One of the distinguishing features of the cybersecurity space is how beholden it is to those winds of change that buffet the wider risk environment. So, it is in line with its ambition of keeping the market informed of internal and external evolutions that DAC Beachcroft continues to dedicate thought leadership and specialist insight into the area of cyber and data risk.
In his role as DAC’s head of cyber and data risk Hans Allnutt (pictured above) heads up the primary response team under cyber insurance policies, and acts as the first responder to breach and cyber incidents, typically under cyber insurance programmes. The team sees between 200 and 300 breaches a year, he said, which allows it to track and analyse the wider trends sweeping the sector.
One such trend is the underlying causes of the attacks. The number of threat actor groups is growing, he said, and their motivations and ways of operating are also quite varied.
“The biggest trend last year and coming into this year was ransomware,” Allnutt said. “Some ransomware gangs are very sophisticated while others build the technology for other people to use. The beginning of this year is quite interesting as, if you track ransomware, it used to be that three years ago, the attackers got in and encrypted your systems and charged you a ransom for the decryption key – and nothing else.
“Then a year ago, they started stealing data as well. So you’d have the ransom attack and you’d contact the attackers and they’d say, ‘Oh, we’ve also stolen data’, and they would leak that online – so you’d get this double extortion. This year, interestingly, we’ve seen there’s a group going around just stealing data, but they’re stealing a lot of data. And they seem to have no compunction or thresholds in terms of leaking the data, so the amount of data leakage going on the dark web is quite significant.”
Ellie Ludlam (pictured immediately above), senior associate at DAC Beachcroft, noted that this group also operates on Facebook and Twitter, which is quite unusual. Normally, she said, you’d see a threat actor leak data on to the dark web as opposed to distributing it across mainstream social media platforms. Extortion tacts are also evolving as a trend, Allnutt said. Previously, the victim of a cyber incident would receive a ransom note that might connect them to an email address or instead demand that they log on to the dark web.
Now, the DAC team have seen that threat actors will sometimes ring up the reception of the targeted business, or even have somebody ring up the impacted business’s customers and tell them that the company has been hacked. Sometimes, they even contact the Press directly, he said, and inform them that the targeted company is not prepared to talk to them following the attack. As Ludlam highlighted, Allnutt said, some hackers are even using social media and leveraging social pressure in a bid to get companies to act.
So if the company that has been attacked makes the decision that they are not prepared to negotiate or engage but will rather keep the process internal, it might not be that simple anymore, he said. If the threat actor group responsible for the incident is utilising techniques such as the above, then the ransom process is going to play out in a much more public arena, with all the additional challenges that brings.
“The lack of the deployment of malware and the lack of encryption of data is interesting from an insurance perspective,” Ludlam said. “Because it typically means the business isn’t brought to its knees. Hans and I will often join ransomware breach response calls where the organisation simply can’t function because its systems have been brought to a halt. [For instance], there can be no manufacturing, because it’s all computerised, and the computers are down. And of course, the business interruption losses that would flow from that could be significant.
“Whereas if there’s no encryption of malware, the business continues running. The issue is more around PR, potential regulatory fines, and making data subject notifications but the business continuity point is less of a [consideration]. So, I think it’s quite an interesting development from an insurance perspective as well.”