The number of attacks on business accounts is rising, according to Beazley Breach Response, with emails better crafted and tailored to the recipient, making them harder to spot

Attacks targeting business email accounts have continued to climb in 2018, according to Beazley’s claims statistics.

Email accounted for 23% of incidents reported to the Beazley Breach Response services team during the second quarter of 2018.

The attacks were broadly distributed across industry sectors. Hardest hit were organisations using Office 365, the popular cloud-based productivity solution.


Business email compromises are efficient for the hacker because the compromise of a single account gives the hacker a platform from which to wage more targeted ‘spear phishing’ attacks within an organisation and externally.

Such attack methods have soared in popularity since the beginning of last year. According to Dasha Tarassenko of Mandiant, “phishing emails coming from compromised accounts are becoming more targeted and impressively crafted than ever. They’re not just sending thousands of spam emails. They’re doing reconnaissance within the compromised inbox and tailoring the next phishing email to the recipient.”

Disabling the ability for third-party applications to access Office 365 can halt an attacker’s ability to gain access to systems for reconnaissance. Two-factor authentication can also help, as can better training of employees.
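The two controls named above, restricting third-party application access and requiring two-factor authentication, also give a defender something concrete to audit for. The following Python example is added here and is not from the article or from Beazley; it scans a small set of constructed, JSON-lines audit records (the field names and operation labels are this example's own, not the Office 365 audit schema) and flags two conditions: a user consenting to an unverified third-party app that requests mailbox scopes, which is the foothold the text describes, and successful sign-ins that completed without MFA.

```python
import json
from collections import defaultdict

# Constructed sample audit records, one JSON object per line. Field names
# ("op", "mfa", "publisher", "scopes") are invented for this example and do
# not match any real tenant's audit export.
SAMPLE_AUDIT_LOG = """
{"time": "2018-09-10T08:02:11Z", "user": "alice@example.com", "op": "SignIn", "mfa": true, "ip": "203.0.113.5"}
{"time": "2018-09-10T08:05:40Z", "user": "alice@example.com", "op": "AppConsent", "app": "Mail Sync Helper", "publisher": "unverified", "scopes": ["Mail.Read", "Contacts.Read"]}
{"time": "2018-09-10T09:15:02Z", "user": "bob@example.com", "op": "SignIn", "mfa": false, "ip": "198.51.100.77"}
{"time": "2018-09-10T09:16:30Z", "user": "bob@example.com", "op": "SignIn", "mfa": false, "ip": "198.51.100.77"}
{"time": "2018-09-10T09:20:00Z", "user": "bob@example.com", "op": "AppConsent", "app": "Contoso Calendar", "publisher": "verified", "scopes": ["Calendars.Read"]}
{"time": "2018-09-10T10:00:00Z", "user": "carol@example.com", "op": "SignIn", "mfa": true, "ip": "203.0.113.9"}
"""

# Permission scopes that let an app read or change mailbox contents; an app
# holding these from a compromised account can do the inbox reconnaissance
# the article describes. The list is illustrative, not exhaustive.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read", "MailboxSettings.ReadWrite"}


def parse_audit_log(text):
    """Parse JSON-lines audit text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_events(events):
    """Return a list of (user, reason) findings for the two controls in the article."""
    findings = []
    no_mfa_signins = defaultdict(int)

    for event in events:
        if event["op"] == "SignIn" and not event.get("mfa", False):
            # Successful sign-in that did not complete a second factor.
            no_mfa_signins[event["user"]] += 1
        elif event["op"] == "AppConsent":
            # Consent to a third-party app: risky only if it is unverified
            # and asks for mailbox access.
            risky = set(event.get("scopes", [])) & MAILBOX_SCOPES
            if risky and event.get("publisher") != "verified":
                findings.append((
                    event["user"],
                    f"consent to unverified app '{event['app']}' with mailbox scopes {sorted(risky)}",
                ))

    for user, count in sorted(no_mfa_signins.items()):
        findings.append((user, f"{count} successful sign-in(s) without MFA"))
    return findings


if __name__ == "__main__":
    for user, reason in review_events(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{user}: {reason}")
```

In practice the preventive step is the tenant-level setting that stops ordinary users consenting to applications at all, so that app-consent findings like Alice's cannot occur; the review above is the detective counterpart for tenants where that setting is not yet in place.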


Brokers take steps over ‘silent’ cyber

Most residential and commercial property insurance policies do not explicitly state whether they would pay out for a damage claim where cyber is the trigger. But as more ‘smart’ buildings are constructed, with the Internet of Things bringing new opportunities as well as threats, such losses could become a reality.

And at present, it is unclear whether such losses would be covered. This is the ‘silent’ cyber dilemma which, according to Mark Synnott, global cyber practice leader at Willis Re, is “a leading concern for the insurance industry at every level, including management, boards of directors, regulators and rating agencies”. The broker has upgraded its cyber risk portfolio modelling tool to include silent cyber.

There is a significant mismatch between the risks faced by companies and the cover available, according to Capsicum Re, with the bulk of cyber exposures proving to be within non-cyber covers.

“We have reached a point where cyber is a very real, tangible risk class,” said Ian Newman, Capsicum Re’s global head of cyber, in a whitepaper.

“It is understood quite widely that the threats are increasing in severity almost daily, yet the industry is still dealing with developments reactively and behind the pace of change of the risk. We envision a future where cyber is as significant a peril as property/casualty.”

Whether the cyber insurance market continues to remain a largely standalone market, or evolves so that cyber becomes an affirmative cover within traditional property/casualty policies, brokers are working with SME clients to help them understand where any gaps in cover might be.

What’s included?

“Some insurance products do throw in a little bit of cyber cover,” said Graham Whyatt, group head of affinity and SME at James Hallam. “As a broker you have to be clear what is and isn’t included and explain that to your client. Because if somebody is throwing a bit of cyber into a retail policy or a commercial combined it can be quite limited.

“It’s important to highlight which events are not covered and, if appropriate, suggest a standalone cyber and crime policy that would pick up all the other aspects.”

Ransomware tops cyber claims list

Last year was significant for ransomware, including the high-profile and widespread WannaCry and NotPetya attacks. Total economic losses associated with WannaCry alone are estimated at $8bn, with $500,000 of this attributed to business interruption.

This mode of cyber attack remains a big issue for SMEs, according to a claims report from specialist Lloyd’s insurer Hiscox.

It cites a ransomware attack which encrypted a restaurant’s server, affecting its point of sale registers with the result that it was unable to trade.

“Having exhausted all other options, it was clear that the most effective way to restore the restaurant’s systems was to pay the ransom,” Hiscox said.

In addition to the cost of the ransom and associated IT costs, the insurer also covered the restaurant’s business interruption loss. The total claim cost was £20,000. Among the lessons learnt, the insurer cites the importance of helping staff recognise suspicious emails and ensuring good back-ups are in place.

It is estimated that more than 80% of cyber insurance claims result from human error, highlighting the need for staff training. But investment in cyber security systems is also essential, says David Flandro, global head of analytics, JLT Re.

“In most of these situations you just don’t even want to get to the point where the humans have to make a decision,” he said.

“You don’t want to get to the point where somebody is looking at their screen and saying, ‘shall I open this attachment or not?’.

“You want to be the firm that has the technology in place that blocks it. And then you want to buy cover that protects you. And that cover will be cheaper if you can demonstrate that you’ve got the right operational risk management processes in place and the right kind of software frameworks to protect your systems.”

Vulnerable legacy systems

The aim is to avoid being the low-hanging fruit, particularly when it comes to the less targeted attacks, says Flandro.

“Healthcare organisations were vulnerable to WannaCry because many had legacy IT systems and might not have protected themselves in quite the way they should have. So by default they became a target of ransomware attacks.”