Cybercrime and ransomware have become a global concern for governments and businesses
By Michael G. Malloy
The adage that crime doesn’t pay is being turned on its head with cybercrime, which pays well (often in hard-to-trace cryptocurrency). Businesses and government entities large and small alike are battling cybercriminals based in the murky shadows of the internet and the “dark web,” who are sending out surreptitious lines of hidden code and clandestine “worms” that burrow their way into systems that are then held hostage until site holders pay up.
While not a ransomware or the first large-scale cyberattack, last year’s SolarWinds hack, in which malicious code was planted into computer networks of U.S. companies and government agencies via Texas-based SolarWinds’ ubiquitous Orion software, was something of a wakeup call on the importance of cybersecurity. It compromised systems to the highest levels of the federal government, including the Commerce, Energy, Justice, and Treasury departments. Microsoft President Brad Smith told CBS’s 60 Minutes in February that “from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.”[1]
Then this spring, ransomware blasted onto the front pages when people found themselves in panic-infused gas lines reminiscent of the 1970s energy crisis following the hack and subsequent payment demands by international cybercriminals that temporarily shuttered the Colonial Pipeline, which feeds fuel up the East Coast. Like SolarWinds and a previous large-scale global hack—2017’s NotPetya attack—the suspected hackers, known as DarkSide, were based in Russia, raising the political stakes just as President Joe Biden met with Russian President Vladimir Putin at a Switzerland summit following the Group of Seven nations’ meeting in England in early June. At that meeting G-7 leaders, including Biden, issued a communiqué calling on Russia “to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.”[2]
The Colonial attack—and a subsequent strike on multinational meatpacking company JBS—pushed the issue of whether to pay ransomware into congressional hearing rooms on Capitol Hill in Washington, where Colonial CEO Joseph Blount defended his company’s decision to pay more than $4 million to DarkSide, calling it “the right thing to do for the country,” in order to get fuel moving again.[3] Then in early July, another cybercriminal gang, dubbed REvil, broke into the software of Miami-based IT software firm Kaseya, which was passed on and locked the systems of thousands of small businesses, demanding some $70 million in a hack that hit companies in the U.S., Europe, and Asia, in what was called the biggest ransomware attack on record.[4]
An evolution in the making
“Government hasn’t exactly been on top of [cyber] infrastructure for the past couple of decades,” said Norman Niami, vice president and actuary at the American Property Casualty Insurance Association, and chairperson of the American Academy of Actuaries’ Cyber Risk Task Force. “It’s obviously getting more attention and focus, and there are some basic [cyber] hygiene things that companies and individuals can do that significantly lowers their risk … but once you talk to security people, it’s not much of an exaggeration to say that many systems are almost wide open for anybody who wants to do whatever to them.”
Editor’s note: Listen below for an exclusive interview with Norman Niami.
[player id=’8802′]
The NotPetya attack, which targeted Ukraine, quickly turned into a global catastrophe, Niami said in a Q&A with the Academy’s Spring 2021 Casualty Quarterly newsletter.[5] Prior to this year, that had been the most expensive known cyberattack, with costs estimated as high as $10 billion and with two of the most heavily impacted companies being pharmaceutical giant Merck and logistics titan FedEx, which each lost hundreds of million dollars as a result.
“Companies should certainly be cognizant of threats and be actively planning how to improve their operational resilience,” said Brad Gow, global insurance cyber product leader with Sompo International, who noted the tests that cyber-risk issues can pose to actuaries. “From an actuarial perspective, the cyber line can be incredibly challenging … to price for all these different threats,” he said, noting that when carriers first started putting cyber-risk policies together, threats were far more limited 20 years ago. “If you’re pricing hurricane or earthquake risk, you’ve got hundreds, or thousands—or even tens of thousands—of data points to reference. With cyber, networks are so dynamic with new users and companies constantly reconfiguring their networks,” so it’s not as predictable, he said.
Especially in the past 10 years as cyber-risk insurance has become a more prevalent, and profitable line, the scope of coverage has continued to grow and includes first-party expenses related to data breaches, including setting up call centers and credit monitoring for impacted people, cloud outages, regulatory defense coverage, and most recently ransomware. “Carriers that are struggling through recent ransomware problems are those that, for example, focused exclusively on data breach as a threat. Their underwriting and their pricing may not have taken into consideration other potential threats against different coverages,” Gow said.
Regarding ransomware, “every organization has a business decision to make as to whether or not they pay a ransom,” said Brad Keenan, assistant vice president for public agencies at Keenan & Associates, a Torrance-Calif., based insurance and financial services firm. “When ransoms are part of the equation, the federal government is generally involved and are briefed on the matter to ensure proper protocols and laws are followed. Most cyber insurance policies do have extortion coverage to pay ransoms [and] many policies are now including sub-limits and/or co-insurance for extortion/ransom payments.”
Despite the recent boom in hacks and large-scale attacks seeking ransomware, Niami noted that cybercrime—and cyber-risk insurance—has been around almost as long as the internet. In the past few years, the U.S. has accounted for about half of all global premiums, he said.
