☰ Navigation

1-888-643-2217 Email ABEX
Keeping you updated

Category Archives: Cyber Risk Management

Cyber Lessons from the Ashley Madison Affair

Posted on by

A new Netflix series has revived one of the most controversial cyber attacks in history, serving as a stark reminder of the data privacy issues faced by consumer technology companies—the Ashley Madison data breach.

It’s hard to convince people to hand over their personal data without assurances it will be kept safe; something the founders of infamous dating website Ashely Madison were well aware of.

A website for infidelity and married dating, Ashley Madison promised anonymity and privacy for its millions of users, billing itself as ‘100% discreet’. To access its services users handed over personal information including their names and email addresses, their privacy concerns no doubt eased by the dating website’s message of discretion and security. Except in the world of cyber, every business is at risk—particularly those that hold extremely sensitive, personal information.

In 2015 the worst happened; hackers under the name Impact Team infiltrated Ashley Madison’s systems and threatened to release details of its entire user base to the public. In what can be described as a moral attack, Impact Team demanded the owners of Ashley Madison and its companion site to take both websites offline. The owners refused to comply, and the hackers made good on their threat by publishing the stolen data online.

Navigating the fallout: An alarm call for all tech companies
Almost a decade on, the impact of this data breach is more relevant than ever. As portrayed in the popular Netflix docuseries, the hack disrupted the lives of many of its victims, leading to resignations, divorces and, tragically, suicides.

While names and email addresses are not typically classified as highly sensitive, the nature of the website in question placed greater weight behind the need for privacy. Even users who took precautionary measures when signing up to Ashley Madison, such as using fake names and phone numbers, found themselves exposed as Impact Team published credit card details—with other users able to be identified through data such as their height, weight or personal preferences on the site.

It didn’t take long for cybercriminals belonging to other threat groups to take advantage. Sextortion refers to a highly personalized extortion scam, where the threat actor emails individuals their data from a data breach and claims to possess personal videos or photos which they will distribute unless a ransom is paid. The Ashley Madison breach was the perfect breeding ground for this type of attack, with many of its victims being targeted even 5 years after the breach—not only resulting in the stress of managing a ransom demand, but resurfacing the scandal as a whole.

This entire episode raises critical questions for all types of business—not least tech companies storing user data. Do you manage, store and use data? Are you following the privacy laws? Can you do more to keep data safe?

Cyber security: Why it should be top of the agenda
Unfortunately where user data is concerned it’s easy to run into trouble. Earlier this year company review site Glassdoor was found to have attached real names to profiles without the user’s consent. Again, names are not considered sensitive data. But the context of the website makes this data more sensitive, as users may fear retaliation from an employer should they be identified. While Glassdoor claimed that users can choose to remain anonymous, since the website now requires and stores the names of all users, a data breach could see them being linked to their reviews.

This data risk is everywhere. Grindr, a dating website for the gay, bi, trans and queer community, allows the option for users to share their HIV status with other users. While this is a fundamental step in creating a safe community, it’s not information the that user would necessarily share beyond that context. Grindr are currently facing litigation from hundreds of users alleging the company shared their private information, including their HIV status, with third parties without consent.

Like Ashley Madison, all platform and tech providers that hold personal or sensitive information on clients come with significant cyber risk. These companies need to be incredibly mindful of how they collect, store and use information, following data privacy laws and giving customers confidence that data privacy is a priority.

Mitigating cyber risk: Steps for today’s tech companies
Who can say how many companies that store data know how to protect that data. What’s certain is that cybercriminals are becoming increasingly cunning in their tactics, able to steal vast volumes of data at rapid speed and at big consequences. Ashley Madison faced no financial ransom given the moral motive, yet the majority of data breaches do culminate in a hefty demand. This alone can be a huge burden for any business working alone to bear, and when you consider the additional costs that come with a cyber incident—remediation and recovery, restoring data, legal fees, reputational harm, business interruption and so on—it’s no surprise that for some businesses there’s no coming back.

Data breaches are of course just one type of cyber incident. High-profile cases like the Ashley Madison hack demonstrate this risk, however it’s vital that businesses understand the full picture of cyber risk—with ransomware, social engineering and theft of funds attacks growing in frequency and severity—and take steps to protect themselves and their customers.

That’s why comprehensive cyber cover is a vital part of risk management for all technology companies. If you’re responsible for large amounts of data, including third-party data, cyber insurance can offer robust network and privacy liability protection, also providing cover for a wide variety of cybercrime events. More than that, the best policies also come with cyber security and incident response services that can stop cyber incidents from happening in the first place.

Source: www.cfcunderwriting.com

Five Reasons to Buy Cyber

Posted on by

Making the case for cyber insurance can be tough even if it’s clear that nearly all companies would benefit from it. So to help your conversations, CFC has put together the top five reasons to buy cyber.

