The insurance industry has been working to educate policyholders about the cyber risks their businesses face for many years, but the increasing frequency of ransomware attacks on businesses and municipalities is elevating this ever-changing risk to a new level that experts, including insurers, are unsure how to handle.
Cybercrime is nothing new to cyber experts, but the sophistication of cyber attacks and the breadth of targets have evolved over the last 10 years, said Robert Anderson Jr., a former national security executive who served more than 20 years with the FBI and now works in the private sector as the CEO of Cyber Defense Labs, a cyber information security service provider. Anderson spoke at Advisen's Cyber Risk Insights Conference in San Francisco in February, telling attendees that just 10 years ago, ransomware attacks were handled by the government, which could usually get the data back. But the last three years have brought a new reality for both public and private entities as cyber criminals' attack methods have advanced significantly.
"The hackers that are employing this [ransomware] doesn't just attack the client, doesn't just attack the partner, it attacks the managed service provider's network to make sure that they don't alert the client that they're being attacked or a ransomware attack is going to happen," Anderson said. "And by the way, it shuts off anything that they have to minimize that attack."
Anderson said insurers and their policyholders have to be thinking ahead to how these threats are carried out through different organizations, whether criminal, hacktivist, or nation-state.
"And unfortunately, what I see ... that's not where we're at," he said. "We're focusing on today and now, and how these threats are affecting us."
Anderson said these incidents will continue to increase as criminal organizations globally learn from other attacks and figure out how they're going to infiltrate a company to make money. He said cyber hackers who launch these attacks are part of a multitrillion-dollar industry.
"People that say crime doesn't pay -- that's not true. It doesn't pay if you get caught, but if you don't get caught, it pays a lot of money," he said.
Anderson noted that when he was in the FBI, he would never advocate paying a ransom to a cyber criminal, but his tune has changed as our dependence on technology infrastructures has become critically important. Since starting his consultancy 4.5 years ago, he said he has been involved in paying 600 ransoms.
"Why? The sophistication of the attack ... cripples the company," he said.
"We all know we need to segment data, we all need to have redundancy data, we all need to have a plan for when an attack happens," he said. "[But] I have worked thousands of breaches since I've retired. I've been involved in all kinds of proactive risk assessments. I speak all over the world. We still aren't doing it."
Clients and the insurance industry, which Anderson says could also be crippled by these attacks, need to put preparatory response plans in place to handle the types of ransomware attacks happening to businesses and municipalities today.
"If you're looking at two years ago, you're missing it. You're missing the threat. You're not going to catch it," he said. "Nowadays, these attacks are much more strategical. They look at infrastructure that they know companies can't shut down; county governments can't stop functioning."
He said all entities that could be impacted by ransomware attacks, as well as their insurers, should be evaluating the vulnerability of the entire infrastructure and how broad an attack could be in terms of affecting or interrupting other services the entity provides.
"You can't just look at what's the threat today, but what part of that eco-structure are they in," he said. "The sophistication of the bad guys and girls nowadays is off the charts."
Anderson noted thousands of advanced hackers in places like China, Iran, Russia and North Korea are being hired to attack entities in other countries so they can steal data from the U.S. to be sold later.
All entities, particularly government and private corporations, need to be ready to respond quickly if attacked because these incidents will only get more sophisticated and costly.
"Hear what I'm saying to you on this -- it's not as simple anymore as just going, 'Breaches happen. This is what we're going to do,'" he said. "No, you have to have your head up, and you have to be thinking about why does this fit together."
Anderson said virtual currency is the payment method of choice for ransomware attacks, but the U.S. government is getting better at figuring out where that currency is being sent. As a result, ransomware attacks usually include a countdown clock or set amount of time for the victim to respond because the quicker the hacker gets their funds, the less likely they are to be caught, and they are likely attacking multiple entities at one time.
The use of virtual currency by criminal organizations should be significant to everybody "because it's eventually going to come to the group that we're working with and the clients that we're trying to protect," Anderson said.
Advances in artificial intelligence and machine learning are also making it less cost-prohibitive for cyber hackers to execute attacks, which could increase their frequency.
"When we look out in front of where this threat's going, we can't just look at the totality. We have to look at who's going to be the victim, who's going to be attacking that client or that corporation or that government agency," he said. "It's a lot more complex nowadays. Five, 10 years ago it wasn't like this. Nowadays, it's absolutely like this."
He urged the industry to work with its clients on being more proactive at stopping attacks in the first place, and that involves doing more than just buying and selling a cyber policy that fits the budget and thinking that addresses the risk. Most companies, he said, are not "leaning forward" enough to avoid the devastation of what a ransomware attack could bring, such as costly lawsuits or the end of a business.
"I've been retained for a lot of outside expert witness cases, and I can tell you the first thing in these $500 million class action lawsuits that comes out of all the depositions is when did the head of the organizations know there was an issue? When did they know something needs to be fixed?"
In most of these lawsuits, companies knew they were vulnerable and deferred doing anything about it, and that puts the company in a worse position when defending itself, Anderson said.
"They're going to say, well, wait a minute, you were the head of the company," he said. "I don't care if you had cyber people sitting on your board. What are you doing to try to fix it? What are you doing to try to push it forward? What are you doing to try to be proactive in your company?"
He said insurers can help their clients by learning about the current risks they face and how those will evolve.
"An ounce of prevention goes a long way, and I think if we can get clients, partners, people inside the country -- whether it's private or government -- to be thinking about what's the next thing coming at them, it benefits everybody," he said.