Cyber security: getting ahead of the hackers
However familiar the (re)insurance industry may have become at covering cyber exposures, recent ransomware attacks have highlighted the sector’s own vulnerability to these risks
Cyber security: Need to know
• Data theft is the leading concern for businesses, followed by ‘man in the middle’ attacks and ransomware
• Remote working due to coronavirus has accelerated digitisation of the insurance industry, opening it up to greater cyber security risks in the process
• Ransomware attacks have increased in both frequency and the size of ransom being demanded
• The rise in the use of video-conferencing has widened the attack surface for cyber attacks
• A patchwork of legacy systems, built up through M&A activity, may heighten cyber exposures
• Nation-state attackers and cybercrime organisations offer the most serious threat, as they are likely to be highly skilled and well-resourced
• Email is still the preferred mechanism for distributing first stage threats and phishing attacks
• Data theft is a major concern for many firms, and the data stolen in cyber attacks takes many forms; LinkedIn has been used by ‘bad actors’ for intelligence gathering in order to improve phishing attacks
Cyber is one of the fastest-growing lines of insurance business of recent years, but the dangers of cyber crime can be even more immediate for the (re)insurance industry, since they relate not only to the aggregation of insurance risk and potential claims spikes, but also to threats to companies’ own data security, reputation and financial stability.
The insurance industry, like any other, has exposure to cyber risks via a number of avenues. Proprietary software, company websites and industry-wide placement platforms have all proved vulnerable to cyber attack, and interactions with clients and customers typically result in companies becoming the custodians, however briefly, of confidential data that – if compromised – can open them up to legal action and financial penalties.
And everyone in the company, from the CEO to the postroom staff, can leave the company open to attack, merely by clicking on a link in a phishing email.
However, it’s not all Mr Robot out there. While hackers like those featured in the USA Network series certainly exist, there are practical steps companies can take towards lowering their exposure to a range of cyber risks, improving their resilience in the event of an attack, and increasing their response and recovery times during and after an event.
According to Alastair Dickson, UK and Ireland enterprise sales manager at cyber security firm Sophos, data theft is likely to be the biggest concern for firms, threatening major repercussions in regulatory and reputational terms, plus damages and loss of trust from customers and business partners.
Second on the list of top cyber threats are so-called ‘man in the middle’ attacks, where criminals use fraudulent websites to intercept legitimate financial transactions and steal users’ credentials and funds.
Next comes ransomware. Research by Sophos found that 48% of firms in the global financial services sector were hit by ransomware attacks in 2019, with 21% of firms affected choosing to pay the ransom.
Dickson also highlights ‘insider threats’, which are typically accidental but can also be both intentional and malicious, where a rogue actor within a secured network is seeking to steal and possibly sell information.
Lastly, there are distributed denial of service (DDoS) attacks, where millions of IP addresses accessing a specific website at the same time can be used to overload the server and make it crash, preventing users from accessing their online accounts. However, DDoS attacks tend to be less prevalent these days, says Dickson.
While there have been a number of high-profile cyber incidents involving retailers, banks, hotel groups and internet service providers, there are also recent examples of companies in the insurance sector which have come under attack.
Most recently, Arthur J Gallagher & Co was hit by a ransomware attack in late September, which disabled its servers and forced the broker to take its global systems offline as a precautionary measure.
Back in July, DXC Technology, parent company for London market back-office services provider Xchanging, confirmed it had been hit by a ransomware attack, but said it was confident that the incident was isolated to certain Xchanging systems and that it didn’t have “any indication at this time that data has been compromised or lost”.
And earlier, in March, Chubb confirmed that it was looking into a potential cyber security incident, following a report from technology news website TechCrunch that the carrier had been attacked by ransomware group Maze.
“In the wider industry, we have seen the rise of ransomware variants that exfiltrate data prior to encrypting the system, such as Maze,” says Adelle Gruber, senior underwriter in the global cyber, privacy and technology team at Brit Insurance, who notes that, “Based on information in the public domain, Chubb’s cyber event was actually due to a third party provider, highlighting the need for good vendor management.”
While the Covid-19 pandemic has been something of a game-changer in accelerating the insurance industry’s move towards a digital future, it has also increased firms’ exposure to cyber threats with the sudden and widespread move to remote working.
“This presents a new challenge for businesses and their IT departments to allow enough access to ensure the smooth operation of the business remotely, whilst trying to prevent unauthorised access into their environment,” says Brit’s Gruber.
She says that, against this backdrop, there has been a marked increase in ransomware events, in both the frequency of events and the size of the ransoms being demanded.
“Over half of the organisations we recently surveyed admitted to being victims of a ransomware attack,” admits John Shier, senior security adviser at Sophos.
Andy Ng, cyber partner at consulting firm EY, cites EY’s latest Global Information Security Survey, in which it found that firms in the insurance industry, in common with many other sectors, have adopted “specific new technologies in response to mass remote working”.
