In the crosshairs: Why insurance remains a target for cybercriminals

Cybercriminals are now specifically searching for terms like ‘insurance’ when looking for data, a partner with Norton Rose Fulbright Canada LLP said during an industry event last week.

“They’re not just looking for any data. They’re actually quite smarter,” says Imran Ahmad, a partner at the law firm and head of technology/co-chair of data protection, privacy & cybersecurity. “The data they’re looking for, they will look for search terms like ‘insurance,’ interestingly enough. They will look for ‘HR,’ they will look for personal information, customer data and pull that information out.”

Ahmad was discussing ransomware and why it is such an issue in today’s cyber market during Resetting Cyber Risk, a session at the Insurance Institute’s GTA Virtual Symposium.

Some in the P&C industry have observed that if cybercriminals know their victims are insured for ransomware, they may be able to extract larger ransom payments from insureds.

In addition to searching for specific terms, another trend over the past six months involves cybercriminals taking huge quantities of data. “They’re not taking small amounts of data. That was early on, we saw a couple of gigs of data, which is not relatively concerning in itself,” Ahmad says.

“But now we’re seeing terabytes of data, which are huge quantities, meaning that they’re able to get into an IT environment and unbeknownst to the victim organization, pull that data over a period of days, weeks, if not longer.”

Imran Ahmad (top row, third spot), a partner at Norton Rose Fulbright Canada LLP, and head of technology/co-chair of data protection, privacy & cybersecurity, speaking during a panel at the Insurance Institute’s GTA Virtual Symposium.

This has complicated the analysis from a legal perspective and how Norton Rose Fulbright advises clients, Ahmad says. He points to three scenarios where a client may want to consider paying a ransom:

• Data is encrypted, and it’s having a significant operational impact on the organization. “But for the decrypter, you’re dead in the water,” Ahmad says. “You’re losing money on a day-to-day basis, and the quantum where the amount of the ransom is ‘reasonable enough’ to pay so that you get operations back up and running.”
• You may be able to restore from backups, but the data is really sensitive. This may affect business-to-consumer focused clients who hold consumer, health or financial data collected in large quantities over multiple years, Ahmad says. Clients may be incentivized to pay for the data to be deleted or recovered, even though they may be able to recover it themselves.
• The client has good backups and is able to restore the data. The data is not particularly sensitive, but it is embarrassing. “You don’t want it out there,” Ahmad says. “You certainly don’t want the name of the company or the organization to be out there, so you may be willing to pay a ‘nuisance payment.’

For example, if a ransom demand is $1 million, a company may be willing to pay $100,000 “for this to just go away,” Ahmad says. The problem, he adds, is this is typically not covered under insurance because it’s a “convenience payment.”

Even if a client decides to make a payment or restore from backups, it takes time “even if you have the best backups in the world,” Ahmad says. “You don’t know when the threat actor got into your system. So, you can’t just pick a random date and say, ‘Well, I’ll restore from three weeks ago, or six weeks ago or nine weeks ago.’ It has to be done securely because you don’t want to be re-extorted.”

This is where cyber forensics comes into play, Ahmad says. “Because the question you’re going to get from your stakeholders, internal or external, is, ‘How can I continue doing business with you if you don’t know how they got in in the first instance?’”

And hackers have adapted, knowing that many companies have good backups in place, adds another panellist, Neal Jardine, global cyber risk intelligence & claims director with BOXX Insurance Inc. “So, what are they doing? They’re stealing large quantities of data.”

A few years ago, there were really only a couple of types of ransomware incidents, Ahmad says. “You either had ransomware… that locked up your data and you had to pay for the decrypter to unlock the data, or you had the data that was locked up, but you had good backups and you could restore it.”

Now, threat actors have introduced a new concept of “double extortion,” where data is taken out and then the system is locked up. “So even if you have the file somewhere else, you may be incentivized to pay to recover the data to come back, especially if it’s sensitive data.”

Feature image by iStock.com/tommy