When is Cyber Cyber? Insurance Coverage in Flux

The fear of suffering a cyberattack is rightfully keeping business owners up at night. A cyberattack does not just give the security team a headache; it can have profound and irreversible financial consequences for the business. According to the IBM and Ponemon Institute cost-of-a-data-breach report, the average cost of a data breach in the U.S. is over $8 million. With nearly 30% of companies expected to experience a breach within 24 months, it is no surprise that businesses are seeking coverage. The problem is that businesses and insurers alike are still grappling over exactly what is and is not covered when a cyber event occurs.

Some businesses are learning this the hard way

Recently, a phishing campaign stole the credentials of an employee at a rent-servicing company that lets tenants pay their rent online. The phishers used those credentials to divert $10 million in rent money that the company owed to landlords. The company held a crime insurance policy covering losses "resulting directly from the use of any computer to fraudulently cause a transfer," yet its claim was denied. Among the insurer's reasons: because the stolen funds were owed to landlords, the company had not technically suffered a first-party loss, so the loss fell outside the policy. Note what the attack actually required: one set of valid credentials, used in the ordinary way, with no malware and no exploit.

In another case, the pharmaceutical company Merck fell victim to a ransomware-style attack (the June 2017 NotPetya outbreak) that shut down more than 30,000 of its computers and 7,500 servers. The attack took weeks to resolve, and Merck is now claiming $1.3 billion in losses that it believes should be covered by its property policy. The complication is that the attack on Merck was a by-product of a malware campaign the Russian government was waging against Ukraine, which spread to companies in other countries. The insurer therefore denied the claim, stating that its property coverage excludes any incident considered an "act of war."

Silence is Deadly

The Merck example also illustrates the concept of "silent," or "non-affirmative," cyber: standard insurance lines, such as property or crime, in which cyber events have been neither specifically included nor excluded. Merck filed its claim against the property policy because it sustained data loss, system loss and business interruption. Silent cyber is difficult for a carrier to respond to (which is why the carrier in this case is leaning on the war and terrorism exclusion to deny coverage) and even harder for it to account for. That is one reason both carriers and businesses are moving toward standalone cyber insurance, which gives the insured and the carrier far more clarity about what is covered. Even then, a carrier can deny coverage where the security attestations made at underwriting (for example, that multi-factor authentication or tested backups are in place) do not hold up when examined at claim time.

Predicting the Unpredictable

It is commonly said that insurers will do anything to avoid paying a claim, but the issue with cyber coverage goes much deeper. The real problem is a set of uncertainties in categorizing and quantifying cyber risk that makes comprehensive policy writing a near-impossible task. For one, cyber insurance is a new market dealing with a relatively new problem, so insurers have far fewer data points with which to quantify risk than they have for long-standing lines of insurance.

Beyond the shortage of data, cyber incidents are extremely difficult to predict and to account for reliably. Health and natural-disaster policies, for example, rest on scientific modeling that gives risk factors a certain stability; it is much harder for an insurer to predict when, where, and how a cyberattack might happen, and a single campaign can hit thousands of policyholders at once. Even Warren Buffett told investors that anyone who claims a firm grasp on cyber risk "is kidding themselves."

Reading the Fine Print

Despite the relatively unpredictable nature of cyber incidents, there are plenty of steps businesses can and should take to understand and reduce their risk profile. Organizations with robust risk management practices can significantly reduce their exposure, and a strong security posture goes a long way toward minimizing losses and supporting a claim when one arises. Because a carrier can deny a claim when the controls attested to in the application turn out not to be in place, the controls listed there should actually exist and be evidenced, not merely planned.

This places much of the responsibility on individual businesses to evaluate their own cyber exposures and the coverages available to respond to them. A good insurance broker with expertise in cyber is essential. Much like the threat landscape, cyber insurance coverage is constantly evolving, and it is up to all parties, from businesses to carriers, to keep up.

The Human Factor of Cyber Threats

We’re number one! (Oh, that’s not a good thing?)

Yes, sometimes it is better not to be recognized, especially in the Verizon 2020 Data Breach Investigations Report, which tracks new and emerging trends in the cyber threat landscape. Anyone who is anyone in cyber wants to get their hands on it as soon as it is published (and we are no exception). As has been the case for many years, one of the key reasons behind data breaches is what we do (or do not do). This year's report shows that 3 of the top 5 threat actions leading to a breach involve humans either making mistakes or being tricked. Below is a closer look at those 3 threat actions and the human factors they rely on.

1. Phishing

In this year's report, phishing leads the pack of threat actions behind successful breaches. It is also the most common form of social engineering in use today, accounting for about 80% of social engineering cases. A phisher does not need much technical know-how to steal information from a victim. Phishing works by manipulating people's emotions (urgency, fear, curiosity) and short-circuiting their critical thinking so that they accept the email in front of them as legitimate. The payoff is usually a set of credentials, which is why phishing and the use of stolen credentials appear together at the top of the list.

2. Misdelivery

One surprising aspect of the report is the rise of misdelivery as a cause of data breaches. This is a different kind of human-factor threat: the pure and simple error. There is nothing complicated about it: someone within the organization accidentally sends sensitive documents or emails to the wrong person. While this may seem like a small mistake, the impact can be great, especially in industries handling highly sensitive information, such as healthcare and financial services.

3. Misconfiguration

Misconfiguration as a cause of data breaches is also on the rise, up nearly 5% from the previous year. Misconfigurations cover everything from cloud storage that was never set up properly, to undefined access restrictions, to something as simple as a disabled firewall. While this form of threat involves technology, the issue is first and foremost the errors made by people within the organization. Simply put, if a device, network, or database is not properly configured, the chances of a data breach skyrocket, and the exposure is often discovered by someone outside the organization before anyone inside notices.

So What’s to Stop Us?

By and large we all understand the dangers cyber threats pose to our organizations, and the number of tools available to defend against them keeps growing. Yet while there is ever more technology to stop intruders, at the end of the day it still comes down to the decisions we make and the behaviors we have (which are often used against us).

We know a few things:  compliance “check the box” training doesn’t work (but you knew that already); “gotcha” training once you accidentally click on a simulated phish doesn’t work because punitive reinforcement rarely creates sustained behavior change; the IT department being the only group talking about security doesn’t work because that’s what they always talk about (if not blockchain).

Ugh.  So what might work?  If you want to have sustained cybersecurity behavior change, three things + one need to occur:  1) you need to be clear regarding the behaviors you want to see; 2) you need to make it easy for people to do; 3) you need people to feel successful doing it.  And the “+ one” is that leadership needs to be doing and talking the same thing.  In other words, the behaviors need to become part of the organizational culture and value structure.

If we design the behaviors we want and put them into practice, we can stop being number one.  At least as far as Verizon is concerned.

COVID-19 Loan Breach Exposes 8,000 Applicants

This week, reports surfaced that the Small Business Administration's COVID-19 loan program experienced an unintentional data breach last month, leaving the personal information of up to 8,000 applicants temporarily exposed. This is just the latest in a long line of COVID-19 cyberattacks and exposures since the pandemic began.

The affected program is the SBA's long-standing Economic Injury Disaster Loan (EIDL) program, which Congress recently expanded to help small businesses affected by the COVID-19 crisis. The EIDL is separate from the new Paycheck Protection Program, which is also run by the SBA.

According to a letter sent to affected applicants, on March 25th the SBA discovered that the application system had exposed applicants' personal information to other applicants using the system. The information potentially exposed included names, addresses, phone numbers, birth dates, email addresses, citizenship status, insurance information, and even Social Security numbers.

According to the SBA, upon discovering the issue it "immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal." All businesses affected by the exposure were eventually notified by the SBA and offered a year of free credit monitoring.

A number of recent examples show that the severe economic impact of the pandemic has left the SBA scrambling. Typically, the SBA is meant to issue funds within three days of receiving an application. However, with more than 3 million applications flooding in, some have had to wait weeks for relief.

The unprecedented number of applications, coupled with the fact that the SBA is the smallest major federal agency (it took an 11% funding cut in the last budget proposal), likely contributed to the accidental exposure. But whether accidental or not, a data breach is still a data breach. A portal that shows one applicant another applicant's record is failing to enforce authorization on each record it serves, and that check belongs in testing before launch and after every change. It is important that all organizations take the time to ensure their systems and data remain secure, and that mistakes do not create more work and confusion during a time of crisis.

COVID-19 Data Breaches Used to Fuel Disinformation

The current onslaught of cyberattacks related to the COVID-19 pandemic continued this week. Tuesday night, reports surfaced that attackers publicized over 25,000 emails and passwords from the World Health Organization, The Gates Foundation, and other organizations working to fight the current COVID-19 pandemic. What’s more, this new data dump starkly shows how easily data breaches related to COVID-19 can fuel disinformation campaigns.

The information was initially posted online over the course of Sunday and Monday and quickly spread to corners of the internet frequented by right-wing extremists. These groups rapidly used the data to mount harassment and disinformation campaigns about the COVID-19 pandemic. One such group posted the emails and passwords to its Twitter page and pushed a conspiracy theory that the information "confirmed that SARS-CoV-2 was in fact artificially spliced with HIV."

A significant portion of the data may be out of date and drawn from previous breaches. In a statement to The Washington Post, the Gates Foundation said it did "not currently have an indication of a data breach at the foundation." Reporting by Motherboard also found that much of the data matches information stolen in earlier breaches. That means many of the circulating passwords are not linked to the organizations' internal systems, unless employees reused them there, which is exactly what credential-stuffing attacks bet on.

However, some of the information does appear to be authentic. Cybersecurity expert Robert Potter was able to use some of the data to access WHO’s internal computer systems and said that the information appeared to be linked to a 2016 breach of WHO’s network. Potter also noted a trend of disturbingly poor password security at WHO. “Forty-eight people have ‘password’ as their password,” while others simply used their own first names or “changeme.”

Consequences

Whether or not most of the information is accurate, the alleged breach has already succeeded in fueling more disinformation about the COVID-19 pandemic. In the past few weeks, many right-wing extremist groups have used disinformation about the pandemic to spread further fear and confusion in the hope of seeding more chaos.

This episode starkly shows how data breaches can cause damage beyond the exposure of sensitive information. They can also be weaponized to spread disinformation and even lead to political attacks.

Hacks Against Healthcare Industry on the Rise

Hackers are continuing to use the coronavirus crisis for personal profit. We recently wrote about the increase in malicious sites and phishing campaigns impersonating the World Health Organization and other healthcare companies. But now hackers appear to be turning their sights to the healthcare sector itself. Here are two notable cases from the past few weeks.

WHO Malware Attempt

Earlier this week, the World Health Organization confirmed hackers attempted to steal credentials from their employees. On March 13th a group of hackers launched a malicious site imitating the WHO’s internal email system. Luckily, the attempted attack was caught early and did not succeed in gaining access to the WHO’s systems. However, this is just one of many attempts being made to hack into the WHO. The chief information security officer for the organization Flavio Aggio told Reuters that hacking attempts and impersonations have doubled since the coronavirus outbreak.

Similar attempted hacks against other healthcare organizations are popping up every day. Costin Raiu, head of global research and analysis at Kaspersky, told Reuters that “any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.”

Ransomware Attack Against HMR

Unlike the attempt against the WHO, a recent ransomware attack did succeed in stealing information from a UK-based medical company, Hammersmith Medicines Research (HMR). The company, which performs clinical trials of tests and vaccines, discovered an attack in progress on March 14th. HMR was able to restore its systems, but the ransomware group Maze claimed responsibility. On March 21st, Maze dumped the medical records of thousands of previous patients and threatened to release more documents unless HMR paid a ransom. HMR has not disclosed how the attack occurred, but has stated that it will not pay.

Four days after the initial attack, Maze released a statement saying it would not target medical organizations during the coronavirus pandemic. That did not stop it from publishing the stolen medical information a week later. After the attack gained publicity, Maze changed its tune, removing the stolen files from its website while blaming the healthcare industry for its lack of security procedures: "We want to show that the system is unreliable. The cyber security is weak. The people who should care about the security of information are unreliable. We want to show that nobody cares about the users," Maze said.

Conclusion

Times of crisis and confusion are a hacker's delight, and the staggering increase in attacks against the healthcare industry proves it. The key to mitigating these threats is to keep security configurations at industry best practice, continuously scan your networks, lock down or close open ports, keep Remote Desktop Protocol off the internet (behind a VPN with multi-factor authentication, or preferably removed), and require multi-factor authentication for any remote access. And make sure you are testing your incident response plan, including restoring from backups, before you need it.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

A Breach of Breaches Past

A breach of breaches past has come back to haunt us. Last week, a cybersecurity researcher discovered that a collection of over 5 billion records from previous data dumps had been left exposed and publicly accessible. What is worse, the exposure reportedly occurred at the hands of a cybersecurity firm. Because all of the data had been exposed before, no new information was put at risk. However, the size and sensitivity of the collection could renew the risk for victims of those earlier breaches.

What was Exposed and How?

A UK-based firm built a database of exposed information from some of the biggest data dumps between 2012 and 2019, including records from well-known breaches such as Adobe, Last.FM, Twitter, LinkedIn, and others. The records include highly sensitive fields such as email addresses and passwords. The exact reason for compiling the database is not yet clear.

NOTE: The firm's own data and customer records were not exposed; the incident involved only collections of previously reported data breaches.

The incident was not the result of any malicious action. The firm loaded the records into Elasticsearch, an open-source search and analytics engine, without enabling authentication and without a firewall or network restriction to keep the database private.

The absence of such basic protections is partly explained by the fact that, in the Elasticsearch versions current at the time of writing, the security features (authentication, TLS, role-based access) are disabled by default on the free license, so a node bound to a public interface answers every query from anyone who can reach it. (Elastic has since made security on by default from version 8.0 onward.) Exposed Elasticsearch instances have been behind a series of similar incidents in the past few years; only two months ago, 250 million Microsoft customer-support records were exposed through the same kind of misconfiguration. These are operator misconfigurations rather than a flaw in the software itself, but given the number and size of the exposures, it is fair to ask why Elastic did not move sooner to make the secure setup the default.
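The two settings that turn a private Elasticsearch node into the exposure described above are the bind address and the security switch. The script below is an added example for this post (it is not code from the original article, nor from Elastic) that audits a flat `elasticsearch.yml` for that combination; it assumes the common flat `dotted.key: value` form of the file (nested YAML is not handled) and the 7.x defaults of loopback-only binding with security off. Both configurations in the block are constructed samples.

```python
"""Audit a flat elasticsearch.yml for the settings behind unauthenticated exposures.

Added example for this post; not code from the original article or from Elastic.
Assumes the flat "dotted.key: value" form of elasticsearch.yml (nested YAML is not
handled) and Elasticsearch 7.x defaults: security off, node bound to loopback only.
"""
from __future__ import annotations

# Values of network.host that keep the node reachable only from the machine itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: the shape of config that leaves every index readable by anyone.
EXPOSED_CONFIG = """\
cluster.name: breach-archive
node.name: node-1
network.host: 0.0.0.0          # listen on every interface so the team can reach it
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed sample: the same node with authentication and TLS on the HTTP API,
# bound to a private address (a firewall rule on http.port is the second layer).
HARDENED_CONFIG = """\
cluster.name: breach-archive
node.name: node-1
network.host: 10.0.5.12
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse 'dotted.key: value' lines; full-line and inline comments are dropped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(text: str) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for the exposure-relevant settings."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")                       # 7.x default: loopback
    reachable = host not in LOOPBACK
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    findings: list[tuple[str, str]] = []
    if reachable and not security_on:
        findings.append(("HIGH", f"network.host={host} with xpack.security.enabled=false: "
                         "the REST API answers without credentials, so anyone who can "
                         "connect to the port can read, modify or delete every index"))
    elif reachable and not tls_on:
        findings.append(("MEDIUM", "authentication is on but xpack.security.http.ssl.enabled "
                         "is false: credentials and data cross the network in clear text"))
    if not reachable and not security_on:
        findings.append(("LOW", "security is disabled; the node is only on loopback, so "
                         "exposure depends on nothing (proxy, port forward) reaching it"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run it against a real node's `elasticsearch.yml` before the node is reachable from anything but the host itself; a HIGH finding here is the exact configuration that the 250-million-record and 5-billion-record exposures were found in.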

Consequences

Just because the data in this incident had all been leaked before does not mean it is nothing to worry about. According to reports, the records are extremely well structured, and the sheer size of the database makes the information easy for attackers to use in phishing schemes, in credential-stuffing attacks against other sites, or to resell online. People whose records were previously exposed could see a renewal of fraud attempts in the coming months.

Want to see if the breach of breaches past could come back to haunt you? We recommend going to haveibeenpwned.com. The site lets you search any email address you use to see whether it appeared in previous breaches, including many of those involved in this incident, and its Pwned Passwords search lets you check a password without sending it anywhere: the password is hashed in your browser and only the first five characters of the hash are sent to the service.
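As an added example for this post and the WHO password findings above (this is not code from the original article, nor the Have I Been Pwned client), the block below shows the Pwned Passwords range check and the weak-password habits quoted earlier ("password", "changeme", a user's own first name) as one vetting function. The range responses are constructed samples with made-up counts, keyed by the real SHA-1 prefix of "password"; a real client would fetch `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS instead of calling `offline_fetch`.

```python
"""Vet a password against common defaults, the account holder's name, and a
Pwned Passwords k-anonymity range lookup, entirely offline.

Added example for this post; not code from the original article or from HIBP.
CONSTRUCTED_RANGES imitates the body of GET https://api.pwnedpasswords.com/range/<5 hex>:
one "SUFFIX:COUNT" line per leaked SHA-1 sharing that prefix. Counts here are made up.
"""
from __future__ import annotations

import hashlib
from typing import Callable

# Defaults and placeholders of the kind found in the WHO dump (constructed list).
COMMON_DEFAULTS = {"password", "changeme", "welcome", "letmein", "123456"}

CONSTRUCTED_RANGES = {
    # Prefix of sha1("password") = 5BAA61E4...; the middle suffix is its real remainder,
    # the neighbours and all counts are invented to mimic a range response.
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "2CAFCE2D1C8C7F11E6F8B61D71E3B0A6B4B:1\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS GET; unknown prefixes get an empty body here
    (the real service answers every prefix with hundreds of suffixes)."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """k-anonymity lookup: only the 5-char hash prefix leaves the client;
    the full suffix is matched locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def vet_password(password: str, first_name: str,
                 fetch: Callable[[str], str] = offline_fetch) -> list[str]:
    """Return the reasons a password should be rejected; empty list means acceptable."""
    reasons: list[str] = []
    low = password.lower()
    if low in COMMON_DEFAULTS:
        reasons.append("is a default or placeholder value")
    if first_name and low == first_name.lower():
        reasons.append("equals the account holder's first name")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    hits = pwned_count(password, fetch)
    if hits:
        reasons.append(f"appears {hits} times in known breach corpora")
    return reasons


if __name__ == "__main__":
    for pw, name in (("password", "Flavio"), ("Flavio", "Flavio"),
                     ("correct horse battery staple", "Flavio")):
        print(repr(pw), "->", vet_password(pw, name) or "ok")
```

The same `pwned_count` logic, with `fetch` swapped for a real HTTPS call, is what a registration form or password-change handler should run: reject anything with a non-zero count rather than relying on complexity rules, which "Password1" satisfies and "changeme" nearly does.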