☰ Navigation

1-888-643-2217 Email ABEX
Keeping you updated

Category Archives: Cyber Risk Management

Cybercriminals Exploiting Coronavirus

Posted on by

Public concern and working-from-home mandates are providing opportunities for cybercriminals.

This CFC advisory provides some background on these risks along with some easy-to-implement steps that businesses can follow to avoid falling victim.

COVID-19 increasingly being used in phishing attempts

As new cases of the COVID-19 Coronavirus continue to be reported daily, cybercriminals have been leveraging the situation to take advantage of those looking for information on the outbreak. Scams include the following and are changing each day:

  • The Sophos Security Team has spotted emails impersonating the World Health Organization (WHO). The emails ask victims to “click on the button below to download Safety Measure”. Users are then asked to verify their email by entering their credentials, redirecting those who fall for the scam to the legitimate WHO page, and delivering their credentials straight to the phisher.
  • Interpol has warned of a large increase in fraudulent websites claiming to sell masks, medical supplies and other high demand items that simply take money from victims and never deliver the promised goods. It is advisable that internet users purchase items only from established and reputable sources.
  • There have been reports of airlines and travel companies being impersonated by fraudsters in a bid to either obtain sensitive information, like passport numbers, or install malware on victims’ computers. They may say they want to advise you of COVID-19 infected passengers on past flights you’ve taken or offer discounts on future flights. When in doubt, we advise users to be vigilant when clicking on any links, delete any suspicious emails, and not disclose sensitive information if you are approached unexpectedly.
  • Fraudsters are also developing fake charitable donation campaigns which claim to help individuals and communities impacted by the Coronavirus. Any money donated is sent to fraudulent accounts. Again, if you are wanting to support relief efforts, make sure to research the organizations you are looking to donate to.
  • A Twitter user has identified another malware campaign purporting to be a “Coronavirus Update: China Operations”. The emails have attachments linking to malicious software.

As global concern about the coronavirus grows, it is likely that threat actors will continue to abuse this outbreak to their advantage.

Increased remote working can open gateway to hackers

Remote desktop protocol (RDP), when set up correctly, is a great tool for remote working. However, using it without multi-factor authentication (MFA) enabled or on an insecure network can open the gateway to hackers. In fact, in 2019, 80% of the ransomware attacks we handled were initiated through RDP.

Businesses that start using RDP for remote working during the outbreak should be aware of some of the cybersecurity risks it can pose and ensure it is being used securely. Employees should always log on within a trusted network and ideally work with their IT department to secure personal devices – and implement MFA – prior to remote working.

CFC recommendations

We suggest implementing the following steps to bolster security:

  1. Test remote log-in capabilitiesNot only should personal devices be configured for secure remote working, but business should ensure that multi-factor authentication (MFA) is set up immediately. MFA is an authentication process that requires more than just a password to protect an email account or digital identity and is used to ensure that a person is who they say they are by requiring a minimum of two pieces of unique data that corroborates their identity. Implementing this significantly reduces the chances of cybercriminals being able to log into a business’s RDP. For more information on MFA and how to implement it, click here.
  2. Train your employees on how to spot a phishing emailAs a CFC cyber policyholder, you can get free access to a range of risk management tools, including CyberRiskAware, an e-learning tool focusing on phishing attacks. This valuable tool teaches people within your business to be more vigilant when in comes to opening attachments, clicking on links, transferring money, or sending sensitive information. To find out more about it, including instructions on how to access it, click here.
  3. Prepare for operational disruption in advancePut simply, prepare for the worst. As with so many cyber incidents, time is of the essence so ensure you have an incident response plan in place, a template for which you can access for free as a CFC cyber policyholder. And as ever, if you believe that one of your employees has fallen victim or that you are experiencing any kind of cyber event, notify CFC as soon as possible so that we can help you.
  4. Finally, be vigilantWhat’s becoming clear as this pandemic plays out is that cybercriminals are shifting tactics daily. If you see something on social media or receive an unsolicited email that seems too good to be true, it probably is. Aside from learning how to spot phishing emails, make sure to do your research, use reputable companies, and follow-up requests for money or information with a phone call using a number from a separate, trusted source.

