A recent cyber-attack demonstrates a new approach to ransomware and is an example of how aggregation might occur in Cyber Risk Insurance (also called Data Breach, Privacy and Network Security insurance coverage). Ransomware has been effective for hackers, as noted in this InfoWorld article (see here):
The tremendous success of ransomware infections over the past year showed cybercriminals that holding data for ransom is the key to making money from online attacks. Ransom-based attacks are evolving, and if enterprise defenders aren’t careful, they are going to soon see more ransom notes popping up on their servers, databases, and back-end applications.
This recent attack has targeted unprotected databases hosted at an online database provider, and it appears that a large number of the databases have been stolen and the owners are being extorted. This attack is unprecedented in scale, and has a number of unique characteristics. According to Brian Krebs, Krebs on Security (see here), approximately 20,000-29,000 databases may have been stolen and are being held for ransom, and many of the owners may not even know the databases are (were) unprotected (essentially public). And because of the public aspect of the databases, some (many?) of the ransom demands may not even be from the original thieves.
According to Krebs, tens of thousands use the online database platform MongoDB and many leave their databases configured for public access without realizing it (an estimated 52,000 databases allowing for public access). Hackers have figured this out and replaced an estimated 20,000-29,000 databases with ransom notes. In addition, other hackers, who don’t even have the stolen databases, may have replaced some of the original ransom notes with their own to try and intercept payments.
DarkReading noted (here): The bad guys take over these accounts, upload the data on the databases, delete that data, and replace it with a ransom demand. As noted by Risk Based Security (see here), this is not the first time that hackers have attacked misconfigured online databases.
Ransomware is moving in a new, more expensive, direction. DarkReading: in the future we should expect to see a shift from high-volume attacks toward lower-volume attacks with higher ransom amounts.
There are a number of lessons for and possible impacts of Cyber Risk Insurance (also called Data Breach, Privacy and Network Security insurance coverage):
- A cyber-attack, or even a near miss, may prompt a business to (finally) purchase Cyber Risk Insurance.
- An attack like this, where a very basic security choice was not appropriately set, may motivate underwriters to tighten up underwriting or coverage, in effect eliminating coverage for this type of error.
- If a significant number of the owners of unprotected MongoDB databases already have coverage, it is conceivable that this could cause a material bump in Cyber Risk Insurance claims for one or more underwriters. Unlikely, but possible.
In addition, this is an example of how a cyber risk claim could result in aggregation, and in a different form of aggregation from what it typically contemplated (see here, here & here for more commentary on Cyber Risk Insurance aggregation). “Aggregation,” or “accumulation,” in insurance is the aggregation of losses through multiple policies from one event. In this case, it is conceivable that one underwriter might have many different insurance policies issued to users of MongoDB who maintained unprotected access to their databases and are victims of this attack. In effect, the underwriter could sustain multiple claims through multiple policies from the attack – sort of like a hurricane. Sophisticated models are being developed to help estimate an insurer’s exposure to aggregation from cyber risk, much like property modeling, so underwriters are better prepared.
Krebs points out, ironically on the day before this story broke, that there are a few “Immutable Truths About Data Breaches.” (see here) In summary, they are:
- If you connect it to the Internet, someone will try to hack it.
- If what you put on the Internet has value, someone will invest time and effort to steal it.
- Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it.
- The price he secures for it will almost certainly be a tiny slice of its true worth to the victim.
- Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”
Krebs imagines that there might be an alternative Cybercriminal Code of Ethics, which would end with:
If you can’t or won’t invest a fraction of what your stuff is worth to protect it from the likes of us, don’t worry: You’re our favorite type of customer!
Cyber Risk Insurance underwriters don’t want to cover insureds who do not take even basic steps to protect their systems and data, but coverage is widely available and is not expensive. Cyber Risk Insurance is an essential coverage for businesses to provide financial protection from all types of cyber exposures, including ransomware.
Tennant Risk Services is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance (E&O, D&O, EPL, Cyber Risk, Specialty). We excel at hard to place and complex accounts, particularly Cyber Risk Insurance and Technology E&O.
Comments