Insights for Insurers

Uploaded On 2020-11-19

Cyber Insights for Insurers
Q4 Review, March 2020

Welcome to Cyber Insights for Insurers, from the Cyber Practice Group for Aon’s Reinsurance Solutions business. As always, we aim to equip you with relevant trends and analysis to enhance your cyber insurance underwriting, portfolio management and claims handling, plus prepare you for changes in privacy law, the regulatory environment and the threat environment.

Key themes this quarter
▪ Ransomware continues to dominate the cyber insurance conversation, with increases in frequency and severity.
▪ Although most ransomware victims have been targets of opportunity, insurers must also consider the potential for ransomware aggregation events.
▪ Software supply chain attacks also pose significant aggregation risk, as advanced persistent threats (APTs) target ICS manufacturers.

Cyber incident trends

Ransomware continues to hit businesses of all sizes and sectors, although some industries appear to be targeted more than others.

Ransomware continued to dominate the cyber insurance discussion with carriers fielding more claims emanating from ransomware infections than in previous years. Total ransomware incidents recorded in 2019 increased 135% over 2018 levels.

Exhibit 1: Cyber incident rates by quarter 2018-19 (Index: Q4 2018 = 1.0)
[Chart: Data Breach and Ransomware series, 4Q18 to 4Q19]
Source: Risk Based Security, Aon analysis. Data as of Feb 2020.

In Q4, observed ransomware infections rose slightly relative to Q3; however, both quarters saw record attritional ransomware attacks relative to Q4 2018.

Exhibit 2: Industries targeted by ransomware (2018-2019)
Source: Risk Based Security, Aon analysis. Data as of Feb 2020.

Ransomware infections affected all industries, although some more than others. Healthcare, public administration, and education experienced the most incidents, according to publicly available information.
But we believe these industries are more likely to report incidents – either because they are compelled to do so or because it is in the public interest. Ransomware attacks affecting other industries, especially small businesses in those industries, may be underreported.

While we believe that most ransomware victims are targets of opportunity, there are several exceptions. Ryuk focuses primarily on public entities, and the Maze ransomware appears directed at big game hunting.

According to CrowdStrike, Wizard Spider, the group behind the Ryuk ransomware, continues to target public entities including local school districts and municipalities. CrowdStrike noted at least 22 public entities impacted by Ryuk throughout 2019. Ryuk generally relies on the Trickbot or Emotet trojan delivered via spam/phishing campaigns or brute-forcing remote desktop protocol (RDP).

In a modus operandi twist, the actor behind the Maze ransomware variant, Twisted Spider, not only encrypts data on infected machines, but also threatens to publicly release any sensitive data exfiltrated during the attack. This unique MO suggests that the actors behind Maze are more interested in “big game hunting” (i.e. lower frequency, high severity attacks). Unlike Ryuk, Maze utilizes the Fallout exploit kit to initially compromise infected machines. Fallout has also been linked to the GandCrab v5.2 ransomware variant, which has been made available to virtually anyone via Ransomware as a Service (RaaS). Fallout generally relies on social engineering, including phishing to redirect victims to “malvertisements” hosting the exploit kit. Recent iterations of Fallout exploited a known (and patched) Adobe Flash vulnerability (CVE-2018-15982).

Operational technology (OT) is also being targeted by ransomware. Manufacturing, oil and gas, as well as utilities may fall victim to ransomware attacks, which could result in significant business interruption to their core business operations. The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) reported a U.S.-based natural gas compression facility experienced a significant ransomware infection that impacted their IT and OT environment. Human Machine Interfaces (HMIs) and other OT assets were infected. The victim shut down its operations for an unspecified period, resulting in business interruption and other expenses.
CISA reported improper network segmentation allowed the adversary to traverse the IT/OT boundary.

Exhibit 2 chart data (industries targeted by ransomware, 2018-2019):
Mining, Oil & Gas: 0.2%
Business Services: 0.4%
Wholesale Trade: 0.4%
Accommodation & Food: 1.1%
Administrative & Support: 1.1%
Finance & Insurance: 1.1%
Utilities: 1.1%
Entertainment: 1.3%
Construction: 1.3%
Retail: 1.6%
Transportation: 2.0%
Other Services: 3.4%
Manufacturing: 5.8%
Professional Services: 7.4%
Information: 8.1%
Education: 18.2%
Healthcare: 22.4%
Public Administration: 22.9%

Ransomware severity continues to increase.

