Cyber risk and incident response
Kurtis Suhs, CEO of Cyber Special Ops, explains the history of cyberattacks, and how you can be prepared today.
Of all the technologies that changed our lives, perhaps the most profound of the last 50 years has been the internet. But it wasn't the ability to hyperlink documents that made the most impact. Instead, it was the platform that presented all that information to users – the browser.
In 1995, the world’s first pure internet bank, Security First Network Bank, was launched in Atlanta, Georgia. Obviously, bank regulators had several concerns, such as the ability to safely deliver online banking services and the threat of financial institution fraud arising from this new technology.
Below is a screenshot of Security First Network Bank’s website, which was highly innovative at the time:
The insurance broker for Security First Network Bank, who was also based in Atlanta, was asked to find insurance to protect the online-only bank from internet threats. The insurance agent sought out coverage, but no coverage existed for web perils.
That is when and where the insurance agent had a vision for hacker insurance. So, in 1997, this agent created Network Risk Management Services, LLC (later known as INSUREtrust.com), as a Managing General Agency (MGA) that launched the world’s first cyber insurance policy, at the height of the dot-com era.
INSUREtrust’s model was based on Highly Protected Risk (HPR), where property insurers designed property insurance and engineering-based risk management solutions by employing state-of-the-art sprinkler systems. In a similar vein, INSUREtrust hired information security professionals to conduct an external vulnerability assessment against a cyber insurance applicant’s computer network.
As a condition of binding coverage, the applicant had to immediately remediate any discovered high vulnerabilities, and address and fix any medium vulnerabilities within 30 days of the policy’s effective date. The cyber applicant also had to complete a 12-page insurance application that addressed their risk management controls around people, processes and technology.
By 2015, the marketplace continued to expand, with over fifty standalone cyber insurers who were continually offering ever-broadening terms and conditions at accelerating premium reductions. Not only were external vulnerability assessments no longer required, but the cyber insurance applications shrank down to two to three pages.
This soft market was remarkably close to offering an all-risks policy – an insurance policy that automatically covers any risk that the contract doesn’t explicitly omit. For example, coverage was readily expanded to include:
- bricking – where malware leaves the hardware essentially useless without physically damaging tangible property
- business email compromise – where the attacker sends a spoofed email or hacks into the insured’s network to redirect a money transfer to the threat actor
- system failure – where the insured mistakenly takes their own network offline, resulting in a business interruption loss
Around 2017, private equity firms began heavily investing in cyber insurance MGAs, who took on traditional insurers with online and streamlined applications, quoting, binding and policy issuance. These cyber-MGAs also touted their innovative underwriting prowess by offering external vulnerability scanning at the time of application and during the policy period.
In 2020, the cyber insurance market showed signs of hardening as the frequency and severity of claims increased from ransomware attacks and the theft of money arising from business email compromise. To complicate matters, computer networks were even more interconnected as solicitors utilised online case management, billing, document and e-filing platforms.
By 2021, the cyber insurance market was in an unprecedented hard-market cycle. The European Union Agency for Cybersecurity (ENISA) said there was a 150% rise in the frequency of ransomware attacks between April 2020 and July 2021. And, just as severe, a recent CrowdStrike report revealed that the average ransom payment in 2021 increased 63% to £1.3m, compared to £802k in 2020.
Today, cyber insurers have restricted their appetite for certain industry classes, reduced overall policy limits, sub-limited coverage for ransomware and theft of money, added co-insurance provisions, added further exclusions, and increased premiums by anywhere from 25% to 400% over the past year.
Furthermore, the majority of cyber insurers now require multi-factor authentication (MFA) enterprise-wide, regardless of user privilege, for all applicants and insureds. This is generally non-negotiable and a minimum requirement for a cyber insurance applicant.
Many cyber insurers may also inquire about an applicant’s use of:
- endpoint protection monitoring and response tools
- a 24/7 security operations centre (SOC)
- regular security awareness and phishing training
- a data backup strategy, including whether the backups are stored offsite and air-gapped from the internet
- a privileged access management tool to protect user credentials
Given all these new and onerous cyber insurance requirements, what is your plan if your firm either doesn’t qualify under the minimum information security requirements for insurance or for other reasons decides to forgo the purchase of cyber insurance? Who do you call on a 24/7 basis if you have a cyberattack or theft of money? Even if you have an outsourced information security or information technology relationship, how will you preserve the forensic work product? Law firms have considerations that are unique to their industry – responsibilities related to ethics, legal liability and attorney-client confidentiality.
Concierge Cyber® was designed to provide a plan and equip your firm with the best resources you need to respond to a cyber incident. And for a limited time, Law Society members are eligible to receive Concierge Cyber membership at a discounted cost of £195 per year, regardless of firm size, which translates to £3.75 per week. Concierge Cyber membership will ensure your firm is covered 24/7 by a dedicated team of credentialled, nationally recognised, third-party firms, with the added benefit of cost savings of between 35% and 50% off normal rates.