybersecurity, or don’t know where to begin.

In observance of National Cybersecurity Awareness Month, Triple-I offers U.S. businesses these seven tips for improving their cybersecurity and averting data breaches:

  1. Understand your cyber risks. Businesses are vulnerable to cyberattacks through hacking, phishing, malware, and other methods.
  2. Train Staff. Those engaged in cyberattacks find a point of entry into a business’ systems and network. A business’ exposure can be reduced by having and enforcing a computer password policy for its employees.
  3. Keep Software Updated. Businesses should routinely check and upgrade the major software they use.
  4. Create back-up files and store off-site. A business’ files should be backed up either to an external hard drive or to a separate cloud account. Taking these steps is vital to data recovery and the prevention of ransomware. Ransomware is when a cyberattack results in a situation where a business is asked to pay a fee to regain access to its own data.

Victimized Twice? Firms Paying Cyber Ransom Could Face U.S. Penalties

Recent advisories from two U.S. Treasury agencies – the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) – indicating that companies paying ransom or facilitating such payments to cyber extortionists could be subject to federal penalties are a reminder of the importance of good cyber hygiene.

The notices also underscore businesses’ need to consult with knowledgeable, reputable professionals long before a ransomware attack occurs and before making any payments. 

Ransomware on the rise 

In a ransomware attack, hackers use software to block access to the victim’s own data and demand payment (usually in Bitcoin or another cryptocurrency) to regain access. It has been a growing problem in recent years, and such attacks have intensified since the COVID-19 pandemic has led to many people working from home for the first time.  

The FBI warns against paying ransoms, but studies have shown that business leaders today pay a lot in the hope of getting their data back.  An IBM survey of 600 U.S. business leaders found that 70% had paid a ransom to regain access to their business files. Of the companies responding, nearly half have paid more than $10,000, and 20% of them paid more than $40,000. 

Sanctioned entities 

The OFAC advisory specifically targets transactions benefiting individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). 

If you pay ransom to anyone in these categories, you could be fined or even jailed for breaching the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA). Penalties can vary widely, depending on the circumstances.

How is a business owner to know?  

“Companies should rely on experts to assist with their due diligence and work with the FBI,” writes law firm BakerHostetler in a recent blog post. “Experience in incident response is key, and your counsel should be an informed, confident partner as you navigate this rapidly evolving area.” 

“Before a payment is made,” the law firm writes, “a company generally retains a third party to conduct due diligence to ensure that the payment isn’t being made to a sanctioned organization or a group reasonably suspected of being tied to a sanctioned organization. Additionally, checks are in place to ensure that anti-money laundering laws are not being violated.”

Many insurers are working with their clients to put such practices in place and taking a variety of other steps to address the threat of ransomware attacks. Cyber-insurance premiums started rising 5% to 25% late last year, according to Robert Parisi, U.S. cyber product leader at insurance broker Marsh & McLennan. Parisi called the increases “dramatic” but said insurers have not scaled back coverage. 

Marsh has issued a client advisory – What OFAC’s Ransomware Advisory Means for US Companies – explaining what U.S. businesses need to know about the OFAC advisory and the importance of completing an OFAC review before payment of ransom demands. Marsh’s advisory also makes recommendations for re-assessing ransom incident response plans, mitigating ransomware risk, and preparing for and recovering from ransomware and cyber extortion attacks.

Ransomware claims rise in severity since start of pandemic

During the last week in September, Universal Health Services Inc., one of the largest hospital chains in the United States, began taking some ambulances out of service because of disruptions caused by a ransomware attack. Universal said no patients were harmed, but systems that support medical records, laboratories and pharmacies were taken offline at approximately 250 facilities.

This incident is part of a disturbing trend of healthcare institutions being targeted by ransomware attacks as the software used by hackers becomes more sophisticated and their attacks broader.

While cyber insurance claims impacted businesses of all types and sizes, certain industries, including consumer businesses (retail, hospitality and food), healthcare and financial services, were more frequent targets of cyberattacks in the first half of 2020, according to a recent report by Coalition, a provider of cyber insurance.

Overall, ransomware (41 percent), funds transfer loss (27 percent), and business email compromise incidents (19 percent) were the most frequent types of loss—accounting for 87 percent of reported incidents and 84 percent of claims paid in the first half of 2020.

“We’ve seen a sharp increase in ransom demands over the past quarter as threat actors have exploited COVID-19 and changes in company operating procedures. Although the frequency of ransomware claims has decreased by 18 percent from 2019 into the first half of 2020, we’ve observed a dramatic increase in the severity of these attacks,” said the Coalition report.

Since email is the single most targeted point of entry for a hacker, taking a few basic email security measures and implementing an anti-phishing solution would go a long way toward securing your business from criminals.

Coalition reports that, for each claim processed, cyber insurance played a critical role in helping the insured recover operationally. For example, a nonprofit organization providing child and family services grants to other nonprofits was duped into transferring $1.3 million to criminals. Coalition worked with law enforcement and the financial institutions involved to recover the stolen funds.

Senate Panel Meets On COVID-19 Fraud

The Senate Judiciary Committee last week held a hearing titled “COVID-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic.”

The hearing included testimony by William Hughes, associate deputy attorney general, U.S. Department of Justice; Craig Carpenito, U.S. attorney, District of New Jersey; Calvin Shivers, assistant director, Criminal Investigative Division, Federal Bureau of Investigation; and Michael D’Ambrosio, assistant director, U.S. Secret Service, Department of Homeland Security. 

