Vol: 44 Issue: 3 | Oct 2021
COVID-19 has transformed the way people all over the world live and work — and those changes have presented new and expedient opportunities for cybercriminals.
‘The greatest risk vectors are still phishing emails and ransomware,’ says Peter Bailey, general manager of Aura Information Security in New Zealand. ‘However, there are a lot more attacks, and criminals are extracting much greater sums of money from their victims.’
With more people working remotely, often using their own devices and on home networks, there’s less opportunity for businesses to monitor and mitigate cyber risks. Plus, employees working out of the office can’t as easily check that a manager’s email request — or a link they’ve been sent — is legitimate.
Bailey says that cybercriminals are now operating in a way that is akin to a traditional business model. ‘Cyber attacks used to be quite ad hoc. Now, criminals know what kinds of attacks work best and they’re looking for efficiencies,’ he explains. ‘Cybercrime has become commoditised. You don’t need to be a coder — you simply buy code online, or someone can run an attack as a service. Some cybercrime organisations even have contact centres to help victims of ransomware attacks pay their cryptocurrency ransoms.’
A particularly high-profile example of ransomware as a service (RaaS) was the hacking of United States oil pipeline company Colonial Pipeline, in May 2021. Criminal hacking group DarkSide gained entry into the networks of the nation’s largest fuel pipeline, causing major disruptions and fuel shortages for several days until the company paid the ransom of US$4.4 million in bitcoin. US authorities have since recovered more than half of the ransom.
Singapore-based Jennifer Tiang, Willis Towers Watson’s regional cyber leader in Asia, says companies also continue to be targeted by ransomware attacks through their supply chains — that’s when a threat actor infiltrates the system through an outside partner or provider that has access to the organisation’s systems or data.
‘This was the case with SolarWinds, a company that produces a network and applications monitoring platform called Orion,’ says Tiang. ‘A sophisticated hacker group produced and distributed trojanised updates to the software’s users, affecting upwards of 300,000 users.’
The SolarWinds incident, which began in early 2020 and went undetected for months, could cost insurers an estimated A$116 million in forensic and response costs alone, and many organisations affected by the attack did not have cyber insurance in place.
Marsh New Zealand’s head of cyber specialty, Jono Soo, points to new vulnerabilities via the Internet of Things (IoT) as a growing risk. ‘Cyber-physical risks are on the rise — in other words, the ability for a cyber incident to have physical, real-world consequences, such as property damage or bodily injury.’
Such was the case in February this year, when hackers attempted to poison the water supply of a city in Florida by remotely accessing a computer controlling the water treatment system and increasing the amount of sodium hydroxide.
The prevalence of cryptomining malware has also been on the rise for some time.
In 2018, a number of government websites in Australia, including the Victorian Parliament site, were the target of a hidden cryptojacking attack — and it’s a format that’s been increasing even more in COVID-19 times.
‘Cybercriminals access devices and mine for cryptocurrency,’ explains Susie Amos, a principal at Finity. ‘The motive is profit, but unlike many cyberthreats, cryptojacking is designed to stay completely hidden from the victim.’
Asia Pacific in the hot seat
According to Check Point Research, Asia Pacific experienced a 168 per cent year-on-year increase in cyber attacks in May 2021, with ransomware attacks alone increasing by 26 per cent in the first few months of this year.
Tiang says: ‘We’re a highly digitised economy, a manufacturing hub and centre of innovation. The APAC region leads in the IoT market and has pioneered the way for machine-to-machine technology. However, cybersecurity [in all senses of the word: people, processes and technology] is struggling to keep pace with these rapid developments.’
Tiang says a complicating factor is the risk culture in Asia, which generally veers away from disclosure and transparency.
‘Instead, the reported trend has been for organisations to keep issues in house and, for example, simply pay the ransom to avoid letting the problem become public knowledge. Having experienced a positive hit rate in Asia, hacker groups are increasingly targeting the region.’
Bailey points to a similar increase in cyber attacks on Australian and New Zealand businesses. ‘We believe it’s because both countries have been in the global news, talking about how well we’ve done during the pandemic,’ he says. ‘That’s brought us to the notice of cyber attackers, who say: “Their economies are doing well; let’s have a poke at them and see what happens.”
‘New Zealand businesses have started to realise that our geographical isolation makes no difference online. We are as vulnerable as any other organisation when we are on the internet.’
Bailey adds that while in 2016/17 the main targets of cybercrime were small businesses, criminals are now targeting larger organisations.
When it comes to the industries or sectors seeing the most attacks, Amos says: ‘The three industries that were targeted pre-COVID continue to be the prime targets now — health care, finance and education.’
