Cyber insurers weigh in on latest cybersecurity trends, threats
The numbers speak for themselves: more companies are opting in for cyber insurance coverage than ever before. According to the U.S Government Accountability Office, the rate of businesses purchasing cyber insurance has doubled in recent years, from 26% in 2016 to 47% in 2020.
That increase has given experts at insurance firms unique insight into cybersecurity trends and the vulnerabilities that are plaguing businesses the most — they get a behind-the-scenes look at attacks whenever a customer files a claim.
Tommy Johnson is a cybersecurity engineer at cyber insurance firm Coalition, a firm with about 160,000 customers and backing from insurance giants like Allianz, Lloyd's of London, Swiss Re and more.
Isabelle Dumont is a vice president at cyber insurance provider Cowbell Cyber, a newer firm focused on serving small and medium-sized businesses. Both chatted recently with The Record to share their key takeaways from recent cyber insurance data as the industry continues to expand.
Remote Desktop threats
Remote Desktop Protocol (RDP) attacks continue to be a prevalent tool for hackers, and have led to a substantial amount of claims for insurers.
“Technology gets deployed to improve the business without any security consideration,” Dumont said, including RDP.
Throughout 2020, Coalition identified a large number of claims arising from threat actors who were able to compromise RDP, which allows remote access to workplace resources.
While many organizations use Virtual Private Networks (VPNs) to protect against RDP attacks, Johnson said the vulnerabilities affecting the VPN architecture of SonicWall in 2021 left dozens of organizations around the world defenseless.
Threat groups quickly exploited the vulnerabilities, with Coalition seeing a 123% increase in claims frequency related to the exploitation of RDP and significant losses among businesses big and small.
“Due to the ephemeral nature of the [RDP], it can be difficult to manage the risk from an insurance and scanning standpoint. We have seen companies open RDP intermittently to haphazardly administer machines, and threat actors take advantage. We continue to send the message that exposing RDP comes with critical risks, but sometimes these warnings fall on deaf ears,” Johnson said.
Case in point: this March, Coalition saw a claim where a company used RDP for its call center in Southeast Asia, which threat actors exploited in order to deploy ransomware.
Ransomware, business email compromise and phishing
Ransomware continues to have a dramatic effect on cyber insurance claims, according to Dumont and Johnson, driving costs upwards for companies.
Johnson said the average ransom demand made against their policyholders increased by one-fifth in the latter half of 2021, while the number of claims increased 10%.
Coalition did not find that any industries in particular stand out as targets of ransomware groups. Rather, Johnson said, threat actors are interested in exploiting insecure technologies organizations use, regardless of sector, or the employees themselves.
“With ransomware, cybercriminals are no longer focused only on stealing data that can be sold on the dark web. Ransomware attacks give them a means to target any business sector to receive a ransom payment,” Dumont said.
One of the keys to a successful ransomware response, according to Johnson, is the use of offline backups, which gives users the option to restore their system without paying a ransom.
In February, Coalition dealt with two companies attacked by the Hive ransomware group.
“The key difference is one company was able to restore from offline backups, and the other had to pay the full ransom,” he said. “The difference between the two claims is a stark $460,000 — a substantial sum of money.”
While ransomware and business email compromise garner a lot of attention, Coalition found that phishing remains the primary attack vector for nearly half of all claims.
Microsoft Exchange and Log4j
The number of attacks that resulted from exploit of internet-facing applications or the supply chain dropped, Johnson explained. Yet even so, certain vulnerabilities remained an issue and dominated the data.
Microsoft Exchange especially remains an avenue for exploitation.
“Microsoft Exchange has proven to be a long-tail threat because Exchange is more than email — it's tightly coupled with calendar functions, and that's critical for many organizations,” Johnson said.
First disclosed by Microsoft in early 2021, attacks on Exchange email server arise from four vulnerabilities that can be chained together, providing attackers a way to authenticate on Exchange servers as an admin user and to then install malicious programs.
“The initial vulnerability we detected with Exchange impacted roughly 1,000 policyholders,” Johnson said. “Within a week of the March 2021 disclosure, our team at Coalition notified and remediated the vulnerability for 98% of our affected policyholders. However, additional Exchange vulnerabilities continue to surface.”
The problem was so severe that Coalition developed a scanning engine that can determine which version of Exchange is running in a system, the exact patch level and which outstanding vulnerabilities remain.
The company now notifies policyholders in real-time when there is a new patch.
Another issue Dumont identified was the use of open source components “without deploying a rigorous patch management process,” like Log4j, a vulnerability that affected multiple policyholders.
Johnson told The Record that throughout 2022, Coalition has seen some adversary activity against VMware Horizon, using the Log4j vulnerability to deploy ransomware and target any backups that would allow for restoration of the device.
This attack has been devastating to organizations unprepared for it, because companies that employ VMware Horizon expose it on the internet to allow their distributed workforce to connect to their work machines, he added.
For 2022, Coalition’s claims data suggests that small- and medium-sized businesses suffer ransomware events far more frequently than larger accounts. The second half of 2021 saw a 40% increase in ransomware attacks on organizations under $25 million in revenue, compared to the start of the year, and a 54% spike in incidents related to the compromise of business email.
This February and March, all but one of Coalition’s reported ransomware claims came from their small- and medium-sized enterprise program.
Data shows that the groups behind ransomware attacks have no qualms about attacking any sector.
“Cyber criminals are opportunistic, particularly when it comes to small and midsize organizations, and the technology and processes that organizations use are far more key to their risk than what their industry is,” Johnson said. “No company is too small to be an enticing financial opportunity for attackers.”
Still, Johnson said, some industries have experienced notable increases in claims in the past year. There was a 40% increase in claims severity in the second half of 2021, compared to the first, for consumer staples businesses, and nearly a one-quarter spike in claims severity for energy-related firms.
He added that small businesses typically lack dedicated IT or security staff, leaving patch management in limbo and incident response plans unfinished.
Dumont noted that in recent months, more companies have begun to take a business-like approach to cybersecurity due to processes mandated during the insurance process.
Risk assessments are now required by many cyber insurance providers. Dumont said part of what helps lessen the severity of attacks for some companies is preparation, using resources provided by insurance firms.
“It is important to keep in mind that immunity against cyber attacks does not exist,” she said. “100% of businesses, regardless of size and industry, can be faced with a cyber incident.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.