Continuing the prior quarter’s trend, severity – expressed both in downtime and ransom demands – increased relative to previous quarters. According to Coveware, the average ransom doubled in Q4 from $41,198 to $84,116, with at least one firm reporting losses approaching $100 million when accounting for business interruption, incident response costs, and other associated expenses. Average downtimes vary from 6 days to well over two weeks depending on the report.

Aon Analysis: Companies large and small continue to be impacted by ransomware, regardless of their industry. Regardless of threat actors’ specific attack strategies, the clear majority of initial compromises occur either by phishing or by exploiting weak authentication (RDP) or other known vulnerabilities. Cyber insurers should be vigilant in encouraging robust anti-phishing capabilities as well as helping insureds identify internet-exposed misconfigurations and vulnerabilities. Finally, if Maze-style ransomware / breach hybrid attacks become more commonplace, insured losses will continue to grow.

Aggregation risk monitor

Cloud outages during the quarter were minimal. U.S. market leaders experienced very little downtime for the fourth quarter in a row.

Exhibit 3: Cloud provider downtime during Q4: Top US providers vs. other regions
Source: Cloud Harmony, analysis by Aon

Ransomware has also been targeting single points of failure that could lead to aggregating losses.

Although ransomware attacks against high profile victims garner the most headlines, we have also seen attacks against single points of failure that could lead to potential claims aggregation for insurers. Several notable attacks in Q4 highlight the potential issues. The REvil ransomware variant infected several managed service providers (MSPs), some of which boasted over 1,000 clients, including Fortune 1000 companies. REvil claimed another datacenter victim, CyrusOne, in December.
According to ZDNet, multiple MSP customers utilizing CyrusOne’s New York-based data centers were impacted by the ransomware infection. In addition, ransomware variant Snatch infected web-hosting provider SmarterASP, impacting an unknown portion of its customers. According to CrowdStrike, SmarterASP was able to decrypt their customers’ data in relatively short order – roughly two days – limiting the potential for contingent business interruption (CBI)-type claims.

Aon Analysis: Ransomware threat actors are targeting these single points of failure presumably to maximize their ransom demands. Although attacks on cloud providers have been infrequent, a successful attack on a top five cloud provider could be a major insurance aggregation event.

An Iranian-backed group has been targeting industrial control systems (ICS) manufacturers.

Following the killing of Iranian General Qassim Suleimani, information security professionals warned of potential Iranian retaliatory cyber attacks against U.S. businesses and critical infrastructure. However, troubling trends have also surfaced that likely preceded the recent escalation in U.S.-Iran tensions. The Iran-affiliated advanced persistent threat (APT) 33 specifically targeted manufacturers of industrial control system (ICS) components. According to FireEye and Wired, APT 33 began conducting credential stuffing attacks against unnamed ICS manufacturers in hopes of gaining a foothold on their networks. It was unclear if the group’s attempts were successful. APT 33’s interest in ICS manufacturers presents an increased risk to critical infrastructure, including entities in manufacturing, oil and gas.

Aon Analysis: Software supply chain compromises remain a concern, especially when the targets include ICS components. Such an attack, if successful, could potentially result in physical damage at sites, power outage, and downstream impacts for those who rely on these technologies and products.
Contact Information

Craig Guiliano, CISSP
Director of Threat Modeling
Aon | Reinsurance Solutions
+1 312 381 1566
craig.guiliano@aon.com

Jon Laux, FCAS, MAAA
Head of Cyber Analytics
Aon | Reinsurance Solutions
+1 312 381 5370
jonathan.laux@aon.com

Catherine Mulligan
Global Head of Cyber
Aon | Reinsurance Solutions
+1 212 441 1018
catherine.mulligan@aon.com

Luke Foord-Kelcey
International Head of Cyber
Aon | Reinsurance Solutions
+44 (0)20 7086 2067
luke.foord-kelcey@aon.com

About Aon

Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Disclaimer

This newsletter is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney client relationship is formed or implied between you and the author(s) or Aon.