Hiscox cyber claims report 2018 - Hiscox Group

Page created by Renee Caldwell
 
Hiscox, the international specialist insurer, is
headquartered in Bermuda and listed on the London
Stock Exchange (LSE:HSX). There are three main
underwriting divisions in the Group – Hiscox Retail
(which includes Hiscox UK & Europe, Hiscox Guernsey,
Hiscox USA and subsidiary brand, DirectAsia), Hiscox
London Market and Hiscox Re & ILS. Through its retail
businesses in the UK, Europe and the US, Hiscox offers
a range of specialist insurance for professionals and
business customers, as well as homeowners. Hiscox
underwrites internationally traded, bigger ticket
business and reinsurance through Hiscox London
Market and Hiscox Re & ILS. For more information
please visit www.hiscoxgroup.com.
Introduction
From payment diversion fraud
to cryptojacking...

Managing the cyber risk
Cyber insurance might seem like a relatively new product but, at Hiscox, we have been providing businesses with cyber protection for nearly 20 years and we have dealt with over 1000 cyber related insurance claims from businesses over the past 12 months alone. The single biggest cause of a claim was ransomware – where a business’ computer system is effectively put out of action by a hacker until a ransom is paid. Analysis from across the market suggests that this tactic is on the decline as people and businesses become more aware of the threat after the WannaCry and Petya attacks of 2017, although we are still seeing ransomware related insurance claims in 2018.

Another central cause of cyber related claims seen over the last year was through payment diversion fraud; where a criminal manages to fraudulently persuade an organisation to pay them rather than a supplier. We believe this may be because incidents of this type require relatively low levels of technical sophistication, where attackers often just use their phones for simple social engineering attacks, or create spoofed email addresses to lure in potential victims.

The rise of cryptojacking
What these tactics suggest is that while cyber criminals might still be very interested in stealing and using confidential and personal data for financial gain, there are now more direct ways to profit from cyber crime. Cryptojacking – where criminals use the processing power of a business’ computer systems to surreptitiously mine for cryptocurrency – is the latest of these trends and we explore its impact later in this report.

The examples in this report give a broad overview of the range of claims we’ve seen in the last year, spread across different sizes of company, industries and geographies. The key learning is that no business is immune from the growing cyber threat.

We’ve seen that attackers are evolving their methods, targeting both the better protected perimeter of a company’s network and the softer underbelly – their staff. Employee error has emerged as a key risk and we see examples of attacks related to phishing within the report. The threat goes beyond this to include drive-by website infections and the danger of staff sending confidential data insecurely or losing unsecured mobile devices. Businesses must ensure their staff are equipped to deal with the risk and employee training is key.

Responding to the threat
In each of the examples we highlight, cyber insurance went beyond the promise to pay and played a crucial role in responding to the threat. It gave affected businesses fast access to a range of experts including experienced cyber claims handlers to support them through the incident, forensics specialists to remediate the threat, and legal and PR teams to help prevent reputational damage. Our aim is to get our customers back on their feet as fast as possible whilst still providing financial support for any associated loss of income.

In a cyber insurance market expected to be worth US$36 billion by 2027 (compared to US$3.2 billion today), this Hiscox cyber claims report – the first in a series of cyber reports and related material we will be producing – is intended to help our customers and the wider business community better understand current and emerging cyber risks; how they can help reduce the risk to their organisation; as well as illustrating how insurance can form part of a cyber risk management strategy.

Gareth Wharton
Cyber CEO
Hiscox

Cyber claims by numbers
Over 1,000 claims in 2017

Claims count growth
Across all Hiscox territories
[Chart: claims count by year, 2013 to 2017]

Since 2013, the number of claims against the cyber insurance policies we have issued has risen by more than 1,700%. This is from a relatively low base but is a good indicator that businesses of all sizes and in all geographic regions are experiencing far more activity related to the cyber threat than five years ago. This is resulting in far greater potential for financial and reputational loss.

2017 Hiscox claims
UK retail
Human error: 67%
Non-human error: 33%

Over two thirds (67%) of all claims involve an element of employee error. Examples include employees clicking on malicious emails, visiting harmful websites or simply being negligent in losing devices. It is vital that businesses not only invest in technology, but also process and people, ensuring that their staff are an effective first line of defence.

2017 personally identifiable information (PII) claims
UK retail
PII claims: 22%
Other claims: 78%

Nearly a quarter of the claims (22%) in the UK involved the loss or misuse of PII. Given the tightening of regulations, incidents of this kind could become more costly both financially and from a reputational perspective. Despite this, 78% of claims did not include loss or misuse of data, presenting a risk even for businesses that hold little or no PII.

2017 cause of claims
Across all Hiscox territories
Ransomware: 23%
Hacker: 20%
Data loss or misuse: 16%
Other: 13%
Payment diversion and phishing: 12%
Lost device or documents: 7%
Malware: 6%
Software or hardware failure: 3%

While ransomware was the most prevalent cause of claims in 2017, the graph above illustrates the wide range of attacks that businesses have to protect themselves from. Some of these threats are external, some are internal and some are accidental. Combined this shows the need for a cyber defence strategy that encompasses people, process and technology.

Spotlight on cyber claims
Ransomware still on the rise

As in 2016, ransomware remained the largest source of cyber-related insurance claims for 2017, largely due to the low barrier
to entry for hackers, ease of deployment and the prospect of a decent return on a minimal investment. Ransomware usually involves
human error, where mistakes by employees also lead to many phishing and social engineering attacks. Below are four anonymised
examples of actual cyber insurance claims we have dealt with over the last 12 months, three of which involved an element
of human error.

No ordinary case of ransomware
Sector: Technology
Turnover: £10m – £50m

Background
Our insured became aware that its IT systems had been compromised when a number of folders were encrypted and a ransom demand was made. The hacker had determined the identity of the administrator of the company’s network and then used a brute force attack to identify their password.

Using the administrator’s credentials to remotely access the company’s systems, the attacker was able to obtain further credentials giving them even greater access. PII and commercially sensitive data (contracts, bank account details etc.) were compromised.

Hiscox response
The company contacted us and we immediately arranged for a data breach coach – a specialised role to help companies respond to a breach – and an IT forensic firm to investigate the extent of the breach, resecure the company’s network and understand its contractual and regulatory notification obligations. We also engaged a PR agency to advise the company on its communications with the press and customers.

A notification was made to the local data protection regulator as well as the data subjects affected and customers. The swift action taken resulted in the regulator taking no further action.

Lessons learned
- The attacker tried a large number of password combinations (usually in the thousands) until finding the correct one. To protect against this sort of attack, good user account management is critical, for example locking out accounts after a large number of failed login attempts.
- The UK’s National Cyber Security Centre (NCSC) has good advice on this subject and recommends that businesses:
  - allow around ten login attempts before the account is frozen;
  - put in place protective monitoring, which is a powerful defence against brute force attacks and offers a good alternative to lockout or throttling;
  - give administrators, remote users and mobile devices extra protection such as two-factor authentication;
  - ensure that administrators use different passwords for their admin and non-admin accounts;
  - consider implementing two-factor authentication for all remote accounts.
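
The lockout and protective monitoring advice from this case, sketched as an added example that is not part of the Hiscox report or NCSC guidance. The ten-attempt limit comes from the text above; the alert threshold, time window, account names and login events are constructed assumptions.

```python
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 10   # "around ten login attempts" (NCSC advice quoted in the report)
ALERT_FAILURES = 5       # assumption: failures inside the window that raise an alert
ALERT_WINDOW_S = 300     # assumption: sliding window length in seconds


class LoginGuard:
    """Tracks failed logins per account, freezes accounts and records monitoring alerts."""

    def __init__(self, lockout_threshold=LOCKOUT_THRESHOLD):
        self.lockout_threshold = lockout_threshold   # None = monitoring only, no lockout
        self.consecutive = defaultdict(int)          # account -> consecutive failures
        self.recent = defaultdict(deque)             # account -> recent failure times
        self.locked = set()
        self.alerts = []                             # (time, account, kind, source)

    def handle(self, ts, account, source, password_ok):
        """Return the decision for one login attempt: 'allow', 'deny' or 'locked'."""
        if account in self.locked:
            # A frozen account rejects even the correct password; that event is
            # worth an alert because it means the password is now known.
            if password_ok:
                self.alerts.append((ts, account, "correct_password_while_locked", source))
            return "locked"

        window = self.recent[account]
        while window and ts - window[0] > ALERT_WINDOW_S:
            window.popleft()                         # forget failures outside the window

        if password_ok:
            if len(window) >= ALERT_FAILURES:
                # The pattern in this claim: many wrong guesses, then the right one.
                self.alerts.append((ts, account, "success_after_failure_burst", source))
            self.consecutive[account] = 0
            window.clear()
            return "allow"

        window.append(ts)
        self.consecutive[account] += 1
        if len(window) == ALERT_FAILURES:
            self.alerts.append((ts, account, "failure_burst", source))
        if self.lockout_threshold and self.consecutive[account] >= self.lockout_threshold:
            self.locked.add(account)
            self.alerts.append((ts, account, "account_frozen", source))
        return "deny"


def constructed_events():
    """Constructed sample: a normal user mistypes once; 'admin' gets 12 wrong guesses
    two seconds apart and then the correct password."""
    events = [(1000, "jsmith", "10.0.0.7", False), (1010, "jsmith", "10.0.0.7", True)]
    events += [(2000 + 2 * i, "admin", "203.0.113.50", False) for i in range(12)]
    events.append((2030, "admin", "203.0.113.50", True))
    return events


def replay(guard, events):
    """Feed events through a guard and return the list of decisions."""
    return [guard.handle(*event) for event in events]


if __name__ == "__main__":
    for label, guard in (("lockout", LoginGuard()), ("monitor only", LoginGuard(None))):
        decisions = replay(guard, constructed_events())
        print(label, "final decision:", decisions[-1])
        for alert in guard.alerts:
            print("  alert:", alert)
```

With lockout enabled the final correct guess is refused; with monitoring only it succeeds, but the alert gives responders the moment and source of the compromise.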

Revenge DDoS attack
Sector: Financial services
Turnover: £10m – £50m

Background
A loan aggregator company suffered a series of DDoS attacks – a cyber attack that aims to bring down services by bombarding the networks with more traffic than they can handle – which crippled its website for several days, leaving it unable to trade.

Hiscox response
A police investigation revealed that the attacks were by a disgruntled employee. We covered the costs of the insured engaging its IT contractors to restore its systems. The company also suffered a very significant business interruption loss as a result of the breach.

Lessons learned
- Organisations that depend on their customers being able to access their internet based services should consider purchasing a DDoS mitigation service. These services filter out unwanted traffic before forwarding on legitimate requests to the appropriate website.

A large restaurant bill
Sector: Food services
Turnover: £1m – £10m

Background
A ransomware attack encrypted a restaurant’s entire server, impacting its point of sale registers and meaning it was effectively unable to trade.

Hiscox response
Having exhausted all other options, it was clear that the most effective way to restore the restaurant’s systems was to pay the ransom.

We covered the cost of the ransom, together with the associated IT costs of applying the decryption key and ensuring that the insured’s business was back up and running. We also engaged a breach coach to confirm whether any PII had been compromised. In addition to these costs, we covered the business interruption suffered by the restaurant as a result of being unable to trade.

Lessons learned
- By helping staff recognise the style of potential phishing emails, or what to look for in email senders’ details to help identify suspicious looking emails, companies can significantly reduce the risk of phishing attacks.
- It is also important to ensure that good back-ups are in place. These should be regularly tested and done through a system that is not connected to the main network, for example on a hard drive.

A costly phishing trip
Sector: Financial services
Turnover: £50m+

Background
An employee at a financial services agency fell victim to a phishing incident in which a spoof email from one of the company’s senior managers requested that the employee wired £230,000 to a specified bank account. Believing the request to be genuine, the employee issued the fraudulent wire and both the agency’s bank and the receiving bank were unable to recover the funds. The email was actually from a Gmail account created to imitate the senior manager’s genuine address.

Hiscox response
On realising what had happened, the agency called us and we immediately engaged a data breach coach and IT forensics to confirm whether there had been any breach of the insured’s systems or whether PII had been compromised.

We reimbursed the money lost within a month of notification while it was confirmed that no breach of data had occurred so there was no need for any notification.

Losses for payment diversion fraud are covered as standard under our US cyber insurance policy and can be offered as an additional cover in other territories.

Lessons learned
- Better staff training remains important here in order to help staff identify potential phishing emails.
- It is important to check email addresses carefully before taking action. Companies can help their employees by including an identifier on all emails that are received from external sources, such as including the wording ‘email originates from outside the organisation’ or similar.
- A change of culture can also make a big difference in mitigating this type of threat. Senior management should look to create an environment where employees are more likely to do the ‘right thing’ rather than simply satisfy an ‘urgent’ request from a client or a senior colleague. Ideally, wire transfer requests to new or modified accounts should be verified by calling the other party on a predetermined phone number – one that they already have, not one that may be in a phishing email, as hackers often give bogus numbers.

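
The external-sender identifier recommended in this case, extended to flag an outside address that imitates a senior manager, as an added example that is not part of the Hiscox report. The domain names, staff directory and messages are constructed assumptions, and `webmail.example` stands in for a public webmail provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "agency.example"   # assumption: the organisation's own mail domain
BANNER = "email originates from outside the organisation"   # wording suggested in the report
# Assumption: directory of senior staff, display name -> genuine address.
SENIOR_STAFF = {"Jane Doe": "jane.doe@agency.example"}


def _squash(text):
    """Lower-case and keep letters only, so 'Jane.Doe' and 'jane doe' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def assess(raw_message):
    """Return (is_external, impersonated_name_or_None, tagged_message_text)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    local, _, domain = address.rpartition("@")
    is_external = domain.lower() != INTERNAL_DOMAIN

    impersonated = None
    if is_external:
        for name, genuine in SENIOR_STAFF.items():
            genuine_local = genuine.split("@")[0]
            # An outside sender whose display name or mailbox name copies a
            # senior manager's is the pattern seen in this claim.
            if _squash(display) == _squash(name) or _squash(genuine_local) in _squash(local):
                impersonated = name
                break

    if is_external:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"[EXTERNAL] {subject}"
        warning = BANNER
        if impersonated:
            warning += f"; sender name matches {impersonated} but the address is not theirs"
        if not msg.is_multipart():
            # Plain single-part mail only; multipart bodies are left untouched here.
            msg.set_payload(f"*** {warning} ***\n\n{msg.get_payload()}")
    return is_external, impersonated, msg.as_string()


def _sample(sender):
    """Constructed sample message (not taken from the claim)."""
    return (f"From: {sender}\n"
            "To: accounts@agency.example\n"
            "Subject: Urgent payment request\n"
            "\n"
            "Please action the attached payment request today.\n")


SPOOFED = _sample("Jane Doe <jane.doe.agency@webmail.example>")
GENUINE = _sample("Jane Doe <jane.doe@agency.example>")
SUPPLIER = _sample("Accounts <billing@supplier.example>")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("supplier", SUPPLIER)):
        external, who, _ = assess(raw)
        print(f"{label}: external={external} impersonates={who}")
```

A banner only helps the reader notice the mismatch; the call-back on a predetermined number remains the control that stops the payment.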
What next: cryptojacking
More lucrative, less effort for criminals

Criminals are starting to move away from obvious and invasive ransomware attacks to a more stealthy cyber crime: cryptojacking.
According to Symantec, instances of cryptojacking rose 8,500 percent in the final quarter of 2017. Once a hacker has access to
a compromised computer system, instead of downloading a ransomware payload that encrypts the victim’s files, the cryptojacking
attack will install ‘mining’ software. This sits in the background and uses spare processing resource within the victim’s machine
or office server environment and quietly mines crypto-currency for the hacker. Whilst we have seen cases where the mining software
has been so invasive that the victim’s machines can no longer complete their intended task, our view is that the more savvy hackers
will use a smaller percentage of computer processing capacity allowing their activity to remain undetected and therefore earning
more in the longer term.

An IT firm falls victim
Sector: Technology
Turnover: £50m+

Background
A technology company noticed that a piece of malware had been installed on one of its servers.

Hiscox response
We immediately instructed an IT forensics firm to investigate what the malware was doing and how it had been installed on our insured’s systems. The server contained a substantial amount of PII and so we also investigated whether there was any wider breach or risk that PII had been compromised.

Given the potential gravity of the breach, we also instructed a breach coach to manage the investigation. The investigation confirmed that the malware was mining, but fortunately nothing more than this and there had been no wider breach.

Advertising for Bitcoin
Sector: Marketing
Turnover: £0 – £1m

Background
A PR company noticed a problem with its emails. Its regular IT contractor investigated and concluded the most likely cause was malicious activity. The insured contacted us and we deployed an IT forensics team who were quickly on site to investigate and confirmed the insured had indeed been the victim of an attack.

The PR company’s IT systems had been infected with cryptojacking malware to mine for cryptocurrency. They also confirmed that the hackers who deployed the malware had accessed the insured’s systems and that PII was potentially compromised.

Hiscox response
After investigating the extent of the breach, the IT team removed the malware and plugged the gap in the PR company’s security which had allowed the breach. We then engaged legal counsel to advise the insured on its notification obligations, and then arrange the notification of the regulator and relevant data subjects.

Lessons learned
- In both these cases – alongside the standard advice regarding good password management and regularly updating software to ensure it is fully patched – organisations can also use server monitoring software to track the key metrics of servers such as processor, memory, network and disk usage. Over time, the monitoring software will create a baseline from which thresholds can be set. This can be a useful way to track server outages, and it can also detect unusual levels of network traffic, helping to indicate when data is being exfiltrated. If processor utilisation is higher than expected for extended periods, this could also indicate that cryptomining malware is running on a system.
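
The baseline-and-threshold idea from the lessons learned, as an added example that is not part of the Hiscox report. It shows why a threshold derived from the server's own baseline catches a miner that throttles itself, where a fixed high-CPU alarm would not; the sample readings, the five-minute interval, the 3-sigma rule and the 30-minute duration are constructed assumptions.

```python
from statistics import mean, pstdev

SIGMA = 3.0             # assumption: threshold = baseline mean + 3 standard deviations
SUSTAINED_SAMPLES = 6   # assumption: 6 consecutive 5-minute samples = 30 minutes
FIXED_ALARM = 90.0      # assumption: a typical static "CPU is pegged" alarm level

# Constructed CPU % readings from a known-good period (one sample per 5 minutes).
BASELINE = [12.0, 15.0, 18.0, 14.0, 16.0, 13.0, 17.0, 15.0] * 6

# Constructed observation window: normal load, a short legitimate spike
# (for example a backup job), normal load, then a long moderate plateau.
OBSERVED = [14.0, 16.0, 15.0,
            80.0, 82.0, 79.0,
            15.0, 13.0,
            45.0, 47.0, 44.0, 46.0, 45.0, 48.0, 46.0, 44.0, 45.0,
            16.0, 14.0]


def build_threshold(history):
    """Derive an alert threshold from baseline samples of CPU utilisation."""
    spread = max(pstdev(history), 1.0)   # floor the spread so a flat baseline
    return min(100.0, mean(history) + SIGMA * spread)   # does not give a hair trigger


def sustained_breaches(samples, threshold, min_run=SUSTAINED_SAMPLES):
    """Return (start, end) index pairs for runs of at least min_run samples above threshold."""
    runs, start = [], None
    for i, value in enumerate(samples):
        if value > threshold:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(samples) - start >= min_run:
        runs.append((start, len(samples) - 1))   # run still open at the end
    return runs


if __name__ == "__main__":
    threshold = build_threshold(BASELINE)
    print(f"baseline threshold: {threshold:.1f}%")
    print("sustained breaches (baseline):", sustained_breaches(OBSERVED, threshold))
    print("sustained breaches (fixed 90%):", sustained_breaches(OBSERVED, FIXED_ALARM))
```

The short 80% spike is ignored because it does not last, while the 45% plateau is reported even though it never approaches the fixed alarm level.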
Glossary of terms

Access control. The process of granting or denying specific requests for or attempts to obtain and use information and related information processing services and enter specific physical facilities.

Advanced persistent threat (APT). A type of high-level targeted attack carried out by an attacker who has time and resources to plan an infiltration into a network. These are usually seeking to obtain information, proprietary or economic, rather than simple financial data. APTs are persistent in that the attackers may remain on a network for some time and usually bypass regular security controls.

Air gap. The physical separation or isolation of a system from other systems or networks.

Anti-malware/anti-virus. Software which uses a scanner to identify programs that are or may be malicious.

Attack surface. All of an organisation’s internet-facing assets including both hardware and software. A larger number of such assets yields more potential vulnerabilities that an adversary can exploit to attack an organisation.

Authentication. The process of verifying the identity or other attributes of an entity. May also be used in multi-factor (or two factor) authentication, which refers to the

Command-and-control server. A computer that issues instructions to members of a botnet.

Cookie. Files placed on your computer that allow websites to remember details.

Cryptojacking. The unauthorised use of a target’s computer systems to mine cryptocurrency.

Cyber Essentials. A government backed cyber security certification scheme that sets out a good baseline of cyber security. The base level requires completion of a self-assessment questionnaire, which is reviewed by an external certifying body. Cyber Essentials Plus adds an extra level by requiring tests of systems to be made by the external body.

Data loss prevention (DLP). A set of procedures and software tools to stop sensitive data from leaving a network.

Distributed denial-of-service attack (DDoS). An attack which prevents users from accessing a computer or website by overwhelming it with requests and/or instructions, often carried out using a botnet.

Domain name system (DNS). The phone book of the internet. It allows computers to translate website names, like hiscox.com, into IP addresses so that they can communicate with each other.

DNS hijacking. An attack which changes

Firewall. A barrier between networks or parts of a network, blocking malicious traffic or preventing hacking attempts. The firewall inspects all traffic, both inbound and outbound, to see if it meets certain criteria. If it does, it is allowed; if not, the firewall blocks it.

Hacktivism. Used to describe hacking activity carried out for political, ethical or societal ends.

Hashing. A process that uses an irreversible encryption algorithm to turn a data entry into a random alphanumeric value. Typically used to protect passwords from compromise in the event that a malicious actor gains access to the database where they are kept. Often combined with ‘salting’ (see below).

Incident response plan (IRP). A set of predetermined and documented procedures to detect and respond to a cyber incident.

Intrusion detection system (IDS). A device or software application that monitors a network or systems for malicious activity or policy violations, with any unusual activity being flagged.

Intrusion prevention system (IPS). A proactive version of IDS that can automatically take actions to block suspicious behaviour.

Insider threat. A person or group of persons within a company who pose
process in which multiple methods are            a computer’s settings to either ignore        a potential risk through violating security
used to identify and authenticate                DNS or use a DNS server that is controlled    policies, either maliciously or negligently.
an individual.                                   by malicious hackers. The attackers
                                                 can then redirect communication               ISO27001. An international standard that
Backdoor (trojan). A piece of malicious
                                                 to fraudulent sites.                          describes best practice when it comes
software which allows someone to take
                                                                                               to information security risk management.
control of a user’s computer without             Drive-by download. The infection of a
their permission.                                computer with malware when a user visits      Keylogger. A type of malware that can
                                                 a malicious website, without the user         secretly record a user’s keystrokes and
Blacklist. A list of entities, IP addresses
                                                 specifically initiating the download.         send them to an unauthorised third party.
etc. that are blocked or denied privileges
or access.                                       Encryption. The process of converting         Malware. A general term for malicious
                                                 information or data into a code, so that      software. Malware includes viruses,
Botnet. A collection of infected computers
                                                 it is unreadable by anyone or any machine     worms, trojans and spyware. Many
or internet connected devices that are
                                                 that doesn’t know the code.                   people use the terms malware and virus
remotely controlled by a hacker and report
                                                                                               interchangeably.
to a command-and-control server.                 Endpoint. An internet capable hardware
                                                                                               NIST cyber security framework.
Brute force attack. An attack in which           device. The term can refer to desktop
                                                                                               A set standards, best practices,
hackers use software to try a large number       computers, laptops, smart phones,
                                                                                               and recommendations for improving
of possible password combinations to gain        tablets, thin clients, printers, etc.
                                                                                               cyber security. It is industry, geography
unauthorised access to a system or file.
                                                 Exploit. An attack which takes advantage      and standards agnostic, and is outcome
Bug. An unexpected and relatively small          of a vulnerability (typically a flaw in       rather than input focussed.
defect, fault, flaw or imperfection in a         software code) in order to access or infect
system, software code or device.                 a computer.
Network access control (NAC). A method to bolster security by restricting network access to those devices that comply with a defined security policy.

Patches. Software and/or firmware add-ons designed to fix bugs and security vulnerabilities.

Payment card industry data security standard (PCI-DSS). An information security standard created by PCI-SSC that governs how companies accepting payments by credit or debit card have to handle and protect that information. There are four tiers of governance, based on the volumes of transactions that a company is handling, from level four at the bottom end to level one at the top. The exact boundaries of these tiers are set by the individual card brands.

Payment card industry security standards council (PCI-SSC). The body responsible for developing and promoting the PCI-DSS and relevant tools to aid compliance. Founded by the five main card brands (Visa, Mastercard, American Express, JCB and Diners) and supported by an ‘advisory board’ made up of representatives from major partners (retailers, processors, banks, etc.).

Penetration testing. A process whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network or information system.

Phishing. The fraudulent practice of sending emails purporting to be from reputable sources in order to induce individuals to perform particular actions, such as revealing information, transferring funds, or opening attachments or links.

Phreaking. Using a computer or other device to trick a phone system. Phreaking is often used to make free phone calls or to have calls charged to a different account.

Qualified security assessor (QSA). A person who has been certified to audit merchants for PCI-DSS compliance.

Ransomware. A piece of malicious software that encrypts or blocks access to data or systems, with a decryption key only being provided upon payment of a fee.

Red team exercise. An exercise, reflecting real world conditions, that is conducted as a simulated attempt by a hacker to attack or exploit vulnerabilities in a company’s network.

Redundancy. Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process.

Remote desktop protocol (RDP). A methodology that allows users to remotely connect to computer systems over the internet.

Report on compliance (RoC). Issued by a QSA if an audit has found a merchant’s systems to be in compliance with PCI-DSS.

Resiliency. The ability of a network to provide continuous operation (i.e. highly resistant to disruption and able to operate at a lower level if damaged), recover effectively if failure does occur and scale to meet rapid or unpredictable demands (e.g. DDoS attacks).

Rootkit. A piece of software that hides programmes or processes running on a computer.

Salting. The addition of a unique, random string of characters to a password before it is hashed to make deciphering the password more difficult.

Secure file transfer protocol (SFTP). A methodology for transmitting files over the internet in an encrypted format.

Secure sockets layer (SSL). An outdated protocol (replaced by TLS) for transmitting private data via the internet by utilising cryptographic systems that use two keys to encrypt data.

Security information and event management (SIEM). A security solution that provides visibility of a company’s cyber security by aggregating alerts and logs generated by multiple sources and security assets (IPS, IDS, AV, etc.).

Self-assessment questionnaire (SAQ). A self-assessment form used by smaller merchants to verify their compliance with PCI-DSS.

Social engineering. The methods attackers use to deceive victims into performing an action, often including phishing, but also phone calls, fake LinkedIn accounts, etc. Typically, these actions are opening a malicious webpage or running an unwanted file attachment.

Spearphishing. A targeted phishing attack against a certain individual.

Spoofing. When the sender address of an email is forged for the purposes of social engineering or phishing.

Spyware. Software that permits advertisers or hackers to gather sensitive information without your permission.

SQL injection. SQL is a computer programming language to tell a database what to do. An SQL injection is where that language is manipulated to instruct the database to perform a different task to what was intended.

Threat actor. An individual, group, organisation, or government that conducts or has the intent to conduct detrimental activities (essentially a hacker).

Threat vector. The method that a threat actor uses to gain access to a network.

Transport layer security (TLS). The successor to SSL and also a protocol for transmitting private data via the internet by utilising cryptographic systems that use two keys to encrypt data. Many internet browsers indicate a connection protected by TLS by displaying a padlock or security certificate near the website address field. Often still referred to as SSL.

Trojan. Malicious programs that pretend to be legitimate software, but actually carry out hidden, harmful functions.

Virtual private network (VPN). Method of connecting remote computers to a central network, allowing users to communicate or access the organisation’s servers securely over the internet.

Virus. Malicious programs that can spread to other files.

Vulnerability. Bugs in software that hackers exploit to compromise computers.

Whitelist. A list of entities, IP addresses, applications etc. that are considered trustworthy and are granted access or privileges.

Worm. A form of malware that can replicate and spread without the need for human or system interaction. Think of it as malware on autopilot.

Zero-day vulnerability. A software bug, unknown to the developers, that hackers have detected and can exploit to adversely affect computers, programs, data or a network.

Zombie (aka bot). An infected computer that is remotely controlled by a hacker. It is part of a botnet.

Hiscox Ltd
4th Floor
Wessex House
45 Reid Street
Hamilton HM 12
Bermuda
T +44 (0)20 7448 6000
E enquiries@hiscox.com
hiscoxgroup.com

19079 7/18