Here are the top five reasons every business should have a cyber insurance policy.

Cyber security and incident response services come free
Cyber insurance doesn’t just cover financial loss when an incident occurs. A good policy offers proactive protection to stop attacks from happening in the first place, and reactive support to respond efficiently and effectively when they do occur.

From the moment a CFC cyber policy is bound, their global team of cyber experts works around the clock to detect and alert customers to cyber threats targeting their business. If they discover a cyber security issue, their team notifies the impacted business through their app, Response, and takes steps to remediate the threat before it escalates.

The value these services offer to small businesses in particular might just be the greatest benefit a cyber policy can provide.

Cybercrime is growing rapidly
Our increasing reliance on technology and the internet is exposing any business that uses a computer to a world cybercriminals—who work around the clock to identify vulnerabilities and launch attacks. You’ve likely heard of ransomware, but social engineering scams are also on the rise, leading to significant losses for companies of all types.

At the forefront of protecting against this new wave of crime, cybercrime provides invaluable cover for a wide range of electronic perils, from wire transfer fraud to ransomware.

System downtime is missed by standard business interruption insurance
When computer systems are brought down, a traditional business interruption policy is unlikely to respond. Considering how almost all businesses rely on technology to some extent, this can result in significant financial loss the business has to bear alone.

Cyber insurance can provide cover for loss of income and extra expenses associated with a cyber event, including legal fees, the cost of remediating the incident, the hiring of expert teams, reputational harm and so on.

Your data is not covered
Data is one of today’s most important business assets, often worth many times more than the equipment it’s stored upon. Yet business owners are often unaware that a standard property policy would not respond if data is damaged, lost or destroyed.

Taking out a cyber policy is a great way to get comprehensive cover for data restoration and even re-creation in the event of a loss.

Complying with breach notification laws cost time and money
Breach notification laws are now commonplace across many territories, and require businesses that fail to protect personal data to notify affected individuals or risk hefty fines and penalties. Australia’s Notifiable Data Breaches Act, Canada’s Digital Privacy Act, Europe’s General Data Protection Regulation, and numerous US state laws make it a legal obligation to notify, and there is also a growing trend towards voluntary notification in order to protect your brand and reputation.

Cyber policies can provide cover for the costs associated with providing a breach notice even if it’s not legally required, and can also cover associated regulatory fines and penalties.

Source: www.cfcunderwriting.com

Six Things Successful Cyber Brokers Know

Posted on by

The case for cyber insurance gets stronger by the day, as cyber incidents grow in cost, cyber attacks become more frequent and cyber policies offer more innovative and effective services. But cyber is still a new market. Businesses often aren’t aware of their cyber risk or the role cyber insurance can play in protecting them. So how can you educate your customers about cyber?

CFC sat down with some of their top-performing cyber brokers to discover their secrets to success. Here are six things they say every broker selling cyber should know:

  1. How to explain cyber exposure simplySince lots of businesses are new to cyber, jumping straight into granular detail can feel unrelatable and unconvincing. Businesses don’t need to know the difference between the Cobalt Strike infection and the Log4Shell vulnerability. They care about how they’re at risk, the potential consequences of that risk and how they can prevent it. So stick to the basics and avoid unnecessary jargon.

    It helps to ask the right questions. What cyber security practices do you have in place? Do you consider data privacy? Have you been impacted by a cyber attack before? Your client’s answers will paint a picture of their cyber exposure, so they can understand their risk and how cyber insurance is here to help.

    And there’s nothing better than a strong statistic to back up your points—did you know 72% of businesses worldwide have been impacted by ransomware in 2023?

  2. Key factors that influence the priceCyber insurance provides great value for businesses big and small, but in many circles its cost is a topic of discussion. Those new to cyber may point to the price of cyber insurance coming close to more traditional lines, so it helps to know the three big factors that influence the cost:

    1.    Cyber incidents, particularly against SMBs, are the top business risk for the fifth year running
    2.    The average cost of a cyber claim is significant
    3.    Today’s cyber policies offer sophisticated technical services that would be too pricey for SMBs to get on their own

    Learn more about why cyber insurance is a great investment for any business, plus a breakdown of cyber incident costs, in this quick read.

  3. How to handle these top objections“I already invest in cyber security.”
    Cyber insurance provides a different service to cyber security, it’s not a question of either/or. Good policies will support the business’s internal IT team or external managed service provider with an expert incident response and business recovery team, while being there to cover financial loss if the worst happens.

    “Cyber attacks only affect big businesses.”
    While it’s attacks on household names that make the news, any business can find itself hit by a cybercriminal. And since smaller businesses tend to have less mature cyber security practices in place, cybercriminals often see them as the more attractive target.

