Ransomware in 2021: Three Trends Cyber Insurers are Seeing Now

Lauren Winchester is Vice President of Smart Breach Response for Corvus Insurance. In this role, Lauren guides policyholders of all sizes through cyber security incidents, ensuring efficient coordination of counsel, digital forensics firms, and other key incident response resources. She also manages Corvus’s risk mitigation services, such as tabletop exercises and incident response planning, that are designed to minimize the frequency and severity of data breaches. Lauren has handled over 1,000 cybersecurity incidents for organizations in healthcare, financial services, higher education, retail, professional services and more.

The nation-state hack of SolarWinds, thought to be an act of espionage, has stolen the cybersecurity headlines so far in 2021. But if your work involves cyber liability we don’t have to explain that it’s ransomware that remains the major story from the perspective of those in the trenches. This particular category of malware may not be responsible for the majority of claims filed under cyber liability policies, but the eye-popping figures associated with these claims means they are the focus of any insurer offering coverage for cyber events. (According to broker Lockton, in 2020 ransomware caused 15% of claims, but 95% of the amounts paid.)

As has always been the case with cybersecurity and cyber insurance coverage, the only constant is change. What presented the most concern to underwriters regarding ransomware in 2019 is not the same as it is now. Staying ahead on the trends can help underwriters, brokers and policyholders to make critical adjustments to coverage, risk mitigation steps and claims management. The following are three of the major trends in ransomware in 2021.

Rising demands, rising costs – but perhaps a break in the clouds

Growth in total numbers of reported ransomware attacks has thankfully not kept up the torrid pace observed in 2019. But costs have exploded. As NetDiligence found, in 2019 overall costs of a ransomware attack increased 57% — more if business interruption costs are added. The growth in cost was driven in no small part by the ransom demands themselves, as the average ransom grew by a whopping 276% (3.75x) to reach $175,000.

The latest data, going up through the last quarter of 2020, showed that this trend continued through most of the year, finally tapering off in the last quarter. A report from Coveware put the average ransom payment at $154,108 for Q4 2020, a significant 34% drop from the previous quarter, but still much higher than the figures reported throughout the previous year (Coveware’s data, which differ from NetDiligence’s, put the average ransom at less than $100,000 at the end of 2019).

It’s too early to say that one quarter redefines a more than two-year trend, but it’s an encouraging sign that the average ransom payment may not continue to grow inexorably. In the meantime, the major story remains that the dollar figures we’re dealing with from ransomware operators are in a much different ballpark than they were just a couple of years ago. Corvus regularly sees demands in the seven-figure range, and eight-figure demands are unfortunately not uncommon.

Amid this gold rush of criminal ransom activity, the focus is increasingly on the largest ransoms — the ones really driving up the average, which sometimes reach into seven figures. These are amounts that would have made for the ransomware story of the year just recently. It’s rumored that Foxconn, the electronics giant, received a demand for $34 million in November 2020 — and that’s hardly the only eight-figure demand fueling the rumor mill.

With these figures, fewer victims are choosing to pay up, instead taking the risk of starting from scratch with whatever unencrypted data or backups managed to avoid the attack. In response, some ransomware groups may start to pull demands back to earth; others, however, turn to other tactics to add leverage to their demands, which leads us to the next trend: exfiltration.

Exfiltration

You’ll recognize the names from headlines if you follow cybersecurity: Ryuk, Sodinokibi, Maze. These were three of the most active strains of ransomware in 2020, whose operators have successfully stolen data from victims as a way to increase leverage in the ransom negotiation. (Maze later shut down as its operators moved on to using derivatives of the original software).

In some cases, attackers have been able to make money by auctioning off stolen data, even when they were thwarted in their attempt to get a ransom from the victim. Others have gone “back to the well” to get a second ransom by threatening to release sensitive data. A troubling new trend of using this exfiltrated data to contact customers or employees directly is starting to be reported (see next section). Exfiltration was used by roughly half of all ransomware attacks in 2020, according to Coveware.

While first experimented with by a handful of ransomware actors, most notably the Maze group, the success of the tactic has led others to take it up. Emsisoft reports that at least 17 ransomware groups were observed using exfiltration (or at least threatening it) by the end of 2020. Nearly 30% of Corvus ransomware claims in 2020 involved a threat of data exfiltration.

Responding to situations where data was exfiltrated has created another layer of complexity in breach response, so, as ever, the selection of experienced teams or coaches in managing response is critical.

Harassment

Typically a ransom demand is communicated through the screen of a hijacked device — thus the only people who know the specifics of the demand are employees of the victim organization, and then perhaps only select employees. But we are seeing a new trend in the way that threat actors leverage their ransom demands: by going straight to broader groups of employees of the organization or their customers to create an environment of urgency and perhaps even panic among affected groups.

By involving customers, or the employees of the organization, the threat actors hope to effectively recruit an army of individuals afraid of their data being publicized or experiencing fraud to further pressure a victim organization to comply with their demand. Messages sent by attackers even include calls to action, such as: “Call or write to this store and ask to protect your privacy!” The threat actors attempt to paint companies as irresponsible to their customers for not meeting their demands and potentially putting personal data at risk.

The data that enables this kind of tactic is normally sourced from attacks where unencrypted data is exfiltrated (stolen) from a company’s network. That data then becomes a tool extortionists use to broaden the scope of their attack. BleepingComputer reported on ransomware actor “Clop,” who used the tactic of directly emailing customers at a bank, a maternity store, and a manufacturer of jets. In the case of the jet manufacturer, Bombardier, Clop threatened to go to journalists first — but Bombardier had already been public about the hack. That’s when the threat actor decided to escalate the situation, and emailed customers directly.

We’re likely to continue to see a push and pull between attack trends and defenses. As more companies work to mitigate the impacts of ransomware by implementing IT security measures that limit how attackers can move within their systems, attackers are coming up with novel ways to increase leverage with whatever encryption or exfiltration they can accomplish.

Why technology is about to revolutionize the specialty commercial insurance market

Jonathan Sherling is the Head of Financial Institutions at Corvus Insurance. He has extensive experience working as a senior leader in professional lines, from commercial management liability to financial institution products. At Corvus, he leads the team working to broaden its portfolio of Smart Commercial Insurance products to include Smart FI Insurance. He is based in the New York City office.


It’s impossible to ignore how software has changed our world in the past decade — we now use ride-hailing apps for transportation, turn to streaming services for limitless entertainment, and track our food deliveries through third-party apps. Companies are pioneering new and evolving technologies as well as infrastructure to remain competitive. If they don’t, they fall behind — Blockbuster and cab companies can attest to the struggles of staying afloat once they’re competing against software-focused industry disruptors. The marketplace envisioned by Marc Andreessen when he wrote that “software is eating the world” back in 2011 is becoming evident in every part of our working and personal lives.

There are exceptions, however. Notably reluctant to evolve, most commercial insurers have shrugged off technological disruption, and remain behind the curve of incumbent businesses in other industries who are in some cases already several years into wholesale digital transformations.

The lagging pace in our industry is not for a lack of inspiration from closely-related fields. The past decade has seen the explosive growth of “Fintech”, with enormous investments in the banking and finance sectors. And within insurance there’s been significant tech investment in personal lines: at the time of writing, Lemonade has a greater market cap than The Hanover, Kemper, RLI and other household names. Hippo, Metromile and Root are notable additions to the insurtech push in this market. These success stories in banking, finance, and personal lines insurance have proven overwhelmingly that venture-backed, technology-driven businesses can penetrate highly regulated industries.

So why did commercial insurance get left behind? Let’s explore what has happened in other industries as a lens to see where opportunities lay ahead.

When Insurance and Finance Parted Ways

While the majority of the insurance industry remained stagnant from a technology perspective in the 1990s, we saw a dramatic shift in the functionality of tools employed in the banking sector during that time. Banks capitalized on software to enhance efficiency, while markets progressed to fully electronic trading. With the digitalization of portfolio management, as well as software simulations of trading positions and adverse events, the financial industry was able to redefine how it worked. The birth of “fintech” shortly followed, particularly in consumer-facing markets. We are now starting to see the marriage of fintech and traditional models as recently evidenced by companies like SoFi.

It’s notable that within fintech the businesses that have seen the most success are those that have acknowledged and embraced regulation. While there is some history of those within the fintech industry being blind to regulation — with a mantra of “we are not financial institutions” — those that have instead blurred the lines and coordinated with banks and regulators have been able to work collaboratively to create regulations specific to their offerings. It was long believed, both in finance and insurance, that if something was complicated enough, it was immune from the disruptions of the tech world. We can see that is no longer the case, especially if the tech is making complex processes easier.

Meanwhile, insurers in specialty commercial did little to invest in new technology to aid better risk analysis, risk selection, mitigation, modeling, stress testing and event simulation. Today, many insurers are not capitalizing on technology for underwriting, and some lines in specialty insurance continue to utilize processes that are completely manual. Looking at the success of Lemonade and others, we can assume that software and the use of data science for analytics and decision making will not be long in coming for specialty insurance.

One notable exception to this long-brewing dynamic is worth mentioning. Cyber-focused insurtechs have pioneered the use of public-facing security information about insureds to inform underwriting, risk selection and pricing while also providing security recommendations to aid with risk mitigation. As models like those used by tech-enabled MGAs continue to build sophistication by leveraging an increasing number of data sources, the marginal benefit to the combined ratio via lower loss and expense ratios will become increasingly evident. Traditional insurers will be hard-pressed to ignore these advancements when their businesses are held up to the light against the competition.

Tech, Meet Insurance

Insurtechs have seen success with new underwriting models and techniques driven by predictive modelling and harnessing real-time data. This allows them to view risk in an entirely new way, often more effectively. There’s no reason this approach must remain limited to lines like Cyber Liability.

D&O, for example, has decades of actuarial data and experience. Underwriters are drawn to measuring company solvency, sector exposure, the competitive landscape and so on. The underwriting information available to measure those metrics (in the case of private companies) is sometimes one or two years old, and may not be reflective of the current risk that company carries. Insurtechs are establishing new underwriting models and techniques that can harness real-time data, apply predictive modelling to that data and view the risk in a new paradigm.

Skeptics will assert that using different models to assess risk outside the existing framework is only worthwhile if it outperforms the existing framework it seeks to replace. That is a fair position; but we are well past the point in technological progress where the ability to harness data to better predict underwriting losses over time is in question. If such models haven’t been successfully demonstrated in real-world underwriting for a particular product, the question now is not if, but when, they will. Fintechs and insurtechs may have taken on simpler or more data-rich targets first, but with the concept now proven, there’s a playbook for more ambitious applications.

Even if one remains doubtful that technology will overhaul existing underwriting frameworks, there are a number of ways to harness data science while working within them. For example, insurers can use machine learning to digest material, such as the priorities document and subsequent updates or trends in SEC enforcement, as they are released, and automatically apply that logic to their underwriting model. A product manager now has more time to spend elsewhere: educating, drafting language, reviewing referrals and simulating the impact of hypothetical adjustments to underwriting appetite on the current or historical portfolio.

Although the technology described would surely allow overwhelmed underwriters and product managers to shift their focus beyond data gathering, data entry, and basic analysis to the more technical aspects of their roles — negotiating and executing complex transactions — the benefits extend beyond time efficiency. As the algorithms become more sophisticated, underwriting managers are able to better position their portfolios and aid product development. The utilization of data can help identify products, coverage sectors, attachment strategies and pricing elasticity — all of which can be simulated to establish the optimums in a predictive manner.

D&O, Ready for Tech

Traditional carriers risk being left behind as startups in specialty commercial insurance enhance the use of AI and data-science based tech to overhaul the underwriting process. At Corvus, we’ve seen how specialty insurance and technology work collaboratively and cohesively to provide brokers with actionable information that assists with risk management. We use data to provide our distribution partners and clients feedback on their risk and exposures, and transparency into our underwriting assumptions.

In other industries, we’ve witnessed how working with the rise of technology and software has enabled companies to innovate and succeed. We’ve also seen how a resistance to our evolving insurance marketplace has been commonplace (and still is) for many carriers. But if we look back at the evolution of fintech — where many startups are now collaborating with the banks themselves — we can see how the integration of technology and intricate processes is the future.

For more information on what Corvus has to offer in these areas, please visit our website.

Checklist for Becoming Cyber Secure

Mark Bassingthwaighte, Esq.

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, the nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.

NOTE: This material is intended as only an example which you may use in developing your own form. It is not considered legal advice and as always, you will need to do your own research to make your own conclusions with regard to the laws of your jurisdiction. In no event will ALPS be liable for any direct, indirect, or consequential damages resulting from the use of this material.

This checklist is intended to help those who have a desire to become more cyber secure know where to start. It may also be helpful in identifying areas of concern that can and should be discussed with IT support personnel. Most importantly, be aware that cybercrime attack vectors will continue to change and evolve as will the sophistication of the attacks. Becoming cyber secure is an ongoing process, not a once and done effort. That said, here are the basics; and note that when the word “devices” is used, this word is meant to include computers, servers, all mobile devices and any home computers that are being used for work.

____ Cyber criminals often target older devices and software, so keep hardware and software as current as possible because newer devices and applications typically include improved security features. Also note that software which is no longer supported, meaning security updates are no longer issued, cannot ethically be used.

____ Keep your server in a locked room because physical security matters!

____ Install robust Internet security software suites on all devices.

____ Utilize effective intrusion detection systems.

____ Use a spam filter.

____ Disable popups through browser configurations and/or install an ad blocker on all devices.

____ Keep all software on all devices up to date by promptly installing all critical security patches as they are released.

____ Determine where all office data is stored by creating a network diagram and make sure this diagram remains current because it will be useful to digital forensic experts in the event of a security breach. In addition, this diagram can and should be used to create a security policy that responsibly addresses every situation where any data resides.

____ Identify all laws and regulations which may apply to your data in order to make sure you are in compliance with these laws and regulations. For example, does your firm hold data which is governed by HIPAA, HITECH or Sarbanes Oxley? Do you hold personally identifiable information?

____ Password protect all devices.

____ Use two-factor authentication when and wherever possible. This is particularly important with all banking and financial sites.

____ Develop a password policy that mandates the use of strong passwords (or passphrases) if the device or application will accept them. Strong passwords are defined as being 16 characters or more in length using a combination of uppercase and lowercase letters, numbers, and special characters. Note: Every application and device in use should have its own unique password and no password should ever be reused once changed. The use of a password manager can make this task easier and more secure than, for example, storing passwords in a file labeled “passwords” or writing them down and placing that list in a desk drawer.

____ Prohibit the sharing of user IDs and passwords with anyone, to include others within the firm.

____ Have your IT support person change the default values, for example default passwords, on all wireless routers, server operating systems, etc. because these values are freely available on the Internet.

____ Wireless networks should be set up with proper security to include enabling strong encryption. This means you must disable WEP and WPA encryption and require WPA2 encryption. If the router supports WPA3 encryption, use it. Do not overlook home networks if home computers are being used for work.

____ In order to prevent access to your firm’s confidential data, set up a properly configured wireless guest network. No guest should ever have direct wireless access to your firm’s network.

____ Backup all data, periodically do a test restore of the backup, and store the backup in accordance with a disaster recovery plan because floods, fires and ransomware attacks happen. Backups must be encrypted if taken off site or stored in the cloud, and if using a cloud vendor, the vendor should not have access to the decryption key.

____ Any mobile device that goes off site and contains any client confidences must be password protected, should have the ability to be remotely wiped if lost or stolen, and should be encrypted. This includes jump drives, external hard drives, laptops, smart phones, and tablets.

____ Limit privileges and access as appropriate. For example, does everyone in the office need access to the firm’s financial or employment records? Can everyone download and install anything they want on any device they have access to? Can everyone make changes to the system configuration? Don’t make it easy for cybercriminals. Place limits on what people can do. Such limits can either be set up electronically via file permissions or physically via a locked door or cabinet.

____ Encrypt any email if it contains confidential information or use a secure client portal. Check with your IT support for help with proper installation and configuration of your selected solution.

____ Encrypt all data you place in the cloud. Some cloud companies advertise that they encrypt your data but only do so while the data is in transit. You must make certain your data is encrypted “at rest” as well. Better yet, don’t rely on the cloud provider for this at all. Encrypt your data before placing it in the cloud to enable you to have control over the encryption key.
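The backup item and the cloud item above come down to the same control: encrypt before the data leaves your hands, and keep the key yourself. As an added example, not from the checklist’s author, here is a Go program (standard library only) that encrypts a backup with AES-256-GCM under a locally generated key, checks that what a stand-in vendor stores contains no plaintext, performs a test restore, and shows that a modified stored object is refused rather than silently restored. The sample data and the in-memory “vendor” are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrTampered: the stored object failed GCM authentication, so it was modified
// while in the vendor's hands or the wrong key was supplied.
var ErrTampered = errors.New("object failed authentication: modified or wrong key")

// LocalCipher builds the AES-256-GCM cipher from a key the firm holds itself.
func LocalCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext; the result nonce||ciphertext||tag is the only thing ever uploaded.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with the object.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts an object produced by Seal and verifies it was not altered.
func Open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, ErrTampered
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// BackupAndRestore encrypts locally under a freshly generated firm-held key,
// "uploads" to a constructed in-memory vendor, performs a test restore, then
// checks that one flipped bit in the stored object is refused on restore.
func BackupAndRestore(plaintext []byte) (vendorSawPlaintext bool, restored []byte, tamperDetected bool, err error) {
	key := make([]byte, 32) // AES-256 key: generated and kept by the firm, never sent to the vendor
	if _, err := rand.Read(key); err != nil {
		return false, nil, false, err
	}
	aead, err := LocalCipher(key)
	if err != nil {
		return false, nil, false, err
	}
	blob, err := Seal(aead, plaintext)
	if err != nil {
		return false, nil, false, err
	}
	stored := append([]byte(nil), blob...) // the object as the vendor holds it: ciphertext only
	vendorSawPlaintext = bytes.Contains(stored, plaintext)
	if restored, err = Open(aead, stored); err != nil {
		return vendorSawPlaintext, nil, false, err
	}
	corrupt := append([]byte(nil), stored...)
	corrupt[len(corrupt)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tamperErr := Open(aead, corrupt)
	return vendorSawPlaintext, restored, errors.Is(tamperErr, ErrTampered), nil
}

func main() {
	saw, _, caught, err := BackupAndRestore([]byte("constructed sample: client ledger 2021"))
	fmt.Printf("vendor saw plaintext: %v, tamper detected: %v, err: %v\n", saw, caught, err)
}
```

The same property holds for a real vendor: a provider that never receives the key cannot read the object, and a corrupted or substituted object fails the GCM check at restore time instead of restoring bad data.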

____ Read the terms of service of any third-party vendor that will hold your confidential data. Remember, the standard of reasonableness applies. At a minimum, you need to know and understand what happens to your data while in the hands of an outside vendor in order to allow you to responsibly address any concerns.

____ Mandate that all work-related Internet sessions be encrypted and prohibit the use of unsecured open public Wi-Fi networks. This does mean that access to the office network must always occur using a VPN, MiFi, smartphone hotspot or some other type of encrypted connection.

____ Prohibit the use of any public computer for any reason. This would include the use of computer stations made available in the business center of a resort or hotel just as one example.

____ Have a policy that prohibits the jailbreaking of any mobile device that will be used for work. Jailbreaking is defined as modifying the operating system from its original state.

____ Never allow a non-employee to have access to your network absent appropriate oversight. In a similar vein, immediately cut off all avenues of access to the network for anyone who has been terminated. Terminated individuals should never have access to any office computer or network plug, even if it’s to simply download personal files, absent a trusted escort.

____ Provide mandatory data security and social engineering awareness training to everyone at the office at least every six months.

____ Develop a cyber breach incident response plan and provide the necessary training. At its most basic, if anyone suspects a device has been breached, teach them how to immediately disconnect from the Internet and/or the office network and instruct them to contact IT support immediately. They should never try to resolve the problem themselves!

____ Purchase a cyber liability insurance policy.

____ Check your internal and Internet-facing network security at least annually to make sure your network is secure. This can be done by having a vulnerability assessment or penetration test done.

____ Properly dispose of any device or digital media that has or had any business-related data on it. Don’t overlook digital copiers, digital cameras, memory cards, CDs, DVDs, jump drives, backup tapes, etc. All devices and media must be digitally wiped clean and/or physically destroyed. This does mean that devices cannot be given away for personal use, donated, recycled, or sold unless the entire drives have been overwritten. Note: a restore to factory default settings is not an acceptable alternative to wiping a drive.