In a recent panel discussion, Trisura’s manager of professional solutions, Angela Feudo, shared insight about the cyber trends and issues the industry is facing today.
This interview is part of a special report published by Insurance Business Canada. You can read the full report here.
IB | How would you describe the state of the Canadian cyber insurance market? (Rates, capacity, coverage limitations, new buyers etc.)
AF | The cyber insurance market has, for the most part, continued to tighten over the last year. There have been numerous carriers reducing their capacity, increasing rates, restricting terms and implementing tighter underwriting controls. While capacity contractions generally are becoming more common, there has been a focus on limiting network extortion. There continues to be an increased number of ransomware events, which has led to this response from the market. As both the frequency and severity of claims have increased, rates have also increased significantly to compensate. There has been a greater focus from insurers on their clients’ cyber risk management and security awareness. An increase in cyber security awareness and risk management will ultimately be beneficial for everyone. The awareness of cyber attacks has also brought an increased interest in cyber insurance. We are seeing more requests for cyber insurance from first-time buyers, as ransomware attacks are no longer viewed as just a large-organization concern. Smaller companies have become acutely aware that they too can be targeted.
IB | Ransomware is arguably the hottest topic in cyber insurance today. How have you seen the ransomware threat evolve in recent years, and where do you see this challenging risk headed?
AF | Ransomware has increased in the number of companies and the types of companies being compromised. Ransomware as a service has allowed for an increase in the number of individuals who can launch a ransomware attack. Threat actors no longer necessarily need to be technically skilled hackers to deploy ransomware, because it is now more accessible than ever to utilize. Individuals and organizations have become more cyber savvy in their defences against cyber criminals, and many have concentrated efforts and resources on creating, maintaining and encrypting backups, as well as focusing on their restoration processes. Due to these efforts, in the event that files were corrupted, companies didn’t necessarily have to pay the ransom. Threat actors have moved to engaging in double extortion, meaning that the hackers threaten to release private information if the organization doesn’t pay. Threat actors are also using distributed denial of service [“DDoS”] attacks on their victims to put pressure on them to pay the ransom. Hackers have expanded ransomware into a business model and will use the best method against the victim. This can include encryption, DDoS or the release of private information to cause the most disruption.
IB | Which industries are most exposed to cyber risk, and are these industries buying cyber insurance?
AF | Any individual and organization that uses the Internet is exposed! Some industries and businesses, however, may be at a higher risk. Historically, the focus has been on healthcare, government, utility companies, schools and financial institutions. This has not changed; today, these industries continue to be at a higher risk, for different reasons. The healthcare industry has many older legacy systems that go unpatched. That, coupled with holding patient records, makes them an attractive target. Government, financial institutions and universities also hold a lot of confidential information. The larger organizations in these industry groups have been buying cyber insurance for years. Now, the smaller companies are also purchasing cyber insurance more regularly. We have also seen an increase in claims in the manufacturing, professional services and construction spaces. While there has been an increase in cyber purchases in these additional spaces, there are still a lot of companies who do not purchase cyber insurance.
IB | How does the hardening market impact insurance brokers? What must they do in order to navigate this market successfully and secure the best solutions for their clients?
AF | The hardening cyber market has created additional challenges for brokers. With markets reducing capacity, brokers are left looking for replacement markets for those towers. It is now even more important for underwriters to clearly communicate their appetite to brokers, so they know who might be a viable option for their clients. Cyber is no longer just privacy based; for example, the exposure that a manufacturer has versus that of a law firm is very different. It is critical that insurers understand their client’s exposure in order to develop a trusted-advisor relationship with their client. It is important for brokers to stay on top of emerging cyber threats, as this will enable them to educate their clients on where the exposures are. A lot of markets are asking for more underwriting information; understanding where potential exposures lie allows markets to get ahead of risks and be proactive in preparing the necessary increased security measures. The better the controls a company has in place, the more likely it will be able to obtain better terms. Better controls are beneficial for the client, as their systems will be better protected from exposure. With the evolving digital landscape, it can be difficult to stay on top of the market, particularly if you are not a cyber specialist. Finding a specialist you can trust to help navigate the market will help.
IB | What are the most common cybersecurity attack vectors and breach methods?
