Insurers are becoming increasingly concerned about changing trends in ransomware demands. For a long time, extortion attacks were mostly brought against small to medium-sized organisations, and the ransom demands were relatively modest. Neither of these is the case any longer.
Over the past 18 months, malicious actors have increasingly focused on “big game hunting”. Ransom attacks are targeting much larger organisations, and this is resulting in an explosion in the financial amounts demanded. Losses have also risen dramatically due to the emergence of double and triple ransomware attacks which focus on publication extortion and re-infection threats. Reputational embarrassment, that is, attackers obtaining information that businesses would very much prefer to keep private, is now a common element of most major cyber events. Our own work shows the main source of recent claims and cyber events has involved ransomware attacks.
While Australia has seen a relatively modest rise in the frequency of cyber claims since the advent of COVID-19 across the globe, the financial severity of each incident has risen dramatically. This has been attributed to various factors such as integration and digital changes driven by work from home (WFH) environments, employee cyber security risks, the use of bring-your-own and insecure devices, supply chain risks, heightened strain on technology and information security teams, as well as heightened malicious actor activity.
Why do ransomware attacks succeed?
Many successful attacks still occur because of basic failures in an organisation’s risk management strategy, including lack of staff awareness, inadequate training of employees, failures to focus on email-based security, limited controls to prevent phishing attacks, unsupported and legacy systems, and a reliance on flat IT environments that do not provide appropriate data and segregation controls.
Some observers, looking at the COVID-19 issues, have also pointed to potential cultural failings – employees not having had the same cyber-awareness focus and hygiene when working from more remote and home environments. Malicious actors are also increasingly deploying measures that obfuscate malicious code and relying on malware that automatically collects data and information from infected organisations.
Insurers are also grappling with changing attacker methods which can include a focus on commercially sensitive and embarrassing data held by organisations as well as specific searches to identify whether targeted and breached organisations hold sensitive data.
Major liability issues for impacted organisations
One of the biggest challenges for insured organisations is the sheer number of work streams they need to manage when a catastrophic cyber event occurs. Some of these streams are obvious, such as the need to forensically investigate an incident and understand potential privacy obligations. However, other common streams include support in dealing with malicious and ransom actors, the payment and reimbursement of ransom demands, recovery and restoration of crippled IT systems, support across incident mitigation processes, navigating regulatory obligations, addressing potential third party liabilities and resolving business interruption. It is the aggregate of all of these issues together that makes cyber events a catastrophic challenge for organisations to manage.
There are also significant changes happening in the consequential and legal risk space. Legislation changes have been foreshadowed across privacy enhancements, critical infrastructure security obligations, and potential new laws regarding the public reporting of ransom payments. There has also been renewed focus on cyber event related directors’ liabilities, consumer protection law requirements, and what quality of information should be publicly disclosed following a cyber event.
So, what are the key issues for businesses to be aware of during a cyber incident response and insurance claim process?
Insured organisations need to harmonise their insurance policy obligations with their incident response and business continuity processes. All wordings will have language that requires an insured to engage, communicate and seek consent from their insurer when they make decisions which will impact elements of coverage or fuse a cyber event loss.
Cyber events are unique in that event losses are front loaded, and decisions that need to be made in the first 12 or 24 hours can have a drastic impact on incident triage, recovery and financial harms.
A second challenge occurs where and when an insured may stray outside of the bounds of strict policy coverage. A common example occurs when an organisation elects to rebuild or strengthen its IT environment, beyond what was in existence prior to the incident. Often an organisation will have good reasons to make this decision, but they should be aware that strengthening costs incurred may be considered a betterment, and result in at least part of the restoration expenses being uninsured.
Managing the claims process
Providing support to the information technology team and senior leadership of an impacted organisation, and avoiding bottlenecks, is critical, particularly during the first 24 to 48 hours of an incident. Organisations may also need support in terms of managing vendors, coordinating internal and external resources and balancing the competing set of priorities they face during a cyber event, from availability concerns and legal risks to communications and reputational threats.
Organisations also need to carefully consider the malicious attackers involved, including how they engage with them, whether trust can be placed in them to follow through on promised actions if an extortion payment is made, and how to deal with threats of re-infection or double extortion.
Prevention is better than cure
When it comes to risk management, many organisations can make significant cyber maturity gains by focusing on low-hanging fruit. Many cyber events still occur through basic failures that could be readily identified and fixed.




