Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, the
nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the
company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.
For the sake of your clients, I hope you, and every other person who works at your firm, know full well what phishing attacks are and at least the basics of how these email attacks can be thwarted. If not, it’s way past time for everyone to come up to speed, and I strongly encourage you to do so posthaste! Here’s why. Phishing attacks also occur in the text messaging space. This type of scam is called smishing. Think SMS phishing. Just as with email, cyber criminals are applying social engineering tactics to text messaging and it’s a serious threat.
Smishing is particularly problematic because people are more inclined to trust a text message than an email and are less aware of the security risks surrounding text messages. Basically, what happens is cyber criminals obtain phone numbers that have been exposed as a result of a data breach, or they use web crawlers to gather numbers from social media sites, or they may even just use a random number generator. Then they start sending out text messages trying to trick recipients into clicking on a link or calling a number as they attempt to capture login credentials or have the recipient unwittingly download a malicious app. Making matters worse, the number the text message appears to originate from can be a spoofed phone number, meaning it appears to be coming from a reputable source when it actually isn’t.
In order to help you and everyone else at your firm from becoming yet another victim of a smishing attack, here are a few tips that can make a world of difference if taken to heart.
1) Remember smart phones are computers. They need to be protected with a security app just like all your other computers. If you don’t already have a reputable security app running on your smart phone, get one now.
2) Don’t trust text messages that attempt to get you to reveal sensitive information, especially if the text contains a portion of your credit card or bank account number. This kind of information can be obtained as a result of data breaches and is sometimes used to try to convince recipients that the text is legitimate when it actually isn’t.
3) Always log in to any online accounts through your phone’s browser or through a company’s mobile app that has been previously installed. Never click on an unexpected link in a text to start the log in process.
4) If the text appears to be coming from a reputable company, but still seems suspicious, call the company’s customer service number after looking it up on the official company website. If they confirm that it’s not from them, just delete the text.
5) Treat text messages with the same level of suspicion that should be in play with email, particularly ones that try to play with your emotions. In other words, stop and think before you click on any links or provide any information. If you let your emotions get the best of you, you risk enabling the download of a malicious app or you’ve just turned over sensitive information to someone who definitely doesn’t have your best interests at heart.
6) Don’t reply to suspicious texts even if the text itself says “text stop” to stop receiving messages. If nothing else, replies confirm that the phone number is an active number and more smishing attempts will surely follow.
7) Always be on the lookout for similar tactics in platforms like What’s App, Facebook Messenger Instagram, and the like.
8) And finally, use a VPN. VPNs can help spoof your actual location which may make it easier to spot a few text scams that rely on their appearing to be from a local number. In addition, by encrypting your data stream, even if your phone is, or eventually becomes, infected with a malicious app, the scammer may be unable to obtain anything of value because the data stream is encrypted.
John Merchant is Managing Director, Cyber and Technology Practice – North America for Optio Insurance Services, a global MGA specializing in over 13 classes of business. He is responsible for overseeing business development, digital distribution strategy, product development and vendor management. Prior to joining Optio, John was the Insurance Practice Advisory Leader and Cyence Risk Analytics and was responsible for the planning and execution of strategic customer initiatives. Prior to joining Cyence, John spent over 10 years in the insurance industry, primarily focused on cyber product development, strategy and underwriting. John has held positions at Nationwide, AIG and The Hartford. Before joining the insurance industry, he held various strategic sales roles in the technology sector. John holds a BA in Political Science from the University of Connecticut.
“I underwrite from my gut”. A statement no senior executive wants to hear from their lead cyber underwriter, or any underwriter for that matter. I can attest to hearing that statement, or something similar on occasion though. Although an extreme example, it’s hard to deny that a certain degree of empirical reasoning goes into many cyber underwriting decisions, as it should. To what degree empirical data, or gut instinct, influences underwriting decisions could be the difference between profitability and being in the red. Sometimes those decisions, although appearing to be gut instinct, are based on sound experience and are a crucial part of the decision-making process.
With any extreme approach an opposite must exist. In the case of cyber underwriting, a purely data-driven approach without any human underwriter involved doesn’t exist just yet (excluding cyber endorsements and other slot-rated products for very small entities). However, the industry has begun to more fully embrace a risk selection approach heavily influenced by externally collected and curated data. Investors have too. Five years ago, there were no insurtech Cyber MGA’s. Now there are over a half dozen and counting, and funding appears plentiful.
For this blog post I’d like to pose a question. Which approach is better? I’d argue a cogent case can be made for both, especially given the current market conditions. There’s no denying that data and analytics are here to stay. Predictive modeling and analytics have changed the landscape of several industries. For me, an industry most profoundly changed is professional baseball. Other industries have been changed materially as well, but baseball is more interesting to note than financial services. Apologies to all the quants out there.