Source: www.cfcunderwriting.com

How to Stay Safe Online

Posted on by

The last couple of years has seen a surge in cyber events affecting businesses of all sizes. With the growing volume and sophistication of online threats like viruses, ransomware, and phishing scams, it’s important to know the proper practices to stay safe online.

From paying attention to browser warnings to being mindful of app permissions, a few small changes can make a big difference when it comes to cybersecurity. That’s why CFC’s in-house cyber claims and incident response team has assembled this handy infographic, which contains oodles of easy, actionable tips on things you can do – today – to become more secure.

Click here to download the full infographic below.

Source: www.cfcunderwriting.com

Anatomy of a Cyber Policy

Posted on by

Cyber insurance policies tend to be modular in nature, meaning that they consist of a variety of different coverage areas and, for many, that has led to confusion around how exactly this cover fits together to create a uniform whole.

To help explain this further, CFC has dissected their cyber policy section by section to show how each part of this body of coverage functions.

Click here to download the full info-graphic below.

Source: www.cfc.com

 

Small Retailer Loses Business-Critical Data after Cyber Attack

Posted on by

Over the past two decades, technology has transformed the way businesses operate, and most depend on their computer systems in one way or another. Even traditional businesses, such as retail stores and wholesale distributors, utilize computer systems and the data held on those systems to ensure the day-to-day running of their operations. If those systems become unavailable or cease to function properly as a result of a cyber attack, it can have a detrimental impact on the business in question and result in substantial financial harm.

One of CFC policyholders affected in such a way was a home improvement store, which operated from a single store. The store sells a wide range of domestic goods, including outdoor furniture and sheds, garden equipment, kitchen utensils, bathroom fixtures and fittings and DIY tools and equipment. Customers can buy in-store or have larger items delivered to their houses upon request. The business has a large warehouse connected to the retail store which is used to store stock that can then be used to replenish stock on the shelves, or in the case of larger items, brought out for customers to collect or have delivered.

Employee falls hook, line, and sinker

The incident began when an employee fell for a phishing email. The email stated that there was a financial statement attached that needed to be verified. Even though the email was not directly addressed to the employee, had numerous grammatical errors and appeared to come from a suspicious email address, curiosity got the better of the employee and he clicked on the attachment. Upon clicking on the attachment, a ransomware variant was downloaded onto the business’s server and began encrypting files and programs across the network, including the insured’s back-ups, which had not been stored externally.

With the server encrypted, the business wasn’t able to access any of the systems that it used every day, including the point-of-sales system and information relating to sales, deliveries and stock management.

Urgently needing to regain access to these systems and databases, the policyholder reported the matter to CFC’s cyber claims and incident response team. With the insured’s back-ups having been encrypted by the ransomware, our claims and incident response team considered the other options available. The first step was to establish which ransomware strain had been used in the attack by looking at the ransom note and a sample of encrypted files. In this case, the ransomware used was a well-known and well-established strain and the team was able to find a freely available decryption key online. Using the decryption key, the team began the process of decrypting the business’s programs and files.

In most cases involving ransomware, once a business’s data and programs have been decrypted and the ransomware has been removed, the business can continue to use its computer systems as normal.

However, things aren’t always as straightforward as this. Unfortunately, cybercriminals don’t have the same approach to product due diligence that law-abiding businesses do, and those who create ransomware won’t have gone to the effort of testing how compatible their ransomware strains are with every conceivable type of file or program. As a result, ransomware can lead to unintentional and sometimes irreparable damage to electronic files and computer programs.

In this case, although the majority of the business’s data was accessible following the decryption process, a database containing six months’ worth of information relating to stock levels and delivery statuses was corrupted. In spite of numerous attempts to reconfigure and restore the database, the files were deemed to be beyond repair, rendering them inaccessible to the business.

Corrupted database causes long delays

Without access to the database, the business faced numerous difficulties. Staff on the shop floor were unable to check the most up-to-date database to see if a particular item was in stock. So in the event that a customer asked if an item was available, the only option was for a member of staff to contact a member of the warehouse team and ask them to trawl through the warehouse to see if the item was there, leading to significant delays to the service. The lack of information on stock levels also meant that the business didn’t have an accurate overview of which items were low in stock and needed to be re-ordered from suppliers, resulting in a shortage of popular items. In addition, without access to delivery information, the business lost track of the delivery status of certain items, which resulted in items either not being delivered to the customer on time or in some cases being delivered twice.

