
Spotlight on Ransomware and Cyber

David Price

Updated: Nov 10, 2021


1) Background

Cyber insurance has been around since the late 1990s. It started in the form of network liability, which covered the exposure of transferring a corrupt email from one company to another and the resulting expenses. In the following years, network liability evolved into a cyber policy with both first- and third-party elements, including many additional component parts that were excluded by other insurance policies. Examples of the broadening of the policies were data breach notification / credit monitoring, media liability, social engineering, and business interruption, to name just a few. Most of these policies have performed well for both the insured and the insurers providing the coverage.

Breach expenses and fines were the big concern of clients to start with, as a result of large numbers of high-profile events. However, more recently ransomware and malware have increasingly been in the news, with hackers extorting demands for a reward to unlock systems. The reward is normally payable in bitcoin or other cryptocurrencies, which has helped to accelerate this behaviour due to the difficulty in tracing the monetary reward. This has been a headache for insurers, as these large one-off pay-outs were never really priced for when these policies were first written.

In 2021, cybercrime is projected to cost the world an estimated 6 trillion dollars. To put this into perspective, if you converted this sum into an economy, it would be ranked the 3rd largest economic power! The outcome, therefore, is a dramatic hardening of the cyber market, with limits for ransomware / extortion being drastically cut or reduced altogether and limits being reduced.

We are all now so heavily reliant on the connectivity of the internet; sadly, we cannot operate in any business without it. Therefore, we need to focus more heavily on good risk management strategy, just like in all other areas of our business, especially when it comes to the security of our systems and maintaining them in constant operation. Due to the oversupply of competitively priced cyber insurance, is there an imbalance between the reliance on this insurance and the risk management / security resources put into safeguarding our IT systems? In Spotlight this month we will explore this subject in more depth.

2) Firstly, a quick overview of Cyber - First and Third-Party Coverages

First party coverages are for those damages an organisation may incur (Incident Response, Cyber Crime – social engineering and ransom, Business Interruption, regulatory fines etc). Third party coverages are included as well, covering not only the regulatory liability aspect, but also the event that the organisation is responsible for causing a cyber incident to another organisation and is liable to indemnify them for negligence or error. This also includes identity theft damages that an individual may incur because of a data breach.

Cyber policy key definition of terms

  • Breach coach – coordinates the efforts of the forensic, public relations, legal and Credit monitoring.

  • Business interruption – provides cover whilst your system is down due to the unauthorised access.

  • Credit monitoring is offered to data owners to try to offset reputational harm.

  • Forensic expenses – expert will determine whether the system was compromised, and data accessed.

  • Legal expenses – you will need legal representation in order to determine the scope of federal or state requirements for breaches.

  • Liability and defence costs – it is not uncommon for class action lawsuits to be filed against you, this will cover your costs to defend.

  • Malware - software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

  • Network liability – the liability arising from transferring a virus or malware to another company

  • Notification expenses – expense required to send mail, call centres etc.

  • Public relations firm – mitigates the reputational harm and handles the press releases.

  • Ransomware – a type of malicious software designed to block access to a computer system until a sum of money is paid.

  • Regulatory fines and penalties – if legal to insured, will cover any fines from governing bodies in relation to the breach. Such as FTC, PCI, HIPAA, or a state or federal body.

  • Social engineering - is the process of manipulating people so they give up confidential information.

3) Some of the high profile ransomware cases in 2021

  • AXA – 3TB of data stolen – Avaddon gang

  • Acer – USD50m - REvil

  • Brenntag – USD4.4 million – The DarkSide gang

  • CNA – locked down 15,000 devices

  • CD Projekt – nothing paid so far – HelloKitty gang

  • Colonial Pipeline – USD4.4 million – The DarkSide gang

  • JBS Foods – USD11million - REvil

  • Kia Motors – USD20million – DoppelPaymer gang

  • NBA – 500GB of info stolen, no ransom so far paid - Babuk

  • Quanta – USD50million - REvil

These are just some of the high-profile cases; there are many more.


4) How do the hackers know who buys ransomware cover?

There has been lots of discussion and suggestions that hackers break into the sources listed below to try and find out the buyers of cyber coverage. If correct, cyber criminals can generate their own pipeline of targets as they know the ransoms will more than likely be paid, due to being insured.

  • Dark web

  • Insureds

  • Insurers

  • Retail brokers

  • Wholesale Brokers

It appears that hackers have a pipeline of targets as well!

5) What methods do hackers exploit?

  • Holes – Looking for creative ways to get into the system; these are clever people.

  • Human error – reacting to a phishing email, leaving a laptop on a train. Busy people are easy to manipulate.

  • Open doors – weak passwords, ports on laptops and PCs open and not locked down.

  • Vulnerabilities – items that aren’t well protected. The "Target" breach was caused by Target giving an HVAC company system access; the hackers then targeted this subcontractor.

6) Security

Think of the IT system in your company as your very own “Tower of London” housing the Queen’s “Crown Jewels”, surrounded by a moat, and having multiple lines of defence. Wouldn’t you want:

  • All windows and doors locked

  • The Jewels checked every second of the day

  • All security people checked, double checked, and verified

  • Cameras everywhere

  • All security systems checked daily

  • Security people checked weekly

This is the same as your IT system: you should do as many security checks as possible with process and practice. Sadly, too many of us leave a window open or the door on the latch and experience “IT security lethargy”, thinking it will never happen to us, which the hackers then swoop in on and take advantage of.

