2020 brings new challenges to businesses and institutions as cyber criminals’ methods continually evolve, with increasing sophistication in the delivery and impact of ransomware.
“These types of regulations mean that companies face large penalties and settlements when they fail to protect their data,” said Matthew Magner, the managing director in the cyber underwriting group with The Hartford. “Ransomware is the cause of many cyber attacks today because it makes it possible for cyber criminals to extort and receive payment in a nearly anonymous way,” Magner says.
What Is Going on in the Market Today With Ransomware
Ransomware attacks have evolved from the traditional spam-based approach to cyber criminals using more sophisticated hacking methods to compromise the system, learn what sort of infrastructure exists in the system and deliver ransomware in a more targeted way.
“These attacks are able to shut down the operations of the victim company. As a result, cyber criminals are able to demand very high ransom amounts, and now these amounts are frequently in excess of $1 million,” Magner explained.
Not paying the ransom is an option, but this can effectively cripple the network; efforts to recreate the data can be very costly, and the revenue loss from the resulting interruption can be substantial.
“Some companies are very good at maintaining up-to-date backups of their critical data, while other companies are not as diligent,” Magner noted. “Even with a very recent backup, a company may not be able to recover all of its data.”
Measuring the full financial impact of ransomware is difficult because we lack market-wide statistics similar to those gathered from data breaches, where reporting to the authorities is required.
“It’s hard to say exactly how severe the problem is, but we know it’s extremely widespread. We see it in reports from other carriers, as well as in our own portfolio. We are trying to get a better sense of how often attacks occur and the severity of losses at an industry-wide level, but it’s challenging,” Magner said. “The issues are real, and it’ll be hard to imagine that it won’t have some sort of impact on the cyber insurance market as a result.”
Resources and Support for Policyholders Who Run Into Trouble With Ransomware
The Hartford offers its customers a suite of proactive solutions to help prevent an attack, as well as reactive services in the event an attack does occur. One of the most important preventative services offered is anti-phishing training. Phishing, or sending malicious spam email, is one of the most common techniques used in ransomware attacks, and it’s getting more sophisticated.
“Training employees and IT administrators to recognize a phishing attack and ingraining the importance of not revealing login credentials can help mitigate the risk of ransomware attacks,” Magner said. “Another important service we have relating to leaked credentials is dark web scans.”
Batches of stolen passwords and logins are for sale on the dark web. The passwords on offer include manufacturers’ default passwords for network devices and services, and even admin passwords.
“The solution we offer with our insurance policies is a dark web scan and report. The report shows the company if they have had any credentials leaked or stolen and are available for sale on the dark web, which allows the company to change any compromised passwords,” says Magner.
Customers of The Hartford are also offered risk assessments that provide scans showing the outside perimeter of a company’s network.
“With this service, clients learn of their potential vulnerabilities, giving them an opportunity to address their weaknesses, whether that is changing a configuration to remove that vulnerability, disabling unnecessary network services or applying a specific patch,” Magner said.
Regulatory Changes Have Affected Data Breach Costs
GDPR can lead to substantial fines, and CCPA has made it easier for consumers to take legal action against companies that fail to protect their information and suffer a data breach as a result.
“Data breaches are going to get much more expensive for companies doing business in California and the EU, and beyond that we are generally seeing an inflation trend in data breach enforcement actions from the FTC and other agencies,” Magner said. “The most profound change introduced by the CCPA is that consumers are potentially no longer required to prove actual harm, which has been a major challenge for plaintiffs in previous data breach litigation.”
Cyber Coverage With The Hartford
There are changes coming in the insurance market when it comes to cyber risk. Silent cyber coverage, policies that don’t specifically cover or exclude cyber risk, is gradually being replaced with coverage that affirms or excludes cyber coverage.
“Just like other established carriers, the silent cyber issue is not new to The Hartford. For some time, we’ve been offering our customers add-ons to our standard insurance policies, that provide coverage for incidents, such as data breaches and ransomware attacks,” Magner said. “This gives our customers the flexibility to choose how they want to purchase cyber coverage, either as an add-on or as a dedicated cyber insurance policy.”
The information provided in these materials is intended to be general and advisory in nature. It shall not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) be an appropriate legal or business practice. The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations or operations are safe or healthful, or are in compliance with any law, rule or regulation. Readers seeking to resolve specific safety, legal or business issues or concerns related to the information provided in these materials should consult their safety consultant, attorney or business advisors. All information and representations contained herein are as of June 2022.