AF | We are still seeing a lot of losses arising from either weak or compromised credentials. Usernames and passwords continue to be exposed in data leaks and phishing scams. When this type of information is stolen or lost, cybercriminals can easily access the company’s systems. If an employee uses the same password for both personal and business systems and the individual’s password gets compromised on their personal device, the hacker can use this opportunity to hack into the company’s system. Having good password hygiene, using multi-factor authentication or even biometrics can help combat this risk. Phishing continues to be a common method used by hackers, likely because it works. Cybercriminals are expanding on the methods they use in phishing; for example, during the pandemic, we’ve seen phishing scams where criminals imitate health organizations or use the guise of providing relief money. Continued employee training, phishing tests and employing the principle of least privilege for access to systems can help combat this risk.
It is important to also note that not all threats come from humans. Unpatched applications and servers are also a common vulnerability that can leave systems open to attacks. A good example of this is the January 2021 Microsoft Exchange Server attacks, which affected over 200,000 servers. Although patches were released by Microsoft in March, they did not retroactively remove any backdoors that might have been installed by hackers. Implementing software updates and installing patches as soon as they are available can help mitigate these vulnerabilities.
IB | In the growing threat landscape, what are some best practice cyber risk mitigation tactics that all companies (large and small) should implement?
AF | Cyber risk for both individuals and businesses has continued to increase since the inception of the internet. This will only continue to increase over time as we become more connected to the internet and cybercriminals find new ways to take advantage of vulnerabilities. Companies of all sizes are vulnerable to cyber attacks, and they should be taking steps to help mitigate those exposures. Human error still remains one of the top factors in cyber breaches, and so employee awareness training is key to help combat this risk. Multi-factor authentication is becoming a standard security measure that all companies should implement, because it improves a company’s security by adding an additional step that a cyber criminal would have to breach to gain access to a company’s system. Employing a patch management process allows you to keep your software functioning properly and maintain a good security posture, staying up to date with the most current security fixes to combat any known vulnerabilities in the software. Businesses should also have a current records management system, keeping only the records the company needs and getting rid of old data that is no longer useful. If you hold the record, you will need to protect it. If all else fails, it will be useful to have current backups of important data. Backup strategies will be different for each company, but the data in the backups should be current, encrypted and stored securely off-site.
IB | How has the COVID-19 pandemic impacted the cyber risk landscape?
AF | Since the COVID-19 pandemic started, we have seen cyber criminals take advantage of people working from home. A lot of businesses did not have systems or security designed to accommodate the majority of their staff in a work-from-home scenario. As a result, there has been an increase in phishing attacks and malware. Typically, devices at home are less secure, so multi-factor authentication, a focus on employee training and remote incident response plans are critical. COVID-19 has broadened the cyber attack surface for cyber criminals to take advantage of, due to the increase in employees working from home. Many businesses realized the increase in exposure and invested in IT and additional cyber controls to help manage this risk. It is also important to look to the future of post-pandemic business models. It is expected that more businesses will allow for a more flexible workplace, whether that be a full work-from-home model or a hybrid that could include desk sharing. Technology, security and employee awareness training plans will need to be updated to ensure the best cyber security hygiene is in place for an organization. It will also be important to refresh the organization’s incident response plan to reflect how the company is currently conducting its business and where its employees are located.
IB | What cyber risks are lurking on the horizon?
AF | Cybersecurity staffing shortages are a concern for businesses and the insurance industry. As the number of attacks grows and the demand for cybersecurity professionals increases, there has been a continued decrease in cybersecurity staff. According to an article from CNN, there are approximately 3.12 million unfilled positions globally. With unfilled cybersecurity positions, businesses are more vulnerable to breaches. Cybersecurity is a global concern not only because hackers can reside anywhere in the world, but also because they can use other companies’ systems to breach yours by utilizing DDoS, MITM (man-in-the-middle) attacks and cryptojacking techniques. Cybersecurity should be a group effort against cybercriminals. Additionally, as 5G continues to expand (it is faster and can support more devices than traditional networks), it will increase the cybersecurity risk, as there is much more software being used in the network and, therefore, the attack surface has expanded. The increased speed of 5G, while beneficial to users, can prove to be a challenge for cybersecurity professionals. With its ability to support more devices, 5G will allow for more IoT devices. Not all IoT devices are manufactured with security in mind. With billions of IoT devices connected, all with mixed security levels, there could potentially be billions of breach points.