PL Risk Blog

The Evolution of the Cyber Breach: What we have learned for 2022

Written by Drew Smith | Nov 30, 2021 3:00:00 PM

Cyber breaches are increasingly more sophisticated and more expensive to tackle. In 2021 alone, we have seen attacks on vital infrastructure like the SolarWinds, Microsoft Exchange, Kaseya and the Colonial Oil pipeline. With many attacks occurring on vital infrastructure, many are unsure what to do or how to diagnose a breach

2014 vs 2021 Attacks: What’s Changed?

For many people, the first time a significant cyber event came to public consciousness was Black Friday of 2013. In a coordinated attack, Target had 47 million of their credit card numbers compromised. This first publicly wide scale breach made people pause and take notice that the increased reliance on the internet and cyber data meant that they were vulnerable to these hacks. Back then and through 2016, most people had to worry about hackers stealing their data, or Personal Identifiable Information. (PII)(1)

Fast forward to 2021, and attacks have become more frequent and more sophisticated. Where the damages have occurred has also changed. Whereas before, most of the costs were related to notification and credit monitoring, now ransoms and business interruptions contribute the most financial loses to your company. With attacks on infrastructure and other large companies, it has become increasingly more likely for a cyber breach to do considerable damage to vital infrastructure and public facilities and supply lines. These attacks have global consequences and cost billions of dollars in insurance costs and other damages.

What hasn’t changed is the steps to take after a breach, including notifying affected individuals, performing forensics, dealing with regulators and in general corporate chaos. Nowadays, with social media, the breach of a major company or piece of infrastructure is made public on Twitter, Facebook or other social media within the hour. The speed of these hacks and company responses had only increased since these became public.

What is Business Interruption? How does a Cyber Breach cause it

Business Interruption occurs when a business is partially or completely inoperable due to an event. This can result from disasters such as hurricanes and floods to cyber-attacks. In cyber, many attacks can cause your business to pause while responding to a cyber attack for a period of a few days to several weeks. For example, the Emotet virus, a program targeting computer endpoints, can shut down your company for several weeks because it’s an incredibly hard virus to remove or contain. Business interruption coverage intends to reimburse the policyholder for loss of revenue and extra expenses incurred while responding to a cyber breach.

Did the Pandemic cause Issues?

For most, 2020 was a year to forget. But was the pandemic responsible for the increase in cyber-attacks? It played a part yes. When many companies forced everyone to work remotely, it created a significant risk as many people had to move onto secure home networks and untested streaming applications. Hackers had a field day going after the so called “low-hanging fruit,” companies and other individuals with less-than-ideal cyber security measures. Jeff Boogay, Partner of Mullen Coughlin, LLC, a firm specializing in cybercrime and insurance revealed that the number of cyber claims increased exponentially. “We’ve seen an increase in the number and severity of events since the start of the COVID-19 pandemic. At least some of this is likely related to transition to remote work and the increasing reliance on internet access by employees.  This allowed cybercriminals more opportunities to take advantage of the increase in connected devices and remote connections to gain unauthorized access to networks.  Threat Actors continue to exploit the added system stresses of increased remote work throughout the US. “

 

What causes Breaches? Then vs. Now

Cyber breaches, despite being so prevalent, have surprisingly similar beginnings and goals. In 2014, with many people unaware of how vulnerable their data was, phishing and cyber engineering were the most prevalent intrusion methods followed by disgruntled employees.

While not much has changed in 2021, the paradigm has changed. According to the Verizon 2021 Data Breach investigations report, employee error accounts for 80% of all claims.(3) Despite the new methods and levels of protection being available, such as multi factor authentication (MFA) and endpoint detection, some of the same mistakes continue to drive the increase in claims activity, such as opening an infected email or using an unsecure network.

In a potentially scary case, a water treatment plant in Tampa was compromised because hackers had used their remote desktop protocol, something that many companies were forced to use in the pandemic to access their systems until it was discovered it was an easy way for hackers to enter their systems.

IT Teams are Overwhelmed and Create Their Own Risks

With the significant increase in the number of breaches, many IT teams are stretched thin. Frequently, IT teams cannot stay ahead of the curve in best practices and methods which creates an even more significant risk. The evolution of the managed services provider (MSP) has helped but also created more risk as was evidenced by the Kaseya breach which targeted MSP’s and affected some 1500 MSP’s and 42,000 clients. In this breach, the threat actor asked for $70 million in ransom and then went dark. Many companies and MSPs were left vulnerable as this breach played out

How Responses Have Changed Since 2014

Today, responding to a cyber breach has never been faster or more comprehensive. In 2014, when the worries were cryptojacking and social engineering, most were worried about getting their systems online as soon as possible, so they paid the ransoms, which were often very small and usually in untraceable Bitcoins and got their systems restored very quickly. Now, several things have improved and changed:

  •         Many governments have started to implement measures to ensure that companies take proactive steps to protect their customers such as Europe’s General Data Protection Regulation (GDPR) or California’s Consumer Protection Act (CCPA)
  •         Governments are also getting involved, with the US for example developing a bureau dedicated to cyber security in their state department. (CNN)
  •         Considering the increase in the number of breaches and costs associated with them, many insurance companies have begun reducing their exposure by reducing the limits they offer as well as limiting certain coverage such as ransomware, contingent business income or bricking
  •         Insurance carriers are now requiring certain controls be in place, or they will not offer terms or will offer significantly reduced terms at high prices. Such requirements include multi factor authentication, endpoint detection and response as well as segregated backups.
  •         Forensic teams are much faster to get involved. Whereas before it could take up to a week before forensics is called or sent out, now some insurance company response teams will be in the breached company’s systems within the hour trying to assess and mitigate damage. Response times can easily be two hours from the first report of ransomware to a couple of weeks of the more sophisticated attacks
  •         Banks have been getting more sophisticated with each other to recover funds. According to the Coalition in their annual claims study, they reported they now recover funds in about 27% of their cases and in those cases, they recover on average of 95% of the funds

What’s next?

What happens next all depends on regulators, insurance companies’ corporations and the hackers. These hacks are not going to stop, however as companies create increased awareness, develop stronger systems and commit more resources we hope this area of risk can stabilize. The middle market seems to be in a better spot than a year ago. However, backers are now trying to focus on the less valuable but easier to breach “low hanging fruit.” And supply chain companies can disrupt many companies at one time. It is estimated that the cyber insurance market will continue to evolve exponentially.

For more insights, contact Mullen Coughlin: https://www.mullen.law/and Axis Insurance Services, LLC: (Axis)