There’s no shortage of myths to be debunked to be found across the cyber insurance space, and the era of misinformation that is the COVID-19 crisis has only poured fuel on that particular fire. And as noted by the cyber development leader at CFC, Lindsey Nelson (pictured) in a recent interview with Insurance Business, the cyber insurance market has fostered a lot of conversations around the presumed direct correlation between COVID and cyber risk.
Find out more: Explore CFC’s market-leading cyber insurance proposition
“In fact, cyber claims have been increasing for years which we’ve seen from our own data as well,” she said. “The delta between claims frequency was actually much greater going from 2018 to 2019 than it was between 2019 and the year of the pandemic 2020. What COVID has done is increased businesses’ awareness that they have a cyber exposure.
“As you’ve had more clients purchasing cyber policies in the course of the pandemic than they ever have before, naturally cyber insurers are stating that cyber claims are going up. But if we use the true measure of cyber claims frequency, which is the percentage of policyholders who have had an incident, cyber claims frequency is fairly flat for us.”
Read more: What is actually fuelling cybercrime?
Rather than being COVID-precipitated, there is a perfect storm of several components that are impacting ransomware attacks and threats against businesses. Firstly the (fair) perception is that most businesses have weak security controls in place, she said, and criminals inherently are looking for the path of least resistance to financial gain. Small businesses are being hit by that perception and for their potential access as a gateway to larger organisations that are more difficult for threat actors to penetrate. More often than not small businesses do not have the multi-factor authentication or offline backups or advanced endpoint protection in place needed to mitigate an attack, which is why a lot of such businesses are increasingly buying cyber insurance.
Looking to the broader ransomware landscape, Nelson noted that a lot of recent industry conversations are now dominated by how targeted and severe ransomware attacks have become. Long gone are the days of 2017 discussions centred on the WannaCry and NotPetya attacks, she said, where average extortion demands against victims numbered hundreds of pounds. Now ransoms are being looked at in terms of hundreds of thousands if not millions.
“That’s a result of a few factors,” she said. “Firstly, the propensity of businesses to pay ransoms. A lot of that is particularly those that don't have access to the experts that come with a cyber insurance product, they will often make the decision to pay because they're not sure what the alternative is. But second to that is the data exfiltration element, which is a huge theme in a lot of the ransomware claims that we've seen at CFC over the last couple of years.
“That’s where to ensure that the criminals can make a client pay the ransom demand, they steal confidential data. So, there's the double extortion of them threatening to release that in order to incentivise a client to pay out of fear that confidential data will be broadcast in the public domain, and they'll get a lot of media scrutiny and it will have reputational impacts with both their client base and among their peers.”
Within the theme of the fluctuating propensity of clients to pay ransoms enters the role of cyber insurance in helping them make an informed and educated decision on whether that’s the right course of action. Cyber insurance is critical to helping insureds to do the right due diligence checks on this subject, she said, and to determine whether it’s even legally viable to pay a ransom demand, and where that money is being siphoned off to. And that’s something that can really only come from incident response specialists, which serve quite a different function to the IT department that a business usually has.
From catchups with CFC’s extensive cyber threat analysis team, Nelson noted that the biggest theme the group is seeing is the changes in how ransomware attacks are being carried out by threat actors. That’s where the most significant change in recent months has come, she said, and it is not being discussed enough in the wider market. There’s a lot of attention around open RDP ports within clients’ organisations and how criminals are exploiting these open digital doors and installing malware often in the form of ransomware on clients’ systems.
“But we've actually seen a huge shift away from exploiting open RDP ports to the growing use of exploiting vulnerabilities within the software that clients are using,” Nelson said. “We've seen recent studies that have shown that there's been a 300% rise in what we'd call zero-day attacks by criminals in the last year, and that's effectively a vulnerability that's discovered by the criminals within existing software before the software company knows about it as well and releases a patch for it.”
The market saw a perfect working example of this earlier in 2021 with the Microsoft Exchange ProxyLogon vulnerability, she said. CFC had hundreds of customers affected by that and its threat analysis team were able to scan, find those clients who were vulnerable to the incident and patch their systems the moment that patch became available to them. Open RDP now makes up less than a quarter of the attack vectors for ransomware that CFC is seeing, which was not the case just a year ago, and is a clear demonstration of the pace at which the cyber market moves.
“Criminal groups are quite well resourced,” she said. “They are growing organisations and for businesses that means that the criminals are able to move quite quickly onto new attack vectors, and they're able to work in a much more agile way than they ever have before. Our claims data stacks up just through those different ransomware varieties and the shift to exploiting vulnerabilities.
“And the implication for us from an insurance perspective is that implementing one particular security control or just asking for multi-factor authentication, or any single security control, is not going to solve the ransomware dilemma that the insurance market has, and cyber insurers ultimately have to adapt and be as dynamic as the claims landscape. So, it's really going to take a collection of security controls and basic minimum guidelines that we need clients to take on board as a measure of risk transfer, so we can future proof against loss and the new attack vectors that come up.”
You can find out more about how CFC protects businesses against cyber risk here