Cybersecurity is a growing concern for all industries, including insurance. In recent years, ransomware attacks have become more comprehensive, more frequent and more dangerous. Insurers are having to deal with both the surge in cybersecurity insurance claims and the threat of attack against their own systems. At the same time, new regulations are creating additional compliance issues. Put everything together and it’s clear that cybersecurity and risk management must be a top priority for insurers.
Ransomware attacks continued to increase in 2021. According to the NCC Group’s Annual Threat Monitor[1], ransomware attacks nearly doubled in 2021 compared to 2020. Furthermore, more than half of these attacks (53%) were in North America.
The surge in incidents has had a significant impact on insurance. The Council of Insurance Agents & Brokers (CIAB)[2] says that 81% of respondents reported an increase in cyber insurance claims in the fourth quarter of 2021, up from 77% in the third quarter. The average cyber insurance premium increased 34.3% in the fourth quarter of 2021.
The insurance industry has been focused on gathering and leveraging data. Big data promises many rewards, but it also creates an attractive target for hackers. Insurers don’t just have to worry about attacks on their clients; they also have to worry about attacks on themselves.
“Gone are the days of limited seven-figure ransom demands,” said Tim Nunziata, Associate Vice President and Head of Cyber Risk at Nationwide. “Now we’re seeing multi-million dollar demands regularly.”[3]
Media outlet Bloomberg[4] says that CNA Financial Corp, a U.S. insurance company, paid hackers $40 million to restore their system after a ransomware attack. TechCrunch[5] reported that Chubb, a cybersecurity insurance provider itself, was also hit by a ransomware attack that stole data they housed with an unnamed third-party service provider.
The FBI[6] does not support payment of ransomware demands. Doing so can encourage more ransomware attacks, and it does not guarantee the safe return of data. Nevertheless, many victims pay up, and hackers are using new tactics to pressure them into doing so.
The Cybersecurity and Infrastructure Security Agency (CISA)[7] states that hackers are increasingly using a strategy known as “triple extortion.” Instead of simply encrypting data – a situation that can be remedied if the victim has good backups – the hackers also take the following steps:
Cybercriminals use many tactics to gain access to systems and launch ransomware. According to CISA, three tactics are especially common:
IBM Security X-Force[8] says that 41% of attacks used phishing in 2021, up from 33% in 2020, while 34% exploited software vulnerabilities.
The recently discovered Log4j flaw is giving hackers another entry point. Microsoft[9] says the open-source component is used in the software and services of many suppliers, and that attackers have been taking advantage of the vulnerabilities. For example, in early January 2022, hackers used the vulnerability to deploy ransomware against internet-facing systems running VMware Horizon.
CISA says that cybercriminals have started focusing more on the software supply chain, which allows them to access multiple victims at once. In one example, CNN[10] reports that the REvil malware was able to impact hundreds of corporate clients by targeting IT management companies.
Cybercrime is reaching crisis levels, and businesses are hungry for risk management strategies that can help contain the threat. CIAB says that 92% of survey respondents reported increased demand for cybersecurity insurance coverage in the fourth quarter of 2021.[2] For insurance carriers who provide stand-alone cyber insurance coverage, there are opportunities to provide expanded options for things like response and recovery efforts, extortion, and business interruption.
However, insurers should remember that they can also be victims of ransomware, either through direct attacks or through attacks on their service providers. In addition to helping their clients refine their cybersecurity practices, they must take steps to mitigate their own risks.
Carriers will need to continue to expand their cybersecurity capabilities to detect, prevent, and respond to attacks, with many insurers incorporating an ecosystem approach to cybersecurity technology. As attacks increasingly focus on the supply chain and software providers, this will require a concerted effort.
Insurers that store sensitive personal data can be prime targets for hackers. Having sensitive payment data in your system increases your security risks and your compliance burden. At One Inc, we adhere to industry-leading security requirements that reduce your risk of exposure, simplify your network security and compliance practices, and help to protect your policyholders from payment data theft. As a Nacha Certified Third-Party Sender, we have met rigorous standards for risk management and compliance, demonstrating the strength of our corporate controls.