The last two years have brought significant upheaval in the cybersecurity insurance market, and the vast majority of the blame can be laid at the feet of successful ransomware attacks.
The earliest simple ransomware attacks typically involved a single machine, immediate encryption, and a relatively low ransom (e.g., $500 USD worth of BTC). This simple attack pattern has evolved to employ tactics previously used by Advanced Persistent Threat (APT) actors.
When a single machine obtains a toehold through an exploit, instead of immediately starting the encryption/lockdown process, the attacker immediately reaches out to as many systems in parallel and establishes a firmer beachhead by enlisting as many systems as possible with the same exploit.
By this means, persistent access may be maintained unless all systems are cleaned. When many systems have been exploited, the attacker quietly waits for the appropriate time to encrypt systems en masse. This is usually initiated on the first evening of a long holiday weekend – while support staff may be unable to respond with the same speed as expected during the work week.
Whereas a single exploited machine that’s quickly encrypted may be easily restored with minimal data loss so long as some backup rigor is in evidence, the effort to restore many (conceivably thousands of) systems while an external attacker maintains access and control is difficult.
Even if excellent backup systems exist, it may be difficult to confirm the integrity of the restored data as the attacker lay in hiding during the successive backup cycles. If your Domain Controllers and/or your Backup systems have been exploited, the path is even more difficult. As a result, many times the exploited enterprise ultimately chooses to pay (often after a cycle of negotiation) the ransom. These ransoms could easily sit in the seven-figure zone.
As well, the original authors of the ransomware software itself chose to open marketplaces where they could sell ransomware as a business. No longer did an attacker need to understand how to develop malicious code or find vulnerabilities within operating systems. All that is needed is access to the marketplace.
In the early days of cybersecurity insurance, insurance companies discovered that it was a very profitable product. Before the spectre of ransomware, the financial damage from cyberattacks was generally small. Indeed, there were attacks, sometimes involving the loss of personally identifiable information (PII) but actuaries could build risk models to provide policy guidance that could be successfully underwritten.
Companies in the mid-market concerned about their exposure could easily purchase millions of dollars worth of coverage for as little as fifteen to twenty thousand dollars per year. The insurance company, confident in their models, could be practically guaranteed to make a healthy profit with few payouts and it was this way for well over a decade.
When ransomware evolved from individual systems to higher-profile attacks, that model was upended. Along with the higher ransom payouts, the Advanced Persistent Threat (APT) flavor of ransomware required the enlistment of Incident Response teams, further increasing the price to restore the company to its regular state.
Secondly, insurance companies tend to build models based on geographic and vertical diversity. For example, fires do not occur everywhere simultaneously. Actuarial data can be analyzed to determine the frequency and the severity of occurrence, underlying factors that may increase or decrease probability, and the true cost of recovery.
The new version of APT-styled ransomware forced insurance companies to abandon their old models. It is not possible to hedge cybersecurity insurance based on geographic diversity; on the Internet, we are all neighbors. With the spate of new cybersecurity insurance claims, insurance companies were (as per contract) obliged to pay claims in a manner they had never needed to before. Their profit margin decreased abruptly and significantly. They were forced to review their practices and began to deny claims.
There are three main points that I generally need to point out regarding cybersecurity insurance:
- First, there has never been a way to underwrite a company’s reputation. An underwriter would be unlikely to create such a policy, and if that were the case the premiums would be extortionate.
- Second, a claim of contributory negligence (where the policyholder’s behaviour contributed to the success of the cyberattack) could negate any potential claim payout.
- Third, acts of war are generally excluded from coverage. By its anonymous nature, it is very difficult to identify the source of an attack. If a government institution chose to label any specific attack as a “nation-state” in nature, insurance companies could invoke that clause to negate a potential claim payout.
In addition, insurance companies started to perform deeper investigations into the cybersecurity stance of potential policyholders. Due diligence that was previously cursory at best was now considerably more onerous. Insurance companies began to rely more heavily on sources of “external threat intelligence” that had scanned the vulnerabilities of external-facing Internet infrastructure, map it to specific companies and provide a scorecard.
Companies that had previously enjoyed relatively inexpensive cybersecurity insurance discovered that they did not qualify because they fell below a specific “score threshold” as stated by a third-party snapshot.
Some insurance companies have chosen to entirely leave the cybersecurity space.
So, in 2023, given this rather difficult situation, what is a company (i.e., the policyholder) to do? I have several specific recommendations to improve the chances that your organization will be able to obtain improved cost-effective cybersecurity insurance:
- Minimize your company’s direct external presence, especially all personally hosted applications and systems, to ensure that your external attack surface is as small as possible. This should specifically include mailservers and webservers.
- Require the use of multi-factor authentication (MFA) for all systems and user accounts. There is absolutely no reason that in 2023 the use of static usernames and passwords is acceptable for any external access.
- Ensure that all remote access is encrypted and effected through secure, audited, sanctioned, and modern means.
- Recognize what data is held and used within your organization. Critical data (including PII) will require stronger defenses and access control, so segregate and defend it as appropriate.
- Ensure that your data backup process is appropriate to the recovery needs of your company. Confirm that data backed up is encrypted and segregated. Regularly perform formal “spot tests” of partial restores to ensure data fidelity and integrity.
- Ensure that all systems are running a modern, regularly updated Endpoint Detection and Response (EDR) solution, regularly updated. Old-school (often “free”) antivirus solutions simply do not suffice.
- Decommission legacy software since vendors rarely continue to create security updates for outdated applications and operating systems.
- Conduct annual penetration testing engagements so you’re aware of your security gaps and vulnerabilities.
- Enable your employees to undergo Phishing and Security Awareness Training (PSAT) to build user resilience and ensure your employees can recognize the signs of advanced phishing techniques.
- Ensure that regular infrastructure vulnerability scans are performed against both the external and internal perspectives. Ensure that patches are tested and installed as per an agreed-upon and reasonable process as part of a comprehensive Vulnerability Management program.
- Build an in-house Security Operations Center (SOC), which can be cost-prohibitive to build, staff, and maintain. A better option may be to outsource SOC capabilities to an external service provider so you can defend your organization from known and unknown threats that can bypass traditional security technologies.
- Leverage a 24/7 multi-signal Managed Detection and Response (MDR) solution that provides proactive real-time threat detection, containment, and response against cyberattacks. Ensure that your MDR provider relies on a multi-signal approach that allows you to monitor your endpoints, network, log, and cloud environment. Constant security monitoring and rapid response capabilities provide the comfort that should an incident occur, dwell time will be limited, and lateral spread mitigated.
- Set aside time to prepare for the eventual attack by creating an Incident Response plan. Regularly (quarterly) run tabletop scenarios to encourage defensive muscle memory needed during an attack.
When you can document and demonstrate that you are taking reasonable and defensible steps to defend your organization, it should be considerably easier to obtain cybersecurity in this new age.
If you want to receive a more valuable and cost-effective policy, along with strengthening the technical stance of your environment, you will need to enter a deeper relationship with your insurance provider. It will be worth it and in 2023, it is necessary for your mutual benefit.