The only way to tackle this issue was to manually re-create the current stock inventory. In order to do this, employees had to go through each item in stock, both in the warehouse and on the shop floor, create an identification number for each item and then scan it back onto the database. The business also needed to gain a better understanding of the delivery status of all items. To avoid delays and duplication, staff were required to go through all open sales and see how these corresponded with hard copies of delivery receipts to establish which items had been delivered and which items were still awaiting delivery.

Given the size of the store and the amount of stock and sales data this involved, this was a significant undertaking and staff were required to work overtime, but this alone wasn’t sufficient. The business also had to bring in contractors to assist with the task. In total, it took two weeks for the business to fully rebuild this database. This came at a cost of $20,858 made up of employee overtime and contract staff costs.

Although the store remained open during the entirety of the recovery period, disruptions to the service did result in a reduction in sales. For the month in question, the business had forecasted sales of $460,031, but the actual sales for the month only came to $353,611, a shortfall of $106,420. Applying a rate of gross profit of 20% to the shortfall, the insured’s business interruption loss was calculated at $21,284.

The role of human error and other lessons

This claim highlights a few key points. Firstly, it illustrates how human error plays a key role in many cyber incidents. Lots of businesses refuse to buy cyber policies on the basis that they have good IT security in place. But this reasoning doesn’t take into account the fact that the majority of cyber incidents are the result of human error. In this case, the incident was triggered by an employee clicking on a malicious attachment. Businesses should look to ensure that employees are educated about the risks posed by phishing emails and are made aware of how to spot them.

Secondly, it highlights how dealing with a ransomware incident is not always a straightforward matter of carrying out the decryption process and the business in question automatically regaining access to their systems and data. In reality, there can be all sorts of unforeseen complications. In this instance, even though the data and applications were decrypted using a freely available decryption key, the ransomware itself had corrupted one of the business’s key databases, which had a detrimental impact on the insured’s operations.

Thirdly, it demonstrates the importance of having data re-creation cover on a cyber policy. Many cyber policies only provide cover for the costs to recover or restore from back-ups, but not the costs to re-create or re-enter lost data from scratch. A sizable portion of the insured’s claim came about from the labour costs associated with staff and contract workers having to manually scan and re-enter data to ensure that the stock inventory was correct and up-to-date, and brokers should be sure to check that their clients have this important cover in place on their policies.

Finally, it reveals how almost all modern business have some form of cyber exposure. Even though the business in question was a household goods store that did not solely rely on its systems for the business to operate, the business still relied on its computer systems and data to manage the store effectively and to provide efficient customer service. When some of the business’s data was corrupted, it had a negative impact on overall operations and having a cyber policy in place provided a valuable safety net for the company.

Source: www.cfcunderwriting.com

Third-party Downtime Leads to First-party Business Interruption Loss

Posted on by

An HR service provider lost contracts due to a cyber attack suffered by one of its supply chain partners.

Over the past two decades, technology has transformed the way businesses operate, and most now depend on their computer systems in one way or another. Rather than having to deal with everything in-house, many businesses choose to outsource elements of their IT infrastructure to third party providers, whether that be in the form of website hosting, data storage or application level services.

In many cases, outsourcing IT can prove to be a more efficient and cost-effective way of doing things, with businesses benefiting from the expertise of their third-party providers. However, outsourcing is not without risks. In a cyber insurance context, dependent business interruption describes a situation in which a third-party organization that supplies a policyholder with goods or services is affected by unexpected downtime as a result of a cyber event or system failure. Even though the policyholder’s computer systems may not be directly affected by the incident, the loss of the goods or services provided by the third-party can still have a major impact on the insured business’s ability to operate effectively. This means that a business can still suffer a business interruption loss even when its computer systems are unaffected.

One of our policyholders affected by this type of loss was a small company providing outsourced human resources services to a variety of different businesses. The organization provides a range of services to its customers, including payroll processing, employee benefits and health insurance and assistance with compliance and regulatory issues.