    “We don’t collect sensitive data.”
    Two of the most common and costly cyber attacks we see are actually ransomware and funds transfer fraud, which aren’t necessarily aimed at stealing data. The cost to contain threats, repair networks and restore business operations—or to recover stolen funds—are the insured’s biggest worry. Thankfully, both types of incident are covered under CFC’s cyber policy.

    Use this checklist to find answers for more common objections.

  4. Security assessments don’t tell the full storyBusinesses often use third-party risk reports and vulnerability scans to evaluate their cyber risk. While these assessments give a good snapshot of network health at a specific time, IT environments can change any day. This means assessments don’t reveal much around the level of security across a network, potentially presenting a far more positive picture than is the case.

    Fully understanding when and how risk reports are beneficial will help your clients understand their risk and purchase the correct coverage. We explain risk reports in more depth here.

  5. Good policies offer proactive and reactive servicesCyber insurance doesn’t just cover financial loss when an incident occurs. A good policy offers proactive protection to stop attacks from happening in the first place, and reactive support to respond to the incident efficiently and effectively.

    From the moment a CFC cyber policy is bound, their global team of cyber experts works around the clock to detect and alert their customers to cyber threats targeting their business. If they discover a cyber security issue, their team notifies the impacted business though their Response app, and takes steps to remediate the threat before it escalates.

    The value these services offer to small businesses in particular might just be the greatest benefit a cyber policy can provide.

  6. The perfect analogy that shows the true value of cyberTaking out property insurance in case of a fire is seen as standard practice. Alarms and sprinklers can reduce fire damage, but they can’t remove the possibility of you facing a costly bill and business interruption. It’s the same principle for cyber.

    The most advanced cyber security available can still get caught out by a new vulnerability or threat. Without cover, the impacted business won’t receive support in their incident response and recovery, and it’ll bear the financial burden alone.

    CFC’s cyber policy is the full package. For a smoke alarm they offer proactive cyber attack prevention, for a sprinkler system the largest in-house team of incident responders in market. And at the end they cover any damage and loss of income, helping policyholders get back on their feet.

With today’s cyber policies broadening their cover and protection, and cyber risk escalating at an alarming rate, cyber insurance is set to play a bigger role than ever before. By helping your clients to understand their cyber risk- and how cyber insurance is such a gamechanger – you and CFC can help protect businesses and perhaps even turn the tide on cybercrime.

See how you can best speak to your clients about cyber risk and insurance in CFC’s on-demand webinar.

Source: www.cfcunderwriting.com

Does Cyber Insurance Cost Too Much?

Posted on by

We often hear that cost can make cyber insurance a non-starter for businesses. We get it; broad coverage comes at a price given the value of services provided with a policy these days.

So, CFC has listed below the 5 key reasons a cyber insurance policy, is worth the financial investment.

Cyber is a business’ largest exposure
We’re in a digital age and businesses no longer rely on paper trails and filing cabinets. This digital reliance has shifted a business’ assets from tangible to intangible, making them wildly accessible and opening even the smallest of businesses to a whole new era of risk.

Subsequently, most companies today state that cyber risk is in their top three, if not their number one business risk given their reliance on technology. Since the frequency of loss is that much greater for a cyber event than traditional perils, such as a fire – it makes sense that the cost of cyber insurance today will mirror a business’ largest exposure.

CFC has created a cyber risk heat map, which explains the varying levels by industry. Hint, nearly no business is safe!

Premiums are a fraction of the cost compared to a cyber claim
The price of cyber insurance may seem higher than expected given many still consider it a discretionary purchase, but when you compare the thousands, hundreds of thousands, or even millions in costs that cyberattacks can incur for business, it’s an easy decision to make.

And the severity of those claims continues to rise. According to the latest Coveware report, it’s been noted that fewer victims are paying ransomware demands, so threat actors are demanding more money to compensate for the lower hit rate, making individual claims more expensive.

This lower hit rate on ransomware has also meant hackers are pivoting back to previous attack techniques, with the likes of business email compromise attacks showing an increase of 147% across the second half of 2022 (for SME businesses).

A good cyber policy should offer proactive protection from attacks
At CFC, from the minute the policy is bound, their cyber security team works around the clock to protect businesses against cyber-attacks.

This is a proactive, protective service that identifies potential threats using insights from a variety of sources, including public and private threat intelligence feeds that go well beyond the usual outside-in scanning tools available to insurers. If a cyber security issue is found, their team will reach out through their Response app to work with a potentially compromised business, to eliminate the threat before it can cause harm.

To pay for this level of monitoring externally, a business would need multiple providers, all individually costing upwards of thousands every year. Whereas, all of this work is done for free, as part of the standalone CFC cyber policy, as well as expert incident response and recovery.