“It’s been a U.S. phenomenon for about 30 years and has become a lot more international for about the last 15,” Niami said, with systemic threats joining ransomware as some of the most prominent recent issues of concern. “It’s been getting worse, and 2020 just exploded with ransomware,” he said. Insurance was “not even the tip of the iceberg,” at about $3 billion in the U.S. and around twice that globally. That’s just a fraction of the estimated $6 trillion in global cybercrime costs this year—and heading toward an estimated $10 trillion by 2025, he said—“To get a sense of the size of this, the only two economies that are bigger than that are the U.S. and China.”
And while personal systems like laptops or cellphones update regularly, by contrast large industrial systems generally cannot do so that easily. “You can’t shut a steel plant down three times a day to update the software,” Niami said, adding that big targets are “kind of the new version of why people rob banks—because that’s where the money is. Electrical grids could be brought down by a teenager because systems are antiquated. There’s not enough money being spent [on cybersecurity], and there are so many holes and openings—it’s a big problem.”
A moving target
One of the challenges for actuaries is that data is changing so fast—almost week to week, Niami said. A few years ago, the majority of theft and losses were from compromised personal information and because of regulations it cost companies millions of dollars to contact customers.
“Cyber used to be a relatively inexpensive coverage, but with every headline about a new cyberattack such as Colonial and JBS, it allows insurance companies an opportunity to increase pricing,” Keenan said. “Cyber insurance seems to be trending to a coverage that requires many risk controls to be in place at the time of the loss or else coverage will be substantially different.”
Silent cyber—those cyber-related risks that may not be expressly covered in a cyber-risk insurance policy—are also an issue in cyber-risk coverage. Taylor Krebsbach—who presented on the issue in a breakout session at the Academy’s 2020 Annual Meeting and Public Policy Forum when she was a member of the CRTF—said that determining silent cyber exposure is complicated because cyber risks expand and evolve at a rapid pace, and it is difficult to expect or predict where the next cyber accident will come from and its severity.
“Insurers typically do not have sufficient historical data to accurately forecast their future silent cyber risk exposures and price appropriately,” she said. “Both insurers and reinsurers continue to develop more robust analytical tools and transform silent cyber to affirmative cyber risk through clear and transparent policy inclusions.”
Gow said that unlike natural disasters, cyberattacks don’t have geographical boundaries, with malware that can spread beyond borders once unleashed, adding that many carriers are involved in multiyear projects to try to model and aggregate risk to at least identify what the exposures are.
“Regulators and rating agencies are very conscious of the ten- and eleven-figure cyber aggregations that carriers have on their balance sheet, so they’re looking more closely at how carriers are protecting themselves from an exposure management point of view,” Gow said. Until a few years ago, much of the reinsurance was proportional, and since then reinsurers have been impacted by their proportional participation in treaties that have been heavily affected by ransomware, he added.
After the Colonial hack, the FBI was able to retrieve about $2.3 million in Bitcoin of the approximately $4.4 million the company paid to DarkSide, in part by reviewing the Bitcoin public ledger.[6] Gow said that despite the FBI being able to successfully retrieve those funds, “nobody should expect to get their Bitcoin back if they pay a ransom, particularly if you’re dealing with an experienced crew of cybercriminals” like DarkSide.
Niami noted that “every day the targets, the type of attacks, the software that’s being targeted, and where it’s coming from keeps changing. Actuaries aren’t going to become IT experts, but can become more familiar with the technology, the language, and the technical issues that impact this area,” he said, adding that even talking to a security expert in their own company can help an actuary’s high-level understanding of cyber threat issues.
Niami offered this analogy for companies: “If someone knocks on your door and sees there are a lot of walls and doors, they’ll say, ‘I don’t want to deal with that,’ and go next door where it’s more wide open. The problem becomes for small and midsized companies as to how much they can afford to spend” on cybersecurity, he said, adding that “some larger outfits don’t even have a handle on who all their third-party vendors are.”
How cyber-risk insurance moves forward “is anyone’s guess,” Niami said. “There have been a lot more coverages added in the past few years,” including ransomware and legal issues related to security and privacy liability. Industrial, manufacturing, and public-sector coverage prices “were quite reasonable compared to, for example, financial companies,” but that has changed, with public-sector entities such as police departments, transit agencies, and hospitals getting hit hard in the past few years. And they often don’t have enough money to hire the people they need, let alone for updating their software and hardware, Niami said.
In the cloud
With most activity, business and otherwise, having migrated to the “cloud”—stored on internet servers instead of company hard drives—that can lead to more cyberattacks on vulnerable systems. And with the coronavirus pandemic leading to more people working from home in the past year-and-a-half, the migration of business operations to online has only been magnified.
“There’s a pretty significant trend in general in moving things to the cloud,” said Jon Oltsik, senior principal analyst and fellow with IT research and analysis firm Enterprise Strategy Group. “When the pandemic hit and everyone was sent home, that just accelerated the pace.”