The arc undertaken by baseball is reminiscent of the arc being taken by the cyber insurance market. A very old industry, set in its ways, being unexpectedly and somewhat begrudgingly forced to adopt the use of data to make decisions.
This shift from a game dominated by gut decisions, feeling and how a player looked to one dominated by predictive analytics was seismic. Who knew game decisions and multimillion dollar contracts would be made by acting almost solely on OPS, ISO, WHIP or wOBA. All acronyms I’d be happy to debate on the next sabermetrics Zoom. However, have these analytics proven to be superior or is the human element (meaning decision making by “informed instinct”) a necessary or even superior method in some cases?
Below are mini, non-lawyerly “cases” for a machine approach to underwriting vs. a human approach. I purposely avoided making cases against each as they are implied.
The Case for Machines
We’re already there. Auto, home, BOP’s…all underwritten by algorithms gathering internal and external data to predict profitability at the policy level. These are standardized products of course, but human touch is no long part of the process. This allows for lower acquisition costs and the ability to grow at scale. Cyber however, is anything but commoditized. I could argue the industry has tried a little too hard to commoditize a highly complex product, but that’s fodder for another blog. That thought aside, the introduction of externally collected and curated data to drive the underwriting decisions has exploded.
Data can be collected and analyzed at scale, providing threat intelligence which is simply impossible to ascertain through the traditional underwriting process. There is no way, at least from what I’ve seen, that an underwriter can quickly find out the number of publicly facing IP addresses, proper or improper configuration of the Sender Policy Framework (SPF), whether traffic to and from a website is encrypted and if that encryption is strong or weak, and finally, if any RDP ports are externally visible and therefore prone to exploitation by cyber extortionists. Underwriters could ask on an application, but good luck with that approach.
Our machine friends can also provide portfolio level intelligence to ascertain potential points of accumulation. With these points of accumulation identified, they can assist with building disaster scenarios, which up until recently were “built” by adding one’s exposed limits together. I’m sure many of my colleagues on the underwriting side recall the days when accumulation management meant asking what cloud providers a company used and then physically adding them to an excel spreadsheet. A tedious task, I assure you.
Are these models perfect. No, far from it. They’re all wrong to some degree but are certainly better than knowing nothing. To grossly oversimplify, I’d rather be told there’s an 80% chance it may rain this weekend and prepare appropriately than plan a beach day on what turns out to be a wash out.
To conclude the case for the machines, this data can be continually collected, and models trained to get better and more accurate. Economies of scale kick in and this approach becomes less and less expensive, in theory.
The Case for People
You can’t have a beer with a machine. Twenty years ago, that may have been a valid case. Kidding aside (sort of), models and the data and analytics that power them are only as good as their creators, who are people. Not underwriters, but people, nonetheless. Where underwriters come in is in the interpretation of the data. As pointed out, all models are wrong to some degree. That degree is ascertained by highly trained underwriters with years of experience in the market. Plus, the human brain is still the best decisioning engine ever created.
There are also several risk factors which can’t be gleaned from an external scan or continuous monitoring of a network. These include how (or if) companies train their employees, the experience level of their management and security team, the health of the industry class, the overall adoption of a security mindset, and their plans in the event of a cyber-attack. None of these data points can be gathered externally, but any claims rep or breach coach will tell you they’re directly correlated with losses.
To conclude the case for people, this is still a relationship business. Something I hope will not go away. Trust is arguably the most important asset an underwriter can have and is only gained through long-term relationship building.
The Case for Both
It doesn’t take a rocket scientist (or an algorithm) to predict where I was going with this blog post. However, it’s not quite that simple. It’s too easy to say that underwriters should simply merge their approach with that of a data only approach, attaining some level of cyber zen. This is where the real work comes in, and where I have some direct experience.
Having worked at a predictive analytics start-up prior to joining Optio, I saw first-hand how powerful these models could be. However, two common themes among my clients also struck me.
One was how much work the customer, in this case insurers and reinsurers, had to put in to glean real value from the model. There’s “heavy lifting” to be done on the part of the customer to make these solutions work. Often this additional work wasn’t anticipating by the customer, creating agitation and unwelcome extra work.
Second, and more importantly in my opinion, was the analytics telling an underwriter something they didn’t want to hear. Prior to 2019, incurred losses were in the 40% range, with actuals much lower. Unexpectedly seeing a profitable portfolio showing a modeled loss ratio 20-30 points higher instills almost immediate distrust in the analytics. Also, competing models may show materially different loss figures, adding to this distrust. On an individual risk selection level, for an underwriter to be told that a company they’ve been insuring for several years, without any notices, is suddenly a bad risk raises questions, as they should. It’s an underwriter’s job to question.
These issues can lead underwriters to use the good news and filter out the bad, effectively gaming the system. On the flip side, going solely by the numbers may have led to no growth and, not to be crass, but no bonus or job. Last time I checked those were important.
