The rise of ransomware – and the critical controls needed to combat it
As low-end cyber criminals increasingly joined the fray with RaaS schemes, the payouts they received encouraged sophisticated hackers to become more active with RaaS for large-scale windfalls. In recent years, ransomware attacks have become significantly more targeted, with criminals spending more time on research, reconnaissance, system penetration and system exploration before dropping the malicious code and demanding huge ransoms for decryption. This has resulted in a dramatic increase in the severity of cyber losses and has placed some pressure on the cyber insurance marketplace.
“The cyber insurance market has rallied around the need for more sophisticated ways to mitigate ransomware,” said Andy Maher (pictured above), head of large accounts, North America Cyber, AXIS Insurance. “The market is hardening in many lines of specialty insurance, but, in the cyber world it’s largely because of ransomware and the fact that small attritional losses aren’t so small anymore. From an underwriting standpoint, markets are taking a closer look at retentions and attachment points. If we’re seeing regular seven-figure ransom demands, are the current self-insured retentions enough to provide a long-term, stable market? Waiting periods on the business interruption side also need to be evaluated by the market; the average of 10 hours doesn’t provide enough protection when the average downtime from ransomware is significantly longer than that.”
Insurers have also increased their focus on the technical controls and securities that organizations should have in place to prevent or mitigate ransomware attacks. AXIS Insurance has developed a ransomware supplemental form which enables AXIS’s cyber underwriters to perform closer inspection and better selection of the risks.
“When a warehouse is built, it must have a sprinkler system to mitigate fire damage and is thus necessary to obtain property insurance. As a cyber insurance market, we need to move to that kind of approach with certain ransomware controls, whether that be requiring multi-factor authentication (MFA) or network segmentation,” Maher commented.
There are some cyber security controls that become very difficult to implement and audit, according to Sharif Gardner (pictured directly above), head of Cyber Training and Advisory Services, AXIS Insurance. For example, network segmentation varies by network, but there are certain controls that companies like AXIS Insurance are starting to impose as minimum standards when underwriting cyber. Forensically, insurers and cyber security experts are able to identify whether or not these controls were implemented properly when a cyber incident occurs, enabling insurers to gain better underwriting insights.
“Security awareness training is another critical control,” said Gardner. “With phishing emails, for example, asking the end-user not to click on a phishing email is just one part of that solution. Companies need to look at email authentication and sender policy frameworks that can be implemented by IT teams to block suspicious domains. There should not be phishing emails that come through to employees that ‘appear’ to be legitimately from their own employer. You simply cannot stop every member of staff clicking on something if it appears to be legitimate, but you can help prevent those phishing emails at IT system administrator level. So, it’s some of those controls, along with failure to implement other critical controls, such as multi-factor authentication, that are really starting to highlight themselves as not being implemented correctly.”
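The sender policy framework control Gardner describes works by publishing, in DNS, which mail servers may send on behalf of a domain, so that a receiving gateway can reject a message that claims to come from the company's own domain but arrives from an unauthorised address. The following is an added illustration, not code from the article or from AXIS Insurance: a simplified SPF evaluator (the ip4, ip6, include and all mechanisms only) run against a constructed DNS table with documentation-range addresses, plus a gateway decision that maps the SPF result to deliver, quarantine or reject. Domain names, IP ranges and the lookup table are all made up for the example.

```python
import ipaddress

# Constructed DNS TXT data for the example (not real records): domain -> SPF record.
# example.com authorises its own /24 and a hypothetical third-party mailer, and
# ends with "-all" so anything else is a hard fail.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include etc.) at 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for a domain from the constructed table, or None."""
    record = dns.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate a simplified SPF policy for sender_ip against domain.

    Supports the ip4, ip6, include and all mechanisms with the four qualifiers.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across recursive include evaluation
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address never matches a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many lookups; treat the record as broken
            sub = check_spf(sender_ip, arg, dns, _lookups)
            if sub == "pass":
                matched = True  # only a "pass" from the included domain matches
            elif sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism outside this simplified subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def gateway_action(spf_result):
    """Map an SPF result to the action a hardened mail gateway would take."""
    if spf_result == "fail":
        return "reject"
    if spf_result in ("softfail", "permerror"):
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    # A message claiming to be from example.com, sent from an address outside its policy.
    result = check_spf("192.0.2.50", "example.com")
    print(result, "->", gateway_action(result))
```

The decisive case for the phishing scenario in the quote is the last one: a message whose envelope sender is the company's own domain but which arrives from an IP the policy does not list evaluates to "fail" because of the trailing "-all", and the gateway rejects it before any employee sees it. A domain that ends its record with "~all" or "?all" instead gets only a softfail or neutral result, which is why a policy that ends in "-all" is what actually blocks impersonation of the employer's domain.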
This presents a huge opportunity for insurance brokers and agents to advise their clients around best practice cyber risk management tactics. As Gardner pointed out: “All security starts with education – it’s part of the buying process” and brokers are a key part of that process. To help AXIS broker partners and their end-clients improve their cyber security preparedness, the insurer provides a range of tabletop crisis simulation exercises – including a ransomware readiness assessment – through which delegates learn about cyber security via gamified scenarios. The insurer has also partnered with a third-party technology firm to provide security awareness and phishing simulation training, and it works with an IT consulting firm to offer IT-specific, system administration tabletops.
“The work that Sharif and the AXIS cyber training and advisory services team do is extremely valuable. It’s imperative that all parts of the market continue to grow in their understanding and mitigation of cyber risk,” said Peter Smith (pictured directly above), Underwriting Manager, Cyber & Technology, AXIS Insurance. “They also do a lot of training in-house as well, using insight and expertise from our in-house experts to prepare our underwriters to train our partners on how to best handle this risk.”
Smith continued: “Ransomware is the rising threat in the network security risk landscape, and underwriters have greater acumen today than ever before to handle the risk appropriately through education, risk mitigation and other services provided through insurance policies. We know that mitigation techniques such as multi-factor authentication (MFA) and immutable backups are leading the way so that companies can protect against this ever-growing cyber threat, and a key part of that protection is the services and knowledge an insurance policy and its backers can provide.”