Biometrics and Financial Firms, Ransomware Variant Among Latest Cyber Trends: Chubb

August 28, 2019

State biometrics laws, a new ransomware threat and the targeting of financial institutions are among the recent trends in cyber risks, according to insurer Chubb in a new report.

The insurer cites a recent surge in lawsuits over biometric privacy. The situation is most evident in Illinois, which adopted its Biometric Information Privacy Act more than a decade ago to regulate the collection and use of a person’s “biometric identifiers” including face or retina scans, fingerprints and voiceprints. The law requires firms to notify customers and employees before collecting any biometric data and impose limits on the use and sale of the data. The Illinois law is currently the only state biometric law that provides for a private right of action, according to Chubb. Individuals can sue without needing to prove that they suffered actual damages. Earlier this year, the Illinois Supreme Court ruled that a suit can be brought even for a technical violation. Victims can receive statutory damages ranging from of $1,000 to $5,000 plus attorneys’ fees and costs. “Illinois courts have now seen an increase of BIPA-related litigation,” Chubb says, warning businesses in that state.

But the risk extends beyond Illinois. The insurer notes that biometric data regulation varies by state and that federal and international regulators have also shown interest, “so it is imperative that companies understand the legal requirements of each state and of the countries in which they conduct business.”

Earlier this month, a federal appeals court in San Francisco rejected Facebook Inc.’s effort to undo a class action lawsuit claiming that it illegally collected and stored biometric data for millions of users without their consent. The lawsuit was initiated in 2015 by Facebook users in Illinois.

The second cyber risk Chubb is warning about involves newly detected ransomware variant—iEncrypt. It is spread through existing malware, such as Dridex or Emotet. “Generally, the bad actor then explores the victim’s computer systems extensively before deploying iEncrypt. Once deployed, iEncrypt then acts to encrypt files individually, while also targeting and encrypting the victim’s backups,” according to Chubb.

This type of event can cause business interruption and potentially leave an organization with difficult options. “Given the ability to target and encrypt backups, victims of iEncrypt are often put in a position to either completely lose their data or pay the six to seven figure demands,” the insurer says.

Chubb says malware detection and regular backups of main systems are increasingly important to protect against data being held hostage.

While cyber risks exist for all businesses, the amount of financial transactions and the corresponding monetary opportunities for cyber criminals make financial institutions a prime target for bad actors. Chubb says that proprietary claims data from its Chubb Cyber Index shows that the median cost of a cyber incident has doubled for financial institutions in the past three years.

“Financial institutions were some of the early adopters of cyber security technology and training due to their central role in the economy and the need to protect their clients’ sensitive data,” said Michael Tanenbaum, head of Chubb Cyber North America. “However, we are seeing cyber criminals continually evolve in their methods of attacking the industry—meaning that the financial services space is still fertile ground for bad actors looking to exploit any gaps that they can find.”

Compounding this concern is that many of these attacks are preventable. Human error tops the list of cyber attacks hitting the industry, tied with hacking, accounting for 21% of cyber claims for Chubb’s financial institution clients in 2019. Rounding out the top three sources of cyber attacks is phishing and other forms of social engineering at 18%.

“In general, financial institutions are at the cutting edge in terms of cyber security software and processes,” added Anthony Dolce, vice president, Chubb Cyber Claims. “However, every day we see situations where one stray click on a well-targeted phishing email can result in losses of millions of dollars.”

Another report from Chubb earlier this year said that the average price tag for a business to recover after a cyber attack is $400,000, which the insurer added may be fatal for small-and-medium-sized enterprises. This hefty cost of repairing the business and its reputation is exacerbated by the frequency of cyber attacks, which are reaching 4,000 per day since Jan. 1, 2016, said Chubb, quoting FBI statistics.

Related:

Was this article valuable?

Here are more articles you may enjoy.