‘Healthcare organisations have been a target for a long time,’ agrees Bailey. ‘They store personal data that’s interesting and valuable to cybercriminals because it can be sold on the dark web. By attacking healthcare organisations like the Waikato District Health Board in New Zealand and the Health Service Executive in Ireland, attackers stand to make a lot of money.’
Insurers step up
In response, cyber insurers are reviewing existing policies, repricing risk and offering new types of cover. Soo says: ‘Cyber insurers are urgently managing their capacity, appetite and premiums with a goal to achieve a more sustainable cyber market in the long term. What was a buyer’s market for a long while has quickly contracted.’
For insureds, that’s led to greater scrutiny around cybersecurity and bigger costs.
‘Premiums have increased by 20 to 40 per cent in Australia, with even higher increases globally,’ says Amos. ‘Next year, I expect that some players will struggle to get cyber cover.’
Tiang says insurers are approaching risks with far more due diligence in their underwriting, and are operating with stricter pricing and retention guidelines.
‘Insurers will now avoid risks if poor cybersecurity maturity is evident — that is, where it is perceived that a baseline of cybersecurity is not being achieved,’ she says. ‘For example, we are now seeing insurers decline cover if a company cannot confirm there is multifactor authentication for all remote access to corporate resources. This is due to the high claims frequency they’re witnessing due to weak authentication protocols.
‘It is also now commonplace for an insurer to decline providing terms if there is an insufficient amount of underwriting information put forward.’
Further, Soo says ‘insurers require comprehensive detail around cyber risk management controls, in particular incident response plans and overall business continuity, before agreeing to provide or renew cover, especially for high-risk industries and sectors’.
Insurers may also be in a position to help clients mitigate cyber risk. ‘We are aware that some insurers are using ongoing scanning technology that can proactively detect issues in an insured’s network,’ says Soo. If insurers pick up early warning signals, they can notify the policyholders so they have the chance to stop a potential cyber incident in its tracks.
Separating cyber cover
Amos says many insurance policies that businesses take out have traditionally provided some ‘silent’ cyber coverage, so there has been a lot of cyber risk sitting in existing cover.
‘Insurers in Australia and New Zealand have been slow to separate out cyber cover as an explicit policy, but they are starting to do that now,’ she says.
‘They have been making clear changes in the most recent renewal period, with lots of thought going into policy wording and containing risk.
‘Cybercrime is constantly evolving. But while the risk vectors may change, insurers can focus on mitigating the outcomes of a cyber attack, such as business interruption. Changes in the frequency and severity of cyber incidents should flow through to the pricing and underwriting responses.’
Apart from the familiar cyber insurance policies for businesses, Amos says a number of insurers have launched personal cyber insurance products, including cover for cyberbullying (for instance, to pay for therapy and economic losses). Other insurers have included cyber cover in their home insurance policies, largely because of the interconnectivity of IoT devices.
With the Asia Pacific still firmly in cyber attackers’ sights, 2021 is not the time to be complacent about your cybersecurity, warns Bailey.
‘Many organisations moved to a mixed-model workforce as a result of COVID-19, with some employees in the office and some working remotely,’ he says. ‘If you didn’t have time to assess your cybersecurity at the start of the pandemic, go back and do it now. Then, revisit it at least every 12 months, looking at your tools, your patches, your staff education — and identify the gaps. Cybersecurity can never be a set-and-forget.’
The top three industries that have seen the largest increases in cyber attacks this year are:
- utilities ― up 39%
- internet service providers / managed service providers ― up 12%
- software vendors ― up 6%
Source: Check Point Research, May 2021
Stand and deliver?
In May 2021, AXA said it would stop writing cyber insurance policies in France that reimbursed customers for extortion payments made to ransomware criminals. Will this dissuade cybercriminals or just add insult to injury for the ransomware victims?
‘No-one wants to encourage or reward criminal behaviour, but we also need to consider the practicalities,’ says Susie Amos, a principal of Finity.
‘The aim of insurance is to prevent businesses from collapsing in the event of an incident. That could occur if there is a ransomware attack and the organisation isn’t set up to run from its back-up systems, or it can’t risk data being published or sold.
‘However, if ransomware attacks are frequent and severe, ultimately insurers are within their rights not to offer coverage.’
Jono Soo, Marsh New Zealand’s head of cyber specialty, says: ‘The fight against ransomware could be reaching a tipping point. The US Government has been considering both military and diplomatic options to respond to the problem and to seek out those behind the attacks.
‘It will require a co-ordinated, government-led approach in conjunction with the private sector to potentially turn the tide against ransomware attacks.’