August 23, 2021 by Canadian Underwriter Staff
Brokers must secure their client data to protect their trusted advisor status, a cyber insurance provider has warned.
“What many brokers fail to realize is that when customers engage them as a trusted risk advisor, it implies they’re also trusting them with their data,” Vishal Kundi, CEO and co-founder of Toronto-based BOXX Insurance, told Canadian Underwriter. “You can’t be a trusted risk advisor if your clients can’t trust you with their data.”
Many brokers aren’t doing enough to secure the data they collect, he added. If a broker doesn’t back up files properly and loses all records in a cyberattack, clients will be legitimately upset.
“[A client] could argue that you’ve been advising them about their risk management controls for all these years but neglected to take your own advice,” Kundi said. “Now, you’re not only dealing with a costly data recovery mess but fighting to protect your reputation and client base.”
Further, cybercriminals are becoming increasingly sophisticated, making data recovery more difficult.
“Simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware [or other] attack,” Kundi said. “There’s a lot more to it, like how frequently you back up data (you should be doing this daily), where you’re backing up your data (for example, in the cloud or on hardware), and whether you have a procedure to regularly test your backups.”
Kundi said brokerages should review their data recovery protocols and look at the latest techniques hackers use to perform ransomware attacks. Brokers should be asking their IT teams or providers the following questions to help determine backup security:
Some products back up data to folders accessible over corporate networks. Many organizations use the default directory name created by these products to store their backups.
However, the default names are readily accessible in publicly available documentation. “Some creators of ransomware figured this out a while ago, and as part of their malware that finds and encrypts data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories. In so doing, they increase the possibility that companies can’t recover from backups,” Kundi said.
When ransomware encrypts a brokerage’s data, the encryption generally occurs as soon as — or shortly after — the ransomware accesses the brokerage’s network. Newer ransomware, however, infects data immediately but does not encrypt it right away — thereby eluding immediate detection, Kundi explained.
“After days, weeks, or even months go by, [the ransomware] initiates the encryption of the corporate data. This is the worst type of ransomware attack,” he said. “Not only is all of a brokerage’s production data encrypted, the broker thinks it has ‘good’ backups. [But] when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up.
“This may make it almost impossible for a brokerage to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.”
A number of backup software editions make their own application programming interface (API) available to developers. Ransomware creators can also access these published APIs and use them to encrypt existing backups.
“By taking the time to review how their client data is being stored and protected, insurance brokerages can ensure their client data is available at all times and, more importantly, take another step to protect their most important asset: their clients’ trust,” Kundi said.