“According to the research, 60% of companies surveyed accelerated or bypassed standard privacy and security reviews, and 52% of compliance leaders said the most-increased third-party risk for their organisation is cybersecurity,” Ng says.
One of the most obvious ways in which companies have introduced potential cyber risks through adopting new technologies is the move to a variety of video conferencing platforms.
“Meetings and conversations which would have previously been undertaken face to face are now occurring via the internet using IT platforms, some of which have had security vulnerability concerns publicly raised,” notes Gruber.
However, a firm’s own systems may also be vulnerable to attack, and its employees may inadvertently become the agents of a cyber incursion.
According to Bernard Regan, head of forensic technology in the global forensics consulting practice at business advisory firm Baker Tilly: “A lot of the cyber-attacks that we’re seeing in the market today are [against] huge interconnected networks spanning the world, [where] it’s very hard to maintain a security profile across every single site.”
The situation is further complicated by growing dependence on cloud computing. “The cloud is great, as long as it’s configured correctly and the security is implemented in the correct manner,” says Regan. “But don’t rely on cloud providers to do the security on their own, because they don’t understand your business.”
Ben Hobby, a partner at Baker Tilly with a focus on physical and non-physical damage business interruption risks, says it’s not only the size, but the way a company is structured that can complicate its cyber security, when you have “various different applications that have been shoe-horned together to talk to each other”.
“You also have businesses that have been built up over time by different investment decisions and acquisitions, with different applications, and they’re all being forced to try and talk to each other – so it is a bit of a house of cards.”
Hobby says the means by which ‘bad actors’ (i.e. cyber criminals) get into a company’s systems is typically because “an employee has done something they shouldn’t have done”.
“The level of sophistication that exists among these bad actors to encourage people to click on things that they shouldn’t do is consistently being amplified.”
Regan notes that with more employees working from home, the nature of firms’ cyber exposures has also changed.
“With people’s broadband at home maybe not being great, they are going to cafes and coffee shops, so laptop losses are still happening. There is also the traditional eavesdropping and shoulder-surfing. And people are more relaxed at home, so if that one email comes in with a dodgy link you might click on it.”
Shier says the cyber threat landscape has largely stabilised as - with a few exceptions - the prominent threat groups, threat types, and delivery methods have remained consistent for the past couple of years.
“The nation-state attackers are the most difficult to defend against, if it's even possible,” says Shier. “They are extremely highly skilled, endlessly patient and enjoy limitless resources. We can, however, learn from their past tactics and tooling, which ultimately end up in the hands of organised cybercrime.”
This second group are almost exclusively financially motivated, he says, and are responsible for most of the threats his firm encounters.
“Many of them are highly skilled and well-funded. They are continually looking for the next edge in defeating our defences - both tech and humans. They operate botnets and create most of the malware in the wild.”
The third group identified by Shier is low-skilled opportunistic groups and individuals, who largely “contribute to the rest of the noise and distraction in the threat landscape”, relying mostly on automation and older, over-used, and detectable tools.
He says that email continues to be the preferred mechanism for distributing first stage threats, whether from infected attachments or malicious links. Email is also responsible for phishing attacks where the goal is to harvest credentials for resale or use in potentially targeted attacks against organisations.
“Many large botnets, such as Emotet, are also used in spreading malware like banking trojans and ransomware,” he adds.
Data theft is a major concern for many firms, with the data stolen taking many forms: intellectual property, credentials, financial information, personal information, customer lists, state secrets, and so on.
Each type of data can be used to further the attack, published to harm the company, or sold to third parties. Or, as a double whammy, the theft can occur in conjunction with a ransomware attack.
“Other threats, such as credential stealers, keyloggers, and phishing attacks, all play a role in abetting data theft. As with ransomware, sometimes these threats operate in concert with each other,” Shier says.
Who is responsible?
The problem that many organisations face is that there is no clear allocation of responsibility for cyber security.
However, as Gruber notes: “Cyber security is not just an IT concern: it is a concern for all employees from the boardroom down. It is key to maintain regular training of staff on the emerging threats, including what to look out for and what to do if they spot something suspicious.”
The need for training is highlighted by the fact that social engineering campaigns have become more sophisticated, according to Gruber, “with bad actors using social media such as LinkedIn to improve their phishing attacks”.
EY’s Ng says that part of the problem is that cyber security is often regarded as just a bolt-on to existing physical security protocols.
“Our research suggests that only 36% of firms say cyber security is involved right from the planning stage of a new business initiative – anecdotally, this is lower within insurance - and this needs to change,” says Ng.
Historically, says Baker Tilly’s Regan, the responsibility for tackling cyber security has fallen to the chief risk officer, head of IT or perhaps the chief technology officer or chief information officer.
“I firmly believe that the cyber buy-in process is not being taken [seriously] from a business standpoint – it’s a hot potato,” he says.
Given the enterprise-wide risk presented by cyber exposures, it makes sense for security procedures to be determined and managed by a taskforce.