Third-party downtime, first-party problems

The business provides its payroll processing services through an online application, which in turn is owned and hosted by a third-party provider. Their customers gain access to the payroll application through a link on their website, which then takes them through to a landing page hosted by the third-party where they can then log in to the application. Once these customers log in to the application, they are effectively operating on the third party’s computer systems, even though their contracts are with our policyholder.

The issue began when the third party responsible for providing the payroll processing application was hit by a ransomware attack. This ransomware attack managed to encrypt the servers hosting the application, which meant that neither our policyholder nor its customers could gain access to the application. As the application was hosted by this third-party, however, our policyholder was powerless to control the situation and had to rely on the application provider to respond to the incident. The only thing they could do was to explain to its customers that the application was unavailable due to a cyber attack affecting the application provider and that regular status updates would be provided.

In the meantime, the third-party provider went about trying to deal with the issue by decrypting the affected servers, removing the ransomware and returning the application to its normal functionality. After three days of downtime, it looked as though the issue had been resolved and the insured and its customers were able to login to the application once again. However, this breakthrough proved to be short-lived. During the encryption process, the ransomware had damaged the application and impaired its underlying functionality. This meant that while customers were able to log into the application and view employee data, they were unable to update the data or process any payments.

To remedy the problems caused by the ransomware, the application was taken down once more and it was only after a further five days of downtime that the application was fully restored. To make matters worse, the downtime occurred at the end of the calendar month, a time during which most of our policyholder’s customers would ordinarily pay their employees.

Frustrated customers lead to lost contracts

With the payroll processing application rendered inaccessible as a result of the ransomware attack, some of their customers were unable to pay their employees on time. Although they were able to pay their employees once the application was up and running again, the delay in payment was a source of great frustration for both the businesses and employees affected. As the customers that were impacted only had contracts with the insured rather than the application provider, it was the insured that bore the brunt of this anger.

Indeed, eight customers chose to cancel their contracts and take their business elsewhere. All of these customers sent individual letters or emails to our policyholder, explaining their reasons for cancelling. In each case, these cancellations came down to a combination of two factors: firstly, the delay in paying employees as a result of the ransomware attack and, secondly, a concern that the ransomware attack meant that sensitive data stored on the payroll application might not be secure. This served as confirmation that these customers were lost as a result of the cyber attack as opposed to regular customer churn.

The total value of these annual contracts came to $72,554 and despite the insured’s attempts to placate these clients and win them back, unfortunately none of these customers decided to reinstate their contracts, meaning that over the course of the 12-month indemnity period, the insured suffered a business interruption loss of $72,554.

While these losses are potentially recoverable from the application provider, this can be a costly and lengthy process and in the meantime the insured would suffer from cashflow issues due to the drop-off in income. Fortunately, however, the income loss from these cancelled contracts was covered under the dependent business interruption section of the company’s cyber policy with CFC, which covers business interruption losses arising as a result of a cyber event or system failure at a policyholder’s supply chain partner.

Dependent BI and other takeaways

This claim highlights a few key points. Firstly, it underscores the importance of having dependent business interruption cover in a cyber insurance policy. Some cyber insurers will only provide cover for business interruption losses as a result of cyber events that directly affect an insured’s computer systems. However, in this instance, at no point was the insured’s computer systems directly impacted by the ransomware – it was the application provider’s computer systems that were affected – and yet it still resulted in a sizable business interruption loss. By having dependent business interruption cover in place, the business was able to fully recover its financial loss.

Secondly, it illustrates the value of longer indemnity periods. Many cyber insurers only offer 3-6-month indemnity periods as standard. However, this ignores the fact that the financial impact of a cyber event can be felt for much longer than a 3-6-month indemnity period would allow for. In this case, the cancellation of annual contracts meant that for each cancelled contract, the insured lost 12 months’ worth of income. By having a 12-month indemnity period in place, they were able to reclaim quadruple the amount that they would have been able to claim on a policy with a 3-month indemnity period and double the amount they would have been able to claim under a policy with a 6- month indemnity period.

Finally, it highlights that businesses that receive their income on a contractual basis could be more exposed to business interruption losses, as the cancellation of monthly or annual contracts could very quickly result in sizable financial losses being incurred. Accordingly, businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their cyber policy.

Source: www.cfcunderwriting.com

 

Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.

ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook
Connect with us on LinkedIn

CONNECT WITH US ON LINKEDIN