9 Essential Questions About Evolving Cyber Risks and Claims Trends

Welcome back to the Cyber Savvy Broker Newsletter. Every month, we use this space to explore new and relevant topics for brokers in the cyber insurance world.


In case you missed it, we recently published a brand-new report on cyber risks and claims trends from the first half of this year. The 2024 Cyber Claims Report: Mid-year Update dives into new data on ransomware, risky technologies, third-party disruptions, and more.

Over the past few weeks, we’ve received numerous questions from brokers about the findings in the report, how these trends may impact businesses, and how Coalition is responding.

So, this month, our newsletter is dedicated entirely to your questions. We sought out experts from all corners of Coalition to share their perspectives on risky technologies, threat actor behaviors, how AI may be influencing claims activity, and much more.

1. What’s an exposed login panel, and why’s it risky?

Login panels, or login pages, are a way for businesses to provide users with remote access to applications or data from first- and third-party digital assets. Businesses often use a mix of cloud, web, and on-premises applications, many of which are web-accessible by default. This means that the login panels are also discoverable to threat actors that actively scan the internet looking for easy access into a business’ networks.

Leaving login panels exposed to the public internet is like leaving an expensive racing bike unlocked in a busy area: We want convenient access to the bike but don’t want anyone else to take it. This is why most people lock their bikes.

Exposed login panels are complex systems that act like a lock to a door. Some are as simple as lock and key; others are more complex and require multiple steps to unlock. They all suffer from the same weakness: They’re only as good as the vendor that developed them or the code used to program them. This is why exposed login panels are susceptible to various methods of compromise, including remote attacks (command injection, remote code execution, or shell exploits that prey on the programming of the application) and social engineering attacks that use compromised credentials, brute force, or a combination of phishing and keylogging.

Coalition groups exposed login panels into two categories: those that should never be exposed to the internet and those that can or must be exposed but require additional scrutiny due to the importance of the services to which they provide access. The first group includes critical administration panels and management interfaces; Coalition agrees with CISA that these panels are heavily targeted by threat actors and access should be restricted from the public internet. The second group requires diligence in security posture and patch management.

Businesses with internet-exposed login panels were 3.1 times more likely to experience a claim in the first half of 2024 (1H 2024). We strongly recommend that businesses enforce multi-factor authentication (MFA) for all applications, when possible, and ensure they’re always running the latest firmware with up-to-date patches. — Joe Toomey, Head of Security Engineering

(Thanks to Thomas Harrington at Schueller-Harrington & Associates for this question.)

2. What’s the average ransomware payment amount after negotiations, and why do threat actors settle for less than the original demand?

Our primary goal is to support policyholders and mitigate the impacts of a ransomware event to the extent possible. But sometimes, businesses decide paying the ransom is their best option.

In 1H 2024, the average ransom demand was $1.3 million. This number includes both instances when policyholders opted to pay the ransom and when they didn’t.

When reasonable and necessary, Coalition helps guide policyholders through the process of negotiating and paying a ransom. This year, we’ve successfully negotiated ransom payments down by an average of 57% of the initial demand. In those cases, the average ransomware payment was $357,000.

As for why threat actors accept reduced amounts, their willingness to negotiate varies from case to case. Sometimes, it has to do with their ability to exfiltrate data. Other times, they just want to wrap things up and move on to the next target. Many ransomware gangs operate like businesses, so there are many factors that can influence a negotiation. — Shelley Ma, MS, EnCE, Incident Response Lead, Coalition Incident Response

Read more about how the ransomware negotiation and payment process works.

(Thanks to Johan Hernandez at NFP Canada and Tim Friesen at HUB International for these questions.)

3. What happens when a ransom is paid but the threat actor doesn't hold up to their end of the deal?

When a business chooses to pay a ransom, all parties are putting their trust in threat actors.

Even after payment is made and threat actors deliver proof of deletion, retained copies of stolen data can still resurface on the dark web at a later time. We’ve also seen instances where the threat actors didn't provide a decryption key after the ransom was paid.

There’s no honor among thieves, which is why we urge businesses to ensure they have reliable backups in place. Here are our best recommendations for maintaining backups:

  1. Triage the data on all systems. Determine what would be needed to restore critical business and all business operations (across teams like Sales, Finance, Marketing, and Operations).
  2. Always maintain at least two backups. One set should include all critical data and be completely offline from the primary network so it cannot be accessed and encrypted.
  3. Avoid onsite software backups when possible. They’re the least effective, as threat actors are familiar with how to corrupt or delete them.
  4. Determine a cadence for backing up critical data. Some businesses are comfortable with weekly backups, while others need to run them every 24 hours.
  5. Test backups often (monthly at a minimum). Testing verifies if restoration is possible and estimates how long it will take. Data recovery timeframes can range from as low as 45 minutes to six months or more.

Having viable backups is often an effective way to recover from a ransomware event and helps to avoid having to engage with threat actors. — Leeann Nicolo, Incident Response Lead, Coalition Incident Response

(Thanks to Beverley Salo at WBA Insurance for this question.)

4. Are the increases in business email compromise frequency due primarily to artificial intelligence?

Coalition sees business email compromise (BEC) events every day. BEC was the leading cyber event in 1H 2024, accounting for nearly one-third of all reported claims. A key part of our investigation in these cases is identifying the root cause of the compromise. For BEC cases, the most common root cause is a phishing email.

Not all phishing emails are equal in credibility and effectiveness. Some are still general, with vague wording and recognizable suspicious patterns, while others are more personalized, especially when a threat actor uses spear phishing.

Spear phishing attacks are highly targeted, and threat actors could use AI to improve their success rate. Whether it’s scanning large datasets to identify valuable targets more quickly or extracting details to make the emails more credible, AI has the potential to enable threat actors to greatly increase the scale and sophistication of their attacks.

Historically, phishing emails have been characterized by poor grammar or typos. With help from AI, it is possible for threat actors to craft nearly flawless phishing emails in any language. The absence of out-of-pattern typos or unusual grammar can increase the believability of phishing emails, which can, in turn, improve their success rate.

At its core, phishing is a social engineering attack that relies on deceiving end users. This is why it’s crucial for businesses to educate employees and invest in training solutions that prepare them for these types of attacks. — Amy Cohagan, Senior Incident Response Analyst, Coalition Incident Response

(Thanks to Tom Brand at USI Insurance Services for this question.)

5. What type of training would you recommend to businesses for their employees to prevent business email compromise?

Most businesses recognize that human error is one of the biggest contributors to cyber risk. Yet, many, many businesses have not rolled out phishing awareness programs.

A high-quality security awareness training program can empower employees to identify phishing attempts, help avoid BEC and funds transfer fraud (FTF) events, and collaborate with IT to bolster a business’ security posture.

Aberdeen Strategy & Research reported that security awareness training resulted in “a reduction in risk of about 50%" and "a reduction in the 'long tail' of risk from phishing attacks of more than 2.5 times."

We launched Coalition Security Awareness Training (SAT) with this in mind: providing small businesses with tools to educate employees on emerging phishing and social engineering techniques. Coalition SAT includes handpicked training content, phishing exercises, and phishing simulation features, making it easy for teams to reduce human risk and helping them achieve compliance. — Alok O., Head of Security Products

Read more about why security awareness training is essential for SMBs.

(Thanks to Gary Saunders at CoVerica for this question.)

6. What’s the difference between funds transfer fraud and funds transfer liability?

Funds transfer fraud (FTF) and funds transfer liability (FTL) are commonly confused. Both coverages respond to cybercrimes, but the two importantly differ based on who is victimized by the fraud.

FTF is a form of cybercrime in which a business or its financial institution receives fraudulent electronic instructions to authorize the transfer of money or goods. These events often occur due to social engineering: A threat actor sends a business a fake email and tricks them into making an unauthorized payment.

An FTF event is considered a first-party loss because the money is stolen from an account owned by the policyholder, either the policyholder’s own funds or funds held in escrow by the policyholder. Direct losses incurred by the policyholder typically fall under FTF coverage.

FTL is a coverage that applies when a security failure allows an attacker to gain access to the policyholder’s system in order to steal funds from third parties. For example, an attacker gains access to a real estate broker’s email account and sends new wire transfer instructions to a home buyer. The home buyer then wires their deposit to the attacker.

The key for FTL coverage is that the cause was a security failure on the policyholder’s network, which may make them legally responsible for the transfer. If the home buyer received an email that wasn’t from the policyholder’s domain (spoofed sender address or email from a look-alike domain), the policyholder generally wouldn’t be liable, and FTL coverage wouldn’t apply.

FTL coverage is considered a third-party coverage because the policyholder’s initial security failure led to the theft of a third party’s funds. The impacted third party must make a demand of the policyholder or take legal action to recover lost money. Defense costs and damages owed to the third party typically fall under FTL coverage. — Michael Carr, Head of Cyber Portfolio Underwriting

Learn more about how coverage responds to FTF events.
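The FTL distinction above turns on whether the wire-instruction email actually left the policyholder's mail system or only appeared to. This added example (not Coalition's tooling, and not from the original newsletter) triages a message the way an incident responder would: it reads the visible sender domain and the receiving server's Authentication-Results header, then labels the message as genuinely sent from the legitimate domain, spoofed, from a look-alike domain, or unrelated. The domain `examplerealty.com`, the homoglyph table and the sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

LEGIT_DOMAIN = "examplerealty.com"  # assumption: the policyholder's real domain
HOMOGLYPHS = str.maketrans("01357", "olest")  # digit-for-letter swaps seen in look-alikes

def sender_domain(msg):
    """Domain part of the visible From: address, lower-cased."""
    return parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()

def dkim_pass_domains(msg):
    """Domains with a passing DKIM signature, per the receiving server's
    Authentication-Results header (RFC 8601)."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {d.lower() for d in
            re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", hdr, re.I)}

def is_lookalike(domain, legit=LEGIT_DOMAIN):
    """True when the sender domain imitates the legitimate one."""
    if domain == legit:
        return False
    if domain.translate(HOMOGLYPHS) == legit:  # e.g. examp1erealty.com
        return True
    return SequenceMatcher(None, domain, legit).ratio() >= 0.85

def classify(raw_message, legit=LEGIT_DOMAIN):
    """Label where a wire-instruction email really came from."""
    msg = message_from_string(raw_message, policy=policy.default)
    dom = sender_domain(msg)
    if dom == legit:
        # DKIM pass for the legit domain => its own mail system signed it (account compromise)
        return "sent-from-legit-domain" if legit in dkim_pass_domains(msg) \
            else "spoofed-sender"
    return "lookalike-domain" if is_lookalike(dom, legit) else "unrelated-domain"

def sample(from_addr, auth_results):
    """Constructed test message, not a real capture."""
    return (f"From: Jane Agent <{from_addr}>\nTo: buyer@example.net\n"
            "Subject: Updated wire instructions\n"
            f"Authentication-Results: {auth_results}\n\n"
            "Please use the new account below.\n")

SAMPLES = {  # constructed: each reflects one of the four origins
    "compromised": sample("jane@examplerealty.com",
        "mx.example.net; spf=pass smtp.mailfrom=examplerealty.com; "
        "dkim=pass header.d=examplerealty.com"),
    "spoofed": sample("jane@examplerealty.com",
        "mx.example.net; spf=fail smtp.mailfrom=examplerealty.com; dkim=none"),
    "lookalike": sample("jane@examp1erealty.com",
        "mx.example.net; spf=pass smtp.mailfrom=examp1erealty.com; "
        "dkim=pass header.d=examp1erealty.com"),
    "unrelated": sample("jane@mail-promo.example", "mx.example.net; dkim=none"),
}

def triage_all():
    """Map each sample to its classification (what a responder would record)."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}
```

Only the "sent-from-legit-domain" outcome points to a security failure on the policyholder's side; the other three labels describe the spoofed or look-alike cases in which, as the answer notes, the policyholder generally would not be liable.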

7. Is there a minimum loss required for Coalition to claw back money after a funds transfer fraud event?

When a matter is reported to Coalition, neither the loss amount nor the self-insured retention amount has any bearing on our process. We follow the same procedure for all funds transfer fraud (FTF) events and work to claw back the stolen funds to the best of our ability — and no amount is too small for us to pursue recovery.

Larger transactions typically take longer for banks to process, which means we have more time and a greater chance of recovery. However, the biggest determining factor in a successful FTF clawback is reporting time.

The sooner a policyholder reports a matter to us (even if it’s just suspicious activity), the greater our chances of clawing it back. The first 48 hours are the most critical, though we’ve managed to claw back funds months after the initial wire.

In the first half of 2024, policyholders recovered $10.8 million with an average recovery amount of $208,000. This includes at least a partial recovery in 27% of all reported FTF events and a full recovery in 15% of reported events. — Anne Juntunen, Senior Claims Manager

Read more about how clawbacks put stolen funds back in policyholders’ pockets.

8. How can policyholders see what underwriters would flag as a contingency during the policy period?

Coalition Control is the single source of truth for policyholders seeking to assess their cyber risk exposure. Once a cyber insurance policy is bound, we continuously monitor the digital attack surface of every policyholder, looking for assets that are exposed, vulnerable, and likely to be targeted — policyholders can view their risks in real time via Control.

If an exposure is detected during the policy period and is likely to result in a claim, we notify the policyholder with a security alert that describes the risk and provides the best-in-class recommendation for how to mitigate or avoid it. While new exposures will not impact coverage during the policy period, unresolved security issues may result in contingencies that must be resolved before renewal.

We recognize that every business responds to security alerts differently. What matters most is that security alerts are being received and addressed with the appropriate level of urgency. And if a business ever needs help responding to a security issue, our Security Support Center is committed to providing active, tailored solutions that mitigate risks and enhance security resilience. — Ryan Gregory, Security Support Center Lead

Learn about the difference between proactive and reactive security alerts.

9. Would Coalition increase premiums and/or not offer a renewal based on a client not acting on security recommendations?

Yes, it’s critical that policyholders heed our guidance and take action to address new risks as they arise. New vulnerabilities regularly emerge during the policy period. Coalition relies on a continuous feedback loop between our security research, claims, and underwriting teams to ensure we have a complete view of the cyber threat landscape.

When a new vulnerability emerges, Coalition quickly assesses the severity, exploitability, and potential impact on insurance claims. If likely to result in claims, we immediately notify impacted policyholders and provide security recommendations to mitigate the risk. Then, we provide access to experts in our Security Support Center to help ensure brokers and policyholders address the risk.

One benefit of addressing cyber risks head-on is a smoother renewal process. With access to Control and guidance from our Security Support Center, policyholders have