How to underwrite 2019's emerging cyber risks
At-Bay offers advice for underwriting such emerging cyber threats as spear-ransomware and cryptomining malware.
Every year, At-Bay’s security research team shares predictions for cyber insurance loss in the following year, and how to adjust and focus the underwriting organization.
Last year, we predicted a shift in ransomware: from generic, small-exposure attacks to tailored, high-exposure attacks. We have been proven right, as generic ransomware declined by 30% in 2018, according to Kaspersky.
On the other hand, two targeted ransomware campaigns, SamSam and Ryuk, sprang up in 2018, going after the critical assets of large organizations and demanding very high ransoms.
What will be our main underwriting focal points in 2019? Here is how we plan to handle underwriting for mid-market companies ($100 million to $5 billion in revenue) this year:
The rise of ‘spear-ransomware’
Just as phishing evolved into spear-phishing, targeted, sophisticated, high-ransom attacks will have a higher impact on loss than generic endpoint ransomware. With endpoint ransomware, the cost of remediation is often low and to a large extent covered by retentions. Spear-ransomware targets operational technology or centralized services that can bring a company to a halt. Not only are the ransom demands 1,000 times higher, the cost to remediate and the loss of productivity can be crippling. The $300 million in damages sustained by Maersk and FedEx from NotPetya in 2017 created a blueprint that the attackers behind Ryuk are now exploiting, for example when hitting the Los Angeles Times.
How to underwrite: Identify which organizations have meaningful operational technology or centralized operating services (e.g. ERP systems), and also have vulnerabilities to hacking (for example, running vulnerable web servers) or to social engineering (for example, weak email protection technology and no anti-spoofing configuration, i.e. no SPF, DKIM or DMARC enforcement).
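The anti-spoofing check above can be automated from public DNS alone. The following is an added example (not At-Bay's underwriting tooling, which the article does not describe) that grades a domain's SPF and DMARC records the way an underwriter's external scan would: a missing or permissive SPF record, a `p=none` DMARC policy, a partial `pct`, or no reporting address each become a finding, and `spoofable()` answers the single question that matters for phishing exposure. The three domains and their TXT records are constructed fixtures; `make_lookup` wraps a dict so the code runs offline, and a real resolver can be swapped in with the same `lookup(name) -> [str]` signature.

```python
import re

# Constructed TXT records for three hypothetical domains (not real DNS lookups).
SAMPLE_TXT = {
    "good.example":        ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example":        ["v=spf1 include:_spf.example.net +all", "v=spf1 -all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "none.example":        [],
    "_dmarc.none.example": [],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a(?=[:/]|$)|mx(?=[:/]|$))", re.I)

def make_lookup(table):
    """Return lookup(name) -> [TXT strings] backed by a dict (swap in a real resolver)."""
    return lambda name: table.get(name.lower(), [])

def parse_dmarc(record):
    """'v=DMARC1; p=none; pct=50' -> {'v': 'DMARC1', 'p': 'none', 'pct': '50'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(records):
    """Findings for a domain's SPF records; an empty list means SPF looks enforced."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; any host can send as this domain without failing SPF"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records is a permerror; receivers ignore SPF entirely"]
    findings = []
    terms = spf[0].split()
    tail = terms[-1].lower()
    if tail in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every host on the internet")
    elif tail == "?all":
        findings.append("SPF: '?all' is neutral; spoofed mail does not fail SPF")
    elif tail not in ("~all", "-all") and not tail.startswith("redirect="):
        findings.append("SPF: no terminal 'all' mechanism; result defaults to neutral")
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        findings.append("SPF: more than 10 DNS lookups; evaluates to permerror")
    return findings

def assess_dmarc(records):
    """Findings for the _dmarc TXT records; empty means quarantine/reject on all mail with reporting."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no record; SPF/DKIM failures carry no policy, so spoofing is not blocked"]
    if len(dmarc) > 1:
        return ["DMARC: multiple records; receivers treat this as no policy"]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; record is ignored")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; nobody sees who is spoofing the domain")
    return findings

def assess_domain(domain, lookup):
    """Combine SPF and DMARC findings for one domain."""
    return assess_spf(lookup(domain)) + assess_dmarc(lookup("_dmarc." + domain))

def spoofable(domain, lookup):
    """True unless one valid DMARC record enforces quarantine/reject on 100% of mail."""
    dmarc = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        return True
    tags = parse_dmarc(dmarc[0])
    return tags.get("p", "").lower() not in ("quarantine", "reject") or tags.get("pct", "100") != "100"

if __name__ == "__main__":
    lookup = make_lookup(SAMPLE_TXT)
    for d in ("good.example", "weak.example", "none.example"):
        print(d, "spoofable" if spoofable(d, lookup) else "enforced", assess_domain(d, lookup))
```

DKIM is deliberately left out: its selector names are not discoverable from outside without seeing the domain's mail, so an external scan can only judge SPF and the DMARC policy that ties SPF and DKIM results to an action.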
CryptoJacking will go after your IoT
Cryptomining malware was the most underrated story of 2018. According to Kaspersky, cryptojacking grew by over 40% in 2018, becoming the number one attack in most countries. Its rise is directly related to the decline of ransomware: attackers realized people are not paying ransoms and decided instead to use victims' computers to mine cryptocurrency for them.
The principle of this attack is straightforward: the more machines attackers can control, and the longer they can control them, the more cryptocurrency they can mine. That is why, toward the end of 2018, we saw attackers starting to go after IoT devices. A good example was the attack on MikroTik routers that hit over 200,000 routers in August 2018.
It makes sense: there are far more IoT devices than desktops, and they are far less protected. Why is this bad for insurance? IoT is not well monitored or controlled. It is also a nightmare for incident response work.
How to underwrite: Identify IoT systems in the underwriting process, and determine whether your coverage of them is explicit or hidden under a business interruption (BI) policy. Also, make sure you price for it. (Side note: if your network security and BI base rates are still a derivative of your data privacy rating, here is another great reason to move to independent modelling.)
EternalBlue is still a HUGE deal
It has been 18 months since the Shadow Brokers leaked NSA cyberattack tools (EternalBlue was the most important one), which gave rise to WannaCry, NotPetya and other malware. These tools are incredibly powerful because they exploit a flaw in a ubiquitous file-sharing protocol (SMBv1; the EternalBlue bug is CVE-2017-0144, fixed by the MS17-010 patch), and they are wormable: they spread quickly from one victim to the next without any user interaction.
Even though it has been 18 months, many organizations have still not patched their systems, and attackers are still wreaking havoc in mid-market businesses across the country by leveraging EternalBlue. For example, Malwarebytes found that two malware families exploiting EternalBlue infected over 11,000 enterprises in the US in December 2018 alone.
How to underwrite: Don't sell insurance to companies that are still vulnerable to the EternalBlue exploit until they fix it (apply MS17-010 and stop exposing SMBv1). It's as simple as that. Exposure to these exploits can be detected from the outside by automated scanners; these companies are waiting to get hacked.
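To show what "detected from the outside" means in practice, here is an added example (not At-Bay's scanner or any tool the article names) that speaks just enough SMB1 to tell whether a host reachable on TCP/445 still accepts an SMB1 NEGOTIATE, which is the precondition EternalBlue needs, and whether the server requires SMB signing. It does not prove the host is unpatched: a definitive MS17-010 check sends a follow-up transaction after negotiation (nmap's `smb-vuln-ms17-010` script does that), so `probe_smb1` is the triage step that an underwriting scan would run first. The `constructed_response` bytes are a hand-built fixture, not captured traffic, and `probe_smb1` should only be pointed at hosts you are authorized to scan.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = (b"NT LM 0.12",)  # SMB1 only: with no "SMB 2.???" entry an SMB2-only host cannot upgrade the reply
# SMB1 header: Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
HDR = "<4sBIBHHQHHHHH"

def build_smb1_negotiate(dialects=DIALECTS):
    """SMB1 NEGOTIATE request (MS-CIFS SMB_COM_NEGOTIATE) inside a NetBIOS session header."""
    header = struct.pack(HDR, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0, 0, 0, 0, 0xFEFF, 0, 0)
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # each dialect: 0x02 + name + NUL
    smb = header + struct.pack("<BH", 0, len(data)) + data     # WordCount=0, ByteCount, dialects
    return b"\x00" + len(smb).to_bytes(3, "big") + smb         # NetBIOS session message + 3-byte length

def _no_smb1(note):
    return {"smb1": False, "dialect": None, "signing_required": None, "note": note}

def parse_negotiate_response(raw, dialects=DIALECTS):
    """Classify the server's reply to build_smb1_negotiate()."""
    if len(raw) < 4 or raw[0] != 0x00:
        return _no_smb1("no NetBIOS session reply (SMB1 disabled, connection reset, or port filtered)")
    smb = raw[4:4 + int.from_bytes(raw[1:4], "big")]
    if smb.startswith(SMB2_MAGIC):
        return _no_smb1("server answered in SMB2; SMB1 was not negotiated")
    if len(smb) < 35 or not smb.startswith(SMB1_MAGIC) or smb[4] != SMB_COM_NEGOTIATE:
        return _no_smb1("unexpected reply, not an SMB1 NEGOTIATE response")
    status = struct.unpack_from("<I", smb, 5)[0]            # NT status follows the 4-byte magic and command
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]   # index into our dialect list; 0xFFFF = none accepted
    if status or word_count < 1 or dialect_index >= len(dialects):
        return _no_smb1(f"SMB1 NEGOTIATE refused (status=0x{status:08x}, dialect index 0x{dialect_index:04x})")
    # NT LM 0.12 reply carries 17 words; SecurityMode is the byte after DialectIndex, bit 3 = signing required
    signing_required = bool(smb[35] & 0x08) if word_count >= 17 else None
    return {"smb1": True, "dialect": dialects[dialect_index].decode(), "signing_required": signing_required,
            "note": "SMB1 accepted; host still needs the MS17-010 vulnerability check"}

def probe_smb1(host, port=445, timeout=3.0):
    """Run the check against a live host you are authorized to scan (not used by the offline demo)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return parse_negotiate_response(s.recv(4096))
    except OSError as exc:  # reset or timeout: current Windows drops SMB1 negotiates outright
        return _no_smb1(f"no reply: {exc}")

def constructed_response(dialect_index=0, security_mode=0x03):
    """Test fixture: a hand-built SMB1 NEGOTIATE reply, not captured from a real server."""
    header = struct.pack(HDR, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC853, 0, 0, 0, 0, 0xFEFF, 0, 0)
    if dialect_index == 0xFFFF:                      # server accepted no dialect: WordCount=1, ByteCount=0
        body = struct.pack("<BHH", 1, 0xFFFF, 0)
    else:                                            # NT LM 0.12 reply: 17 words, then an 8-byte challenge
        params = struct.pack("<HBHHIIIIqhB", dialect_index, security_mode, 50, 1, 16644, 65536,
                             0, 0x8000E3FD, 0, 0, 8)
        body = struct.pack("<B", 17) + params + struct.pack("<H", 8) + b"\x00" * 8
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    print(parse_negotiate_response(constructed_response(0, 0x03)))  # SMB1 on, signing optional
    print(parse_negotiate_response(constructed_response(0, 0x0F)))  # SMB1 on, signing required
    print(parse_negotiate_response(constructed_response(0xFFFF)))   # SMB1 refused
```

A host that comes back `smb1: True` on an internet-facing address is the profile the paragraph above describes, whether or not the MS17-010 patch is installed: SMBv1 exposed to the internet has no business being in a 2019 book.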
Windows 10 stands out, Office 365 gets worse
Malware infection via phishing emails is one of the most common attack vectors and advanced endpoint protection can be a very effective counter measure.
Windows 10 is expected to bring advanced endpoint protection to all endpoints by default in 2019. This is highly impactful for the mid-market, where businesses often don't have the budget or awareness to purchase great endpoint protection. It follows that having advanced protection by default in the operating system will be a huge boost to security.
Office 365 can be incredibly secure if configured properly. However, the default installation is not secure at all, and many organizations unintentionally weaken their security settings when migrating from on-premises Office to Office 365. As a result, we have seen Office 365 targeted by hackers and significantly over-represented in incidents. While Microsoft is making an effort to raise awareness of Office 365 security settings with its Secure Score and recommendations, it is not enforcing them, and therefore we expect Office 365 to continue to experience a higher frequency of incidents than alternatives.
How to underwrite: Identify which operating systems your customer is using, adjust pricing accordingly and recommend they move to Windows 10. Do the same for Office 365: increase the price for coverages that are highly impacted by email attack vectors, and recommend that your client harden the default Office 365 security settings. Microsoft offers this tutorial.
GDPR penalties will make the exposure real
Big GDPR penalties will make this new exposure a reality. Whether explicitly or silently, most policy forms cover GDPR penalties, but few underwriters adjust meaningfully for this exposure. The main issue is that more and more cyber underwriting is done by following a pricing table without meaningful analysis.
How to underwrite: Identify the global geographical footprint of the digital assets of a company, as well as of its users, and adjust your rating accordingly.
Rotem Iram is the founder and CEO of At-Bay (formerly Cyberjack). He can be reached by sending email to rotem@at-bay.com. These opinions are his own.
Also by this writer: WannaCry and the dawn of large-scale business interruption