In today’s interconnected world, where technology plays an integral role in our daily operations, we are more reliant than ever on a few consolidated technology providers. As Kristen Mickelson, (pictured above), cyber practice group leader at Gallagher Bassett, shared: “More entities are relying on fewer and fewer tech or IT products.”
While this consolidation can deliver benefits such as cost efficiency, enhanced integrations and streamlined workflows, it also heightens cybersecurity risks. A breach in one consolidated system can allow threat actors to do significant damage by gaining access to numerous organizations at once.
According to Mickelson, the primary method threat actors now use to infiltrate systems is by targeting vulnerabilities in VPNs.
“It’s a significant shift. In the past, threat actors often exploited open Remote Desktop Protocols (RDP), essentially gaining unauthorized access though ‘open doors’ found within a network,” she explained.
“However, current trends show that they are now infiltrating systems through Virtual Private Networks (VPNs) that lack multi-factor authentication (MFA), and phishing emails remain a common entry point for this,” continued Mickelson.
“I would characterize 2024 as the year where vulnerabilities in VPNs without MFA have become the new frontline in cyberattacks.”
One notable example is the Akira ransomware gang, which has attacked over 250 organizations across Europe and North America in the past year. The group primarily gains access through VPN services that lack MFA. Since its emergence in March 2023, Akira has amassed an alarming $42 million in ransom payments.
As shared by Mickelson, one reason groups like Akira have been incredibly successful is that the current cyber climate is shifting back toward favoring ransomware payouts.
Several years ago, when the conflict in Ukraine broke out, the volume of ransomware attacks and payments decreased due to sanctions placed on Russian entities and financial institutions under the OFAC (Office of Foreign Assets Control) do-not-pay list.
However, Mickelson noted the cyber landscape is now seeing a resurgence in ransomware attacks, driven by smaller, more decentralized groups. These smaller actors are able to negotiate more effectively, often leading to lower ransom demands, making them more successful in securing payouts.
“With that context in mind, from a claims perspective, regardless of where the ransomware group resides or how big or how small they are, we do not encourage our policyholders to pay,” shared Mickelson.
For brokers navigating cyber policies, Mickelson stressed the importance of ensuring ransomware coverage is explicitly included.
“Brokers need to assess whether the policy includes ‘pay on behalf of’ coverage, meaning the insurer will handle negotiations and payments, or if it’s a reimbursement policy where the client handles ransom payments and gets reimbursed afterward.”
She also urged brokers to ensure cyber policies include business interruption and restoration coverage as a fallback, should ransom payments be restricted due to OFAC or sanctions compliance.
