As 2016 winds down and the insurance industry begins to adjust its business and marketing strategies for the new year, cyber criminals are doing exactly the same thing – reviewing their successes and failures, attempting to maximize their ROI, and brainstorming ways to streamline their processes so they can work smarter, not harder.
Cyber criminals are also exploring new practices and forming their own mergers, building organizations capable of more sophisticated, specialized attacks. These changes will require organizations to implement better, stronger security controls and to become more attentive and agile in their reactions. This cycle should come as no surprise; it is Newton’s Third Law at work, a constant cycle of action and reaction.
So what will 2017 bring?
Ransomware
I first encountered a ransomware claim around 2009. It was for a website for a small business, which was surprising at the time. Since then, ransomware has become a go-to tool for many cyber criminals, working its way onto every security “top 10” list. Simply put, it is effective.
Some estimates have ransomware attacks increasing 10-fold over the next year, and that is one of the more conservative figures. Given that success, the increase in frequency is expected; it is the increase in demands that could prove more troubling.
Up until now, ransom demands have been relatively low and generally viewed as nuisance payments to regain access to information that is worth considerably more, in some cases millions of dollars. But it is widely speculated that, as these attacks increase, the cyber criminals behind them will also come to understand the value of the data they hold and how to capitalize on it. This will likely result in a sharp increase in the ransom amounts demanded.
Demands that were once $5,000 to $10,000 could increase tenfold or more. With FBI officials recently quoted as advising that payment may be the best option, these increases could have a profound financial effect, particularly on smaller companies that may not be able to meet large demands.
It should also be noted that the costs and damages do not end with the payment. Organizations must also deal with the time and labor involved in decrypting the data once the key is handed over, repairing brand damage, the resulting lost revenue, and the possibility of regulatory investigations. That brings us to another trend: regulation.
Cyber-Related Regulatory Enforcement
Cyber security compliance and regulatory enforcement are set to receive a lot of attention. What began with the FTC, OCR and SEC has grown into a constantly expanding list of regulators. In just the past six months the CFPB (Consumer Financial Protection Bureau) and the New York State Department of Financial Services were added to that list, the former with its first data security enforcement action and the latter with a newly proposed cyber security regulation.
As the agencies expand their security requirements in an effort to keep up with the hackers, compliance is becoming increasingly challenging for organizations. The FTC has been active in pursuing companies, citing violations for security failures and for deceptive practices such as misleading privacy statements and improper collection of information. And the OCR has been aggressively enforcing HIPAA violations.
Regulators are also widening their view by: 1) bringing new foreign cyber laws into enforcement; 2) voicing an interest in the small-and-medium-sized business (SMB) sector; and 3) voicing interest in regulating controls to prevent ransomware attacks. While multi-million dollar fines and penalties so far seem to be reserved mostly for HIPAA enforcement against healthcare providers, fines and penalties may increase across the board.
Trickle-Down Effect
Hackers and malware alike have a knack for locating the weakest link and the path of least resistance. It makes sense: as larger organizations employ stronger security and tighter controls, breach incidents will continue to trickle down to mid-sized and smaller companies, which are softer targets. This trickle-down effect will force smaller organizations to pay more attention to their network security practices and their cyber risks and exposures.
With human error often cited as the leading cause of intrusions, employee training will play an important role in security strategy. Some of the strict cyber controls and penetration testing once employed only by large companies and financial institutions will begin to work their way into mid-sized and smaller companies, and deservedly so.
Many studies already estimate that 50 percent to 80 percent of companies that have experienced a breach are small and mid-sized companies, yet these same organizations have been very slow to adopt meaningful cyber frameworks and policies. The increase in regulatory oversight will likely help expedite the adoption of stronger controls, especially as regulators set their sights on the SMB sector.
Smarter Malware and Viruses
Those unfamiliar with tech and cyber security might assume that viruses and malware are relatively unchanging, a digital file just floating in cyberspace, but that notion is false. Just like the apps on your iPhone, their designs are constantly being improved and modernized. Part of that improvement means a better ability to bypass firewalls and other defenses, easier execution, and better deception methods.
These newer versions are less resource-intensive, causing less slowdown and fewer red flags for the user. As a result, those infected may have little or no knowledge that their systems have been compromised. Because the malware is better at remaining undetected, late discovery could mean more files being infected or stolen, and the costs to organizations will rise.
Growing Cybercrime Marketplace
“Mask IP. Select file. Submit payment. Send.” This may be a gross oversimplification, but the truth is that deploying a directed attack today requires little more than a tool to mask your IP address and some bitcoin. The dark web used to be a secret corner of the internet reserved for governments and the elite of the tech underworld: a place where, among other things, personal information, malware and leaked data could be bought and exchanged freely on the black market with a strong degree of anonymity.
While the dark web is still bustling with activity, those marketplaces are no longer a secret. They have become increasingly accessible and user friendly, with reviews and feedback from purchasers creating something akin to a Yelp for the cybercrime market.
The growth of the cyber black market, coupled with the increased demand for fresh PII (personally identifiable information) and PHI (protected health information), will result in a flood of new malware and viruses, making it easier than ever for companies and their executives to be targeted.
Insider Trading and Market Manipulation
When the average executive or mid-sized company hears the term “security breach,” they immediately think of stolen PII, but those familiar with cyber security know that criminals are thinking well beyond that. Stolen PII is just the tip of the iceberg. These perpetrators are well organized and, like any well-performing business, are looking for maximum return on investment. Those at the top now have their eyes set on insider trading and market manipulation.
The year 2015 brought two such widely publicized breaches, carried out by two separate groups. In one, hackers obtained credentials through sophisticated spear phishing attacks in order to access and “weaponize” confidential information regarding upcoming mergers. In another, hackers gained access to newswire services that distribute corporate press releases, obtaining non-public corporate information, including sensitive items such as financial restatements, and traded on that information before its public release, making millions.
Given the opportunity for significant payouts, it is almost a given that these frauds will increase.
With most of these schemes executed through credential theft and carefully designed phishing campaigns, organizations should review their controls for preventing such attacks. Companies should also implement strong vendor security requirements to ensure that all partners and outside providers have adequate cyber security controls in place to detect, prevent and report any possible intrusions.
In the future, organizations will see an increase in intrusions that are better designed, trickling down to businesses that are less prepared to handle them. Even as regulators look on, cyber criminals will continue to build on their success and venture into larger money-making schemes such as market manipulation.
So what can companies do to protect themselves? Organizations of all sizes should implement stronger controls such as employee training, penetration testing, formal reporting procedures and vendor cyber security requirements. These controls should be coupled with well-tailored cyber insurance policies.
It has been voiced before, but not all cyber policies are created equal. Generally speaking, organizations and their brokers should perform careful reviews focusing on (among other items):
- True first party coverage with loss of income;
- Robust regulatory defense and penalty coverage (with policy wording that would include coverage for regulatory actions related to ransomware attacks, if possible);
- Coverage for ransomware attacks/cyber extortion;
- Coverage for “transmission of viruses to others”;
- Coverage for “failure to disclose a privacy incident”;
- Avoidance of any self-propagating code exclusion;
- Avoidance of any requirements to maintain minimum security standards; and
- Definitions that include CCI (corporate confidential information) and PHI.
Bundschuh is partner and commercial lines head at GB&A, an independent insurance brokerage located in New York focused on insurance programs and risk management solutions for tech companies, financial and professional services, manufacturers and product-based businesses. Website: https://www.gbainsurance.com/cyber-data-breach