Expert incident response and recovery
One of the other critical elements of a cyber policy is the availability of in-house cyber incident response. At CFC, their team of cyber threat analysts, digital forensic specialists and incident responders, CFC Response, is available 24/7 to triage incidents, contain threats, and repair networks if a cyber incident occurs.

Cyber policies cover a lot
A good, stand-alone cyber policy, such as a CFC cyber policy, includes comprehensive coverage.

Many small businesses do not have access to enterprise-grade security teams, threat intelligence feeds that can inform them of whether they are listed on a threat actor’s target list, or access to a multi-disciplinary team of experts who know how to respond to cyber-attacks and compliment existing IT personnel.

Equally, should the worst happen, cyber insurance policies cover cyber incident response costs, including IT forensics, legal, breach notification and crisis communications to cybercrime costs that include social engineering, theft of personal funds and cyber extortion.

All told, this can cost anywhere from thousands to hundreds of thousands, and there is no limit to the range of support required during a cyber incident. CFC’s security team estimates that the average downtime following a ransomware attack can be up to 2-3 weeks, and that’s only with the expert assistance of a cyber incident response team provided by an insurer. With a broad policy, the insured can focus on getting their business back up and running, rather than worrying about what will and won’t be covered by their insurer.

It is estimated that that cyber-attacks will cost the globe $8 trillion dollars in 2023. Yet, we estimate, only less than 20% of businesses have taken out a cyber insurance policy as of today. Cyber insurers are not just there to step in after an attack has taken place, ready to pay the many external teams a business needed to pull in to recover.  Instead, coverage from a cyber insurer like CFC protects and prevents attacks on businesses from the minute they bind a policy.

Cyber insurance is not expensive, cyberattacks are. And with the right cyber insurance product, it should be the easiest purchase a business has ever made to cover its largest exposure.

Source: www.cfcunderwriting.com

Beware of “BazarCall” Ransomware Attack Method

Posted on by

The new attack method has been growing in use among well-known ransomware groups and was responsible for 10% of malware incidents last quarter.

What is it?

BazarCall is a new attack methodology, known as a T.O.A.D (telephone-oriented attack delivery), which utilizes a phishing email to trick the victim into phoning a call centre – rather than clicking a link – and instructs them to download malicious file which infects their computers. By doing so, the BazarCall attack subverts common cyber security controls and allows the hacker to carry out a ransomware attack undetected.

The phishing emails usually refer to a subscription, for instance an antivirus software, which the victim never requested. The phishing email falsely claims that the only way to cancel this fake subscription is to phone the call centre.

From there, the hacker verbally guides the victim through the process of downloading a malicious Excel file with macros and then enabling those macros, which in turn infects the computer with malware.

Why is it critical?

Because the BazarCall method doesn’t require the user to click a link (as you would expect in a normal phishing email) common cyber security tools like email security filters can’t detect it. The method also subverts security controls because the user is downloading the malware themselves, unlike some more typical cyber attacks where the hacker must first penetrate the network.

Workplace security awareness education about phishing emails and social engineering doesn’t often include warnings for telephone-oriented attacks, which makes this attack more lucrative for hackers and more challenging for businesses.

What has CFC seen?

In early 2022, CFC’s cyber threat analysis team, which is responsible for analyzing and responding to cyber threats on behalf of CFC’s cyber insurance clients, first observed an increase in adoption of this technique by a variety of well-known ransomware groups.

In response, CFC analyzed its cyber customer base and found that BazarCall accounted for 10% of successful malware infections detected across its cyber portfolio in the last three months.

However, by intervening quickly, to date CFC has detected and removed every case of this malware within its impacted customers, at no cost to them. This intervention can happen at three stages:

  • By identifying whether a specific victim has received the phishing email, but not called the phone number
  • Whether they’ve called the phone number within the email
  • Whether they’ve installed the malware

How to mitigate

In order to protect your business from such attacks it’s important you’re implementing the following:

  • Keep all software and firmware up to date: Every device needs antivirus software. If an employee downloads a malicious application like the one from Bazarcall, or if an application becomes infected, antivirus software along with modern, up-to-date firewalls will help to secure the device and remove the infection.
  • Implement multi-factor authentication (MFA) on all remote connections: MFA can help reduce the amount of lateral movement and privilege escalation hackers can achieve within your systems. Even if your password is in the hands of the criminal, it is unlikely they will have your other forms of verification too. For more on MFA best practices, read our cyber tips piece on multi-factor authentication.
  • Employee security awareness training: The majority of cyber attacks are the result of human error, particularly employees who inadvertently click on malicious links or fall victim to social engineering attacks like BazarCall. Carry out regular security awareness training with your employees and ensure it covers all types of social engineering attacks.

For other ways to keep your employees safe read our article, Staying Safe Online.

Source: www.cfcunderwriting.com

Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.

ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook
Connect with us on LinkedIn

CONNECT WITH US ON LINKEDIN