Are companies finally getting the message to prepare for ransomware attacks? With the pandemic’s arrival and more people working from home, the number of attacks grew and with it came more awareness of the problem, something Taylor Downhour (pictured), Lead Underwriter – Cyber & Tech, at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas, believes is a positive sign but not one that should lead to complacency.
“We noticed a decline in ransomware frequency in quarter two of this year. We have seen previous quarterly fluctuations and they are usually temporary so we’re hoping this decreased frequency will trend into 2023,” she said. “But we know ransomware isn’t going away and will continue to be a threat.”
Indeed, while there has been a decline in ransomware incidents, there has not been a decline in the severity of those incidents.
“We still see limit losses into the millions,” Downhour said.
New targets and new methods
Criminals have been targeting smaller companies, and holding them hostage until a ransom is paid. CPLG is now seeing double extortion attacks where hackers take things a step further.
“In addition to the encryption of systems and data, hackers are also now exfiltrating the data,” said Downhour. “Threat actors are taking that data outside of the network, and threatening to either sell or publish that stolen data. This can lead to an increase in notification and/or breach support and credit monitoring expenses, thereby increasing the overall cost of a ransomware loss. The industries hit hardest include manufacturing and distribution.”
“If a target’s systems are encrypted, they can’t access their data, or if their assembly lines are down for a period of time, they can experience business interruption,” Downhour said. “Healthcare is another industry largely targeted with ransomware attacks, due to the large amount of personal health information (PHI) stored.”
When an assembly line goes down, that has an economic impact. But if a healthcare system is affected, the consequences could be dire.
“If a hospital or a healthcare entity suffers business interruption, it could be critical to someone’s safety,” Downhour said. “Given the safety critical aspect associated with business interruption and the large amount of PHI available for extraction, the healthcare industry has a high motive to pay the ransom and/or work towards resolving the issue as quick as possible.”
Rather than wait to fall victim to an attack, there are steps that both insureds and insurers can take to protect themselves.
“EDR (endpoint detection and response) and MFA (multi-factor authentication) can help prevent ransomware, whereas immutable and off-site back-ups don’t necessarily prevent ransomware, but they do help reduce the cost and severity of a ransomware attack,” Downhour said. Companies can also stay up-to-date on common vulnerabilities and exposures (CVEs) and education.
“We educate our clients on common attack vectors such as RDP (remote desktop protocol) and phishing,” she added.
CPLG has a Cyber Threat Intelligence Team that monitors and scans their insureds’ network for common vulnerabilities and exposures (CVE).
“It is made up of a group of cyber threat intelligence analysts,” she said. “And they monitor our portfolio. If there’s a critical CVE, they will scan and determine if any of our clients are vulnerable to that CVE and then alert them.”
They can also help remediate or refer them to a company that can offer a solution, if they do not have their own IT department or resources.
“When I started in this industry, CPLG didn’t have a Cyber Threat Intelligence Team. In today’s day and age, with the evolution of cyber, it very much is something that is needed to help reduce risk,” Downhour said. “We really want our policyholders to feel like they’re in a partnership with us.”
So what is the next threat she sees on the horizon?
“It’s a little hard to predict. Cyber is constantly evolving and changing and new technology is emerging which may lead to new threats,” she said. “What exactly those are is hard to predict. With the new hybrid work-from-home environment, there is potential for more data breaches and stolen laptops. We have individuals who used to work solely in the office and would never take their systems home with them. Now, they might be commuting back and forth to their house a couple of days a week. That poses a new threat into 2023.”
She said she also expects to see more CVE exploitation, business email compromises, and new hacker groups rising up to replace Conti, which ceased operations last May. However, there is one emerging threat that has caught her eye in particular.
“Widespread (catastrophic) malware events are a cause for concern,” she said. “An attack on a cloud computing provider, an email security provider, or a high-profile managed services provider (MSP) could be detrimental to not only that said provider, but to all their clients as well. This creates an aggregation exposure for insurance carriers. A loss stemming from a widespread malware event could easily reach into the tens of millions of dollars.”
Still though, there is hope.
“Being aware of the known threats and having the adaptability to respond to the unknown threats is key,” Downhour said. “This is what is going to help both insureds and insurers.”
For more information on CPLG’s cyber insurance solution, click on: https://www.tmhcc.com/en-us/products/netguard-plus-cyber-liability
Taylor Downhour is a Lead Underwriter within Tokio Marine HCC’s Cyber & Professional Lines Group and has been with the company since 2018. Taylor is based out of the Atlanta office, where she provides client support and account servicing for the Southeast region. She specializes in first and third-party Cyber and Technology Errors and Omissions coverage. Taylor holds a B.S. in Finance from California State University Northridge.