“We need IT, we need finance, we need marketing, we need business development people, we need strategists, we need the COO, the CFO,” says Regan. “It needs to be more collaborative, rather than passing it around individual people in their siloes.”
There are additional practical steps that can be taken to improve an organisation’s cyber security.
Gruber suggests “working towards a security framework”, such as that proposed by the US National Institute of Standards and Technology (NIST), which she says “would go a long way to improving [a company’s] resilience”.
EY’s Ng adds: “Knowing where your data is, is paramount, as is validating that understanding regularly with quantitative measures.
“It is also key that insurers have an up-to-date understanding of all the devices employees are using and what services and data they are accessing – this is particularly timely post-pandemic because of the new ways of working.”
Gruber says that Brit helps insureds to prepare for a cyber event with cyber fitness checks, training courses for employees, and incident response planning resources – including guidance on managing vendor risks.
Meanwhile, Sophos’s Shier lays out the requirements for a “solid foundation of security basics” in relation to a company’s cyber resilience.
Firstly, he emphasises the need for “training and awareness programmes, repeated security assessments, and code reviews”.
“It's not just about developing and deploying secure code, which is paramount, but also making sure that everyone knows they play a part in making sure Sophos is secure.”
He also advises making the most of existing security features in software used by companies, enforcing multi-factor authentication, and providing tools and applications for remote access and networking to avoid employees and third parties seeking these on their own.
And of course: “Make backups a priority, do it frequently, and periodically test them for efficacy.”
There are also various technologies that can be used to beef up your company’s cyber protections.
EY’s Ng references enterprise data loss prevention which, he says, “continues to provide critical insight into where data is and how it’s being used”.
“It doesn’t eliminate risk entirely, but it enables more intelligent decisions around timely breach notification, and can help accelerate [regulatory] compliance and measure user adherence to data security policy.”
Ng says another area to consider is AI and robotic process automation. “There are numerous opportunities to leverage AI algorithms, which can improve fraud detection and help analyse, predict and mitigate risks.”
However, he warns, privacy and ethical considerations must remain a priority in this regard.
Baker Tilly’s Hobby says another solution currently being discussed is behavioural analytics software, which monitors the activity of files in a computer network and, where they display aberrant behaviour, puts a stop to it.
As Hobby admits, the software is not cheap, but in the context of a large, multinational insurance company, with interconnected global systems, one ransomware attack has the potential to affect a significant proportion of the global business.
“For a large incident, recovering from ransomware will take six months at least – [consider] the business interruption costs of that versus the cost of implementing behavioural analytics,” he says.
He suggests that, too often, the C-suite looks at IT investment in terms of what it is going to add to the bottom line, rather than how the bottom line might be affected by a cyber attack.
“Ultimately, if it reduces your financial exposure, there is a tangible ROI on this type of [investment],” he says.
Sophos’s Dickson adds that many organisations are starting to consider so-called ‘human-led threat hunting’.
“Cyber attacks are becoming more complex and stealthy, and are often operated by human adversaries. It takes humans to hunt humans, to spot the anomalies and activity that advanced algorithms can’t,” he says.
So what approach should companies take before, during and after a potential cyber attack?
Ng suggests that, as a general plan, there should be a cyber “playbook and decision tree, which has been defined and rehearsed, and which feeds in to appropriate courses of action relating to triage, containment and neutralisation”.
He also advocates setting “roles and responsibilities within the firm to deal with the event; a strategy for issuing appropriate communications to employees, shareholders, customers and regulators; and a set regime for documenting the process”.
“How a company responds to a cyber incident is almost as important as avoiding one,” he says.
In the event of a cyber attack being discovered, says Brit’s Gruber: “This is the point where the company should activate their breach response plan, as detailed in the NIST framework above.”
“When deciding how to respond, it is important to note that there is some anecdotal evidence that payment of ransoms, which some companies believe to be the most economical way of getting their operations back online rather than restoring from back-ups, actually makes them more likely to be a target for another attack,” she says.
According to Gruber, there is a prevailing theory that the willingness of companies with cyber insurance to pay ransoms has been a contributing factor to the increase in ransomware activity.
“The more prepared a company is to recover from a cyber incident, the less likely they are to have to contemplate paying a ransom in order to continue trading,” she concludes.
Cyber security: Some practical steps
• Establish roles and responsibilities for internal actors who will respond to a cyber event and secure input from all areas of the business that may be affected
• Have a clearly defined and documented contingency plan for the triage, containment and neutralisation of cyber threats and the aftermath of any such incidents
• Know where your data is and validate regularly with quantitative measures
• Good vendor management is the key to managing third-party risks
• Keep track of all employee devices and services and data they are accessing
• Keep abreast of regulatory, privacy and ethical requirements, whether management and use of data or general monitoring
• Backup, backup, backup – and keep your backups secure (with at least one offline backup)
• Keep software and systems updated and consider turning on as many automated security systems as are practical
• Take advantage of your insurers’ cyber health check, staff training and crisis response offerings
• Consider further technological investment and measure the cost against prospective business interruption losses