Testimony focused on the response to fraud that has resulted from the COVID-19 pandemic. Examples included sale of fraudulent personal protective equipment (PPE) and cyber-enabled fraud; price gouging and hoarding; and fraud relating to the CARES Act’s Paycheck Protection Program (PPP). 

As demand for PPE has been greater than the supply, the environment created has been “ripe for exploitation,” Shivers said.  

In addition to sales of counterfeit PPE, he cited “advance fee” schemes – in which a victim prepays for goods like ventilators, masks, or sanitizer that are never received – and business email compromise (BEC) schemes, which involve spoofing an email address or using one that’s nearly identical to one trusted by the victim to instruct them to direct funds to bank accounts controlled by the fraudsters.

Shivers said the FBI is working to educate “the health care industry, financial institutions, other private sector partners, and the American public of an increased potential for fraudulent activity dealing with the purchase of COVID-19-related medical equipment.”  

He added that millions of units of PPE have been recovered from price-gouging and hoarding operations and the FBI is working to determine next steps for how to redistribute or sell the PPE. 

D’Ambrosio said that although “criminals throughout history have exploited emergencies for illicit gain, the fraud associated with the current COVID-19 pandemic presents a scale and scope of risks we have not seen before.” 

He described four categories of threat: 

  1. COVID-19-related scams, including the sale of fraudulent medical equipment and nondelivery scams;
  2. Cybercrime like BECs, exploiting increased telework;
  3. Ransomware and other activities that could disrupt pandemic response; and
  4. Defrauding government and financial institutions associated with response and recovery efforts.

Thus far, the Secret Service has initiated over 100 criminal investigations, prevented approximately $1 billion in fraud losses, and disrupted hundreds of online COVID-19-related scams, D’Ambrosio said. 

CORONAVIRUS WRAP-UP: PROPERTY AND CASUALTY (4/21/2020)

Automobile Insurance
  • Acting on ‘Thin’ Data, Auto Insurers Retain Flexibility With Premium Credits
  • Speeders Take Over Empty Roads — With Fatal Consequences

Business Interruption
  • Triple-I Economists: Enforced COVID-19 Business Interruption Payouts Would Damage Industry
  • Fight Over Pandemic Insurance Intensifies
  • Restaurants vs. Insurers Shapes Up as Main Event In D.C. Lobbying Fight

Cyber Risk
  • Hacking Against Corporations Surges as Workers Take Computers Home

Directors & Officers
  • D&O Insurance May Help Non-Public Companies With COVID-19 Claims

Financial Impact
  • Despite Recent Market Rally, Pandemic Will Continue to Hit Insurers’ Investments
  • COVID-19 to deter M&A activity in 2020: Conning

Kidnap & Ransom
  • Pandemic Exposes Organizations to Kidnap for Ransom Risk

Litigation
  • U.S. Businesses Bring Wave of Class Action Lawsuits Against Insurance Companies for Denial of Business Interruption Claims in Wake of COVID-19 Pandemic
  • Hiscox Faces Legal Action From Chef Raymond Blanc: Reports
  • Ending Virus Shutdowns Too Soon Poses Legal Risk for Businesses

Reinsurance and Insurance-Linked Securities
  • Lack of Exclusions, Poor Wordings the COVID-19 BI Threats to Reinsurers & ILS

Workers Compensation
  • Utah Passes Bill to Provide First Responders With Comp for COVID
  • Comp Premiums Likely to Dip as Employment Declines: NCCI

From the Triple-I Blog:
  • Mixed Reactions to Workers Comp COVID-19 Expansions

CORONAVIRUS WRAP-UP: PROPERTY AND CASUALTY (4/17/2020)

Auto Insurance
  • Stay-at-home Pandemic Orders Reduce Auto Claims Almost by Half
  • As Coronavirus Empties Streets, Speeders Hit the Gas

Business Interruption
  • UK Watchdog Orders Insurers to Pay Small Business Claims Quickly

Cannabis Insurance
  • Pandemic Could Shrink Cannabis Insurers’ Premiums, Market

Cyber Insurance
  • Preventing Losses Due to Growing Cyber Crime During Coronavirus Crisis
  • As Attacks Rise, Paladin Offers Cybersecurity Platform Free to Insurance Agencies

Disaster Preparedness
  • ‘Uncharted Territory’ as Wildfire Fighting Adapts to Pandemic

Insurance-Linked Securities
  • Artemis Live: Interview with Tom Johansmeyer, Head of PCS

Litigation
  • Nashville Bar Sues Insurer Over COVID-19 Loss Claim. Experts Say It Won’t Be the Last
  • Businesses Warn Fear of Liability Lawsuits Could Stall Rebooting of Economy

P/C Industry Impact
  • Suddenly There is Big Demand for Pandemic Cover, Says Underwriter
  • Chubb CEO: Forcing Insurers to Pay Pandemic Loss Claims is ‘Plainly Unconstitutional’
  • Allianz CEO: Pandemic Hit “Like a Meteorite”
  • From Hacker Attacks to Shareholder Lawsuits, Insurance Industry Braces for COVID-19 Fallout

Public Health and Safety
  • What FDA Says About Food Safety Amid COVID-19

Travel Insurance
  • Travelers Consider Their Risk Tolerance
  • Holiday Hell: How to Get a Refund on Your Holiday if It’s Cancelled and How Long Should It Take to Get Cash Back

Workers Compensation
  • Workers Compensation in Wake of COVID-19

From the Triple-I Blog:
  • Insurers Respond to COVID-19 (4/17/2020)
  • Triple-I Briefing: Surplus Is Key to Insurers Keeping Policyholder Promises
  • Putting Car Insurance Prices Into Perspective