What Oltsik called this “lift and shift” strategy is due to the lower cost of using the cloud versus a company network. “In recent years, the cloud has become the development platform of choice, and that’s what’s driving a lot of this,” he said. “The cloud is pretty secure … [but] the pace of change of application development tools and infrastructure in the cloud is just extraordinary. Every year, Amazon, Microsoft, and Google announce new types of developer features and functions, and people use them almost immediately.”
Oltsik, who moderated a June webinar hosted by publicly traded cybersecurity firm Splunk Inc., used the analogy of a storage-facility locker, in which “the locks are changing quickly. Your security team may not understand how to lock down your cloud infrastructure and applications, or they may make human-error mistakes. That’s the most common way people are getting into the cloud,” he said.
Splunk noted its webinar that almost three-quarters—73%—of organizations are enriching their security analytics with other data sources, and Oltsik confirmed in a subsequent interview that more companies were using automated data analytics, applying statistical analysis to their corporate networks and systems.
“All systems log activity, and if you know what you’re doing, you can find suspicious activity,” he said. “But because a big company or government agency will have thousands of assets, no person can do that, so you automate data-collection, apply rules and statistical analysis to it, and use it to provide advanced analytics.”
Some data anomalies might be obvious, but as was the case with SolarWinds, “the Russians are very good at hiding, so you have to be good at detecting things all over the network,” Oltsik said. Analytics help companies detect and determine which things are the most dangerous and should be prioritized and fixed first. “That’s what the analytics are doing,” he said. “They’re helping us with decision-making that we didn’t have in the past.”
In the wake of SolarWinds, the Biden administration issued an Executive Order in May that encouraged private-sector companies to follow the federal government’s lead to take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.[7] The order would:
- modernize and implement stronger cybersecurity standards in the federal government;
- establish a cybersecurity safety review board;
- improve detection of cybersecurity incidents on federal government networks; and
- improve investigative and remediation capabilities.
Splunk noted in its webinar that 78% of organizations are concerned they are vulnerable to an attack like SolarWinds. “If you have a trusted software partner like SolarWinds … there’s very little security oversight done, because the assumption is that’s a trusted partner,” Oltsik said. “But if that partner is breached, those in security say, ‘Holy Smokes—now we have to look a little more at what our trusted partners do.’ Government agencies kind of do that, but if you look at the Biden Executive Order, basically they’re saying, ‘You can’t take this for granted anymore; you have to do X, Y, and Z to make sure these systems are secure.’”
How did we get here?
“I don’t think most people could have predicted the combination of factors that got us to where we are now” with cybersecurity, said Meg King, director of the Science and Technology Innovation Program at the Washington, D.C.-based Wilson Center, which studies a wide range of global public policy issues.
SolarWinds led to a domino effect, with customers of Microsoft and cybersecurity firm FireEye inadvertently passing the bug along to customers in its software, exposing sensitive data. (FireEye’s cybersecurity sleuths first discovered and reported the SolarWinds hack last December.) Then early this year, a group of suspected Chinese hackers broke into tech giant Microsoft’s email software. Those attacks “showed there were a lot of vulnerabilities that could be accessed by criminal groups, among other things,” King said. “Ransomware has been a pervasive problem, fueled in part by the anonymity, or partial anonymity you get by transferring funds via cryptocurrencies.”
Asked about groups with potentially more nefarious motives, King said that the largely criminal groups that have engaged in cybercrime “are only out there to make money. It’s not in their interest financially to carry out an attack that results in the loss of life. … Theoretically, a terrorist group could hire one of these hacking groups, but the criminal group would have to be completely naïve [because] there would be a non-digital response to what would be considered an act of war.”
Regarding potential laws that might bar ransomware payments—as was discussed in congressional hearings following the Colonial Pipeline and JBS hacks this spring—King said she thought such a measure “would be hard to pass, but there are lot of other things to do short of just banning paying ransom.” In the wake of the two hacks, The Treasury Department is considering requiring the reporting of cryptocurrency transactions worth $10,000 or more to the IRS.[8] “That kind of thing would probably have to be codified by Congress,” she said, noting that even the lowest levels of ransomware cases have topped that threshold.
MICHAEL G. MALLOY is managing editor for member content at the Academy.
[1] “SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments.” 60 Minutes. July 4, 2021.
[2] “Carbis Bay G7 Summit Communiqué.” The White House. June 13, 2021.
[3] “Testimony of Joseph Blount, President & CEO, Colonial Pipeline Co.” U.S. Senate Committee on Homeland Security & Governmental Affairs. June 8, 2021.
[4] “Hackers Demand $70 Million to End Biggest Ransomware Attack on Record.” CBS News. July 6, 2021.
[5] “Casualty Quarterly, Spring 2021.” American Academy of Actuaries. April 2021.
[6] “Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside.” U.S. Department of Justice. June 7, 2021.
[7] “Executive Order on Improving the Nation’s Cybersecurity.” May 12, 2021.
[8] “The American Families Plan Tax Compliance Agenda.” U.S. Department of the Treasury. May 2021.
[9] “Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion.” U.S. Department of Justice memorandum. June 3, 2021.
[10] “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market.” U.S. Government Accountability Office. May 20, 2021.