The case for both is a challenge to the cyber underwriting industry, both old guard and new arrivals. On one side a challenge to recognize that machine-learning and AI can be a tremendous competitive advantage but utilizing them is a major undertaking and some level of trust is required. On the other side, a challenge to recognize that pure data-driven underwriting with no, or very limited underwriter oversight can lead to losses at scale and increased distrust of technologies that are vital to a profitable cyber insurance market.
Thank you, and I welcome your feedback and opinions.
Kurtis Suhs Founder and Managing Director, Cyber Special Ops, LLC
Mr. Suhs serves as the Founder and Managing Director for Cyber Special Ops, LLC, a cyber risk company that provides its clients with Concierge Cyber®, a revolutionary new delivery solution for cyber risk services modeled on concierge medicine.
Many insurance professionals have compared cyber insurance to employment practices liability (EPL) insurance which took decades for organizations to adopt; however that is where the comparison ends. Cyber insurance is more analogous to catastrophic commercial property insurance, in which state-sponsored actors and sophisticated crime syndicates target and seek to burn down your building 24/7/365 days per year.
According to FM Global, the three main reasons sprinklered buildings burn are 1) design deficiencies, 2) system impairments before a fire, and 3) system impairments during a fire. Let’s evaluate how each of these causes compare with cyber loss.
Sometimes due to design deficiency or system impairment, an automated sprinkler system fails to suppress a fire sufficiently and thus a building burns despite the system.
Water supply Is the water source
—a public water supply?
—a fire pond?
Incident Response Is the data breach team
—an external third-party service provider?
—an internal legal and infosec team?
System design Is the system design adequate?
What is the system trying to protect?
Network Design Is the network architecture adequate?
What is the system trying to protect?
Changes in occupancy
Changes in electronic assets
The building (organization) was devastated by fire (a cyberattack). The cause of the devastation was multifaced. The water supply (incident response plan) was limited because a single connection from the public water main (a few data breach firms) supplied the entire sprinkler system (cyber insurance market). However, the water supply (incident response plan) was limited and the water flow (insured’s cyber insurance coverage and limit) to the automatic sprinklered system (network defense) was marginally adequate for the task. The sprinkler system (network defense) was designed for a facility (organization) that processed a specific amount and type of paper (electronic assets). The plant (organization) was changed to process a new and greater amount of hazardous coated paper (sensitive information). This change was made without reevaluating the sprinkler design (network design) or water supply (incident response plan).
The system (network) simply couldn’t generate enough water (cyber insurance) to mitigate this type of fire (cyberattack) and suppress it because it wasn’t designed for this use and didn’t have enough water (cyber insurance coverage and limit) for this type of fire (cyberattack). Furthermore, the local fire department (cyber insurer) wasn’t aware of the change in the amount and type of paper (the exposure basis) and thus didn’t know they were responding to a hazardous chemical fire (state-sponsored actor), which requires a very different firefighting response (incident response) as compared to a traditional uncoated paper fire (simple malware).
System Impairments Before a Fire
A fire that would normally be adequately controlled or suppressed completely can instead rage out of control and destroy the building.
There are three type of impairments that can occur before a fire (cyberattack) as follows:
renovation of building (network)
inadequate maintenance of property (network)
arson (state-sponsored actors and sophisticated crime syndicates).
Deliberate action by an arsonist (state-sponsored actor or sophisticated crime syndicate) can impair or disable an automatic sprinkler system (computer network) so the arsonist’s (threat actor) fire setting (cyberattack) actions will cause damage.
Arsonists (cyber attackers) learn how sprinkler systems (computer networks) work and find ways to defeat or overtax them. Limited only by their imagination, for example, they may close valves (software applications) or attempt to overtax the system (all computer servers) by setting multiple fires (cyberattacks) designed to circumvent, damage or destroy the building (organization).
System Impairments During a Fire
System impairments that can occur during a fire are often the result of human action that cause a protection breakdown.
The most common system impairment that can occur during a fire (cyberattack) is premature closure of a sprinkler system’s control valve (network defenses).
Another common system impairment is the inadequate monitoring of the sprinkler control valve (network defenses).
Call to Action:
For most businesses, the five most important categories of risk are tied to 1) theft of intellectual property, 2) business interruption, 3) theft or corruption of personally identifiable information, protected healthcare information, 4) credit and debit card data and 5) diminished cash flow. But which of these is a priority, to what degree, and for which organization assets?
If we really want to make cybersecurity better, we first need to ask what do we need to protect within the organization? All of this is highly dependent on the business, the internal network structure, and the other security controls that are in place premised upon the zero-trust information security model.
Organizations will never outpace the sophisticated cyber threat actor. Remember, the cyber adversary only has to be right once while your organization has to be right 100% of the time.