7) What risk management tools can be utilised to defend companies?

  • Asset and Non owned Asset management – making sure devices for decommissioned employees are taken offline as soon as possible.

  • Anti-Virus – these will look for known viruses, however, new ones may slip through if these aren’t logged in their directory

  • Endpoint Detection and Response (EDR) – works by consolidating the data on all endpoints, finding the endpoint that has been compromised and then responding.

  • End Point Security (EPS) – everything is locked down and protected on each end point device (laptops, desktops, phones, iPads & servers). No applications or programmes can execute or operate without first being approved and trusted. Works using a zero trust policy.

  • Multi Factor Authentication – enable MFA on all cloud-based systems to provide another layer of security

  • NGAV – next generation anti-virus, uses AI, machine learning and behaviour detection to update its directory. It will analyse the behaviour and threats on one endpoint.

  • Patching software – to fix security vulnerabilities

  • Strong contractual language - on all contracts between customers, suppliers, and contractors. When was the last time you reviewed your terms of business language with mitigating cyber risk as an objective? Do you make all contractors have a cyber policy etc. Do you review all other contracts and ask how you can mitigate your cyber exposure?

  • Stronger passwords – minimum of 16 characters

How many companies have a well-built IT risk management strategy/policy that is reinforced each day throughout the organisation? Think of all the openings that need to be managed in the firm.

8) End Point Security (EPS) systems – What is it? Have you heard of it before?

  • How many of us have heard of End Point Systems that work on devices both online and offline? Not to be confused with EDR systems.

  • This software works by not allowing anything to execute unless it recognises the code in its safe directory.

  • When installed, Trident Lockdown™ goes into learn mode; after that time it produces your trusted list, which consists only of safe applications.

  • Once your trust directory is filed after 7 days, then everything else is blocked.

  • Any programmes can be added after they have been tested and security verified as “safe”

A completely different pro-active way of securing endpoints

9) Trident Lockdown “End Point Security” system by GBMS Limited – overview

Trident Lockdown™ security as a service provides a unique zero trust, proactive and robust solution at the core of the computer operating system, known as the kernel level, that eliminates threats before a breach can occur.

  • Developed by the CIA now commercially licensed and undefeated

  • Prevents breaches and Zero-day attacks

  • Fast and simple to deploy

  • Low Computer power and memory usage

  • Trident Lockdown™ seamlessly integrates and co-exists with existing software and programmes

  • No requirement for your endpoints to be updated daily

  • Does not need to be online, connected to the internet or cloud services to stay protected

  • The security service package is based and costed on a 1, 3 or 5 year agreement

www.gbmstech.com/trident-lockdown

10) Who buys Trident Lockdown?

Deployed in over 6,000 mid to large environments including:

  • US government contractors – who are being audited and will be mandated that they purchase Endpoint Security system on each device used from Jan 2022.

  • Military and critical national infrastructure.

  • High net worth individuals

  • Financial Institutions

  • Hospitals

  • Banks

  • Law Firms

  • Schools

  • Universities

  • Municipalities

11) What Cyber policy to ideally buy?

  • Policy with a very broad coverage all in one package (including Ransomware and social engineering) if available.

  • As much limit as you can afford or judge that you need against your balance sheet.

  • Low deductibles

The number of insurers offering this product is starting to reduce due to ransomware losses, or insurers are making significant changes in their underwriting strategy.

12) What to buy in a dislocated insurance market?

A. Cyber from your existing carrier if they are still able to provide cover on the same terms and conditions.

B. If ransomware isn’t available, then consider buying a cyber policy (without ransomware) from a traditional market provider (as it would be advantageous to retain as many of the additional coverages as possible) PLUS a standalone ransomware policy from Volante Global.

C. If no cyber coverage is available, then consider buying a cyber policy from Volante Global. Cyber policy terms and conditions would be slightly more restrictive. https://volanteglobal.com/underwriting/volante-cyber-lockout/

In the last two instances, this would mean the client having to buy Trident Lockdown™ security protecting every endpoint connected to their network (including laptops, desktops, phones, iPads & servers).

13) What type of clients buy Ransomware only policies from Volante Global?

  • Coverage is available to all industry types including Municipalities

14) What type of clients buys Full Cyber policies from Volante Global?

  • Coverage is available to all industry types except for Municipalities

15) Profile of a client

  • Clients who would prefer to prevent disruption to their business and avoid malware and ransomware from doing damage rather than merely relying on the insurance to repair the damage after the event

  • Clients who recognise the truly unique malware/ransomware-blocking capabilities of Trident Lockdown

  • Any client who would prefer to keep the principal insured cyber perils in one carrier (excluding activities that may be considered moral hazards)

This could be the only solution if the client wants to maintain their ransomware coverage and traditional coverages aren’t available.

Contact:

Richard Daniel

Email: Richard.daniel@fenchurcbroking.com

David Price

Email: David.price@fenchurchbroking.com


 
 
 



©2020 by Fenchurch Broking Ltd.
