Photo by NordWood Themes on Unsplash
By Emily Payne | BenefitsPro
Despite concerted efforts by governments and law enforcement around the world, cyber threats are still very real. We’ve experienced another record-breaking year, both for the number of cyberattacks and record highs in ransomware payments. Companies of all sizes continued to deal with juggling a hybrid workforce, continuing security exposures caused by COVID-19 and a skills shortage, and audacious cyberattacks against our critical infrastructure.
A global pandemic proved to be no match for cybercriminals. If anything, the vulnerability, and uncertainty have fertilized a breeding ground for new attacks.
Ransomware isn’t going anywhere. The banking industry alone saw ransomware attacks increase by more than 1,300% last year, according to a Security Magazine report. And a report by Accenture indicated that insurance companies receive an average of more than 100 cyber-attacks each year, with 30% of the attempts being successful. The worst being the ransomware attack against CAN Insurance, which reportedly cost $40 million in ransom payments alone. One of the worst aspects of attacks against insurance companies is the theft of policyholder data, which contains a rich trove of personal information criminals can sell on the dark web and use to commit all manner of fraud.
Benefits organizations are particularly desirable targets because of the volume of personal identifying information.
Benefits organizations are particularly desirable targets because of the volume of personal identifying information (PII), personal health information (PHI), and personal financial information (PFI) being stored, driving up the cost of a breach. Too often companies allow years of data to accumulate in email as if it was their archive system. It’s not even safe to transmit documentation like tax returns and bank statements via email on a system that is inherently not secure.
Having scanned 100s of thousands of companies for security vulnerabilities, insurance companies are no different than companies in other industries when it comes to cybersecurity. More than half have serious vulnerabilities that hackers could exploit without trying very hard. And having studied the tactics used in hundreds of ransomware attacks, ransomware gangs have certain favorite attack vectors. Log4Shell made headlines when it was announced, and it is certainly being exploited, but there are several old favorites that are still surprisingly popular.
Vulnerable Microsoft Exchange servers are a favorite attack vector used by ransomware gangs. Proxy Logon and Proxy Shell are two Exchange vulnerabilities that were prevalent in March of last year, hitting government sites and servers globally. Unfortunately, we are still seeing that they are quite prevalent today among companies who have not prioritized cybersecurity.
The impact of all these attacks has certainly been felt by cyber insurers. With combined ratios of 100% or more in 2020, cyber insurance capacity dwindled. The hard market in cyber insurance has led to premium increases of 100% or more year over year for many policyholders. In addition, cyber insurance underwriting has become much more stringent in its risk selection, requiring stronger cybersecurity defenses, and in some cases, still only offering reduced coverage and lower sub-limits. The days of four question cyber insurance applications are over.
We work with many cyber insurers to conduct cybersecurity scans of prospects and policyholders. This type of external assessment is akin to the assessments done for property insurance, and perhaps less intrusive than a physical required for life insurance, but it’s basically the same idea. There are common risk indicators that can be ascertained to give underwriting insight into cyber risks that would otherwise be difficult to identify and evaluate.
1. Have you thought about your attack surface? No one wants to be low-hanging fruit for a cybercriminal. That’s why it is critical to know what your vulnerabilities are; but if you don’t know what digital assets you have, you can’t protect them. It is very common to find companies that don’t know where all their digital assets are, or which ones are exposed to the internet. That exposure is called your attack surface.
2. Have you started to mitigate your cyber risks? Once you’ve identified your digital assets, it’s important to prioritize and protect the ones that you can’t live without. Sensitive data? Critical systems? What are the threats to those assets and what are the best methods to mitigate the risks posed by those threats? Keep in mind that while hardening your exterior defenses is critically important, it’s not enough by itself. Phishing attacks are the launching point for a large portion of attacks, while internal threat actors (both malicious and accidental) make up 44% of financial services and insurance company breaches according to Verizon’s 2021 Data Breach Investigations Report.
3. What are you doing to identify, measure and manage your cyber risk? Cyber risk is not widely understood, even among companies that sell risk management products and services. Many companies are not adequately protecting their IT systems for their own company or accurately gauging their own cyber risk. Prevention is the name of the game. Use tools, take precautions, invest in the right technologies and train, train, train your people.
Not sure where to start? Here are some top actions to take immediately to secure better cyber insurance and protect your business.
Your cyber insurance company will very likely scan you as part of the underwriting process. Do it before they do. It is critical to know what your vulnerabilities are, but it’s also critical to know what your digital assets are. If you don’t know you have it, you can’t protect it. Scan regularly for asset discovery, for configuration errors and for vulnerabilities. Then make sure you have continuous monitoring of the alerts.
Once you have scanned and identified systems with critical issues that you need to patch or reconfigure, prioritize critical, high risk vulnerabilities and patch right away. Don’t delay or attacks will continue while you wait.
There have been numerous incidents where attackers broke through the initial security defenses but got stopped by multifactor authentication. Also, endpoint detection and response software is not the same as the traditional antivirus software of yesteryear. Today’s threat actors test their malware against all the major antivirus tools, so they are far less effective at stopping an attack than they once were. EDR, on the other hand, watches for behaviors and can automatically take action to stop attacks or disconnect systems from the network. These are critical advantages that are worth the extra cost.
And don’t forget to test your backups. Operate under the assumption that you will be hacked. Backup regularly, keep an offline copy, and test a restore from your backup.
First, get a cyber insurance policy with the right coverage. Make sure you know what resources the coverage provides and then put a solid incident response, disaster recovery and crisis communications plan in place. Train your team on these plans and exercise the plans every year.
Being aware of potential cybersecurity threats puts you in a better position to adopt the right preventative measures, which in turn will make you a better risk in the eyes of a cyber insurance underwriter. And remediation after a breach can come with a price tag as high as 30x the cost of prevention.
Cyber security issues won’t go away if you ignore them. Cyber insurance carriers are no longer the easy risk transfer solution for companies that undervalue the risk. Evaluate your risk, do what you can to reduce your risk and protect your business, and don’t be afraid to invest in the right technology or cyber security expertise.
An investment in cyber security will help you save on cyber insurance today and could save you serious money on remediation down the road after an attack that could have been prevented.
This article was written by Emily Payne from BenefitsPro and was legally licensed through the Industry Dive Content Marketplace. Please direct all licensing questions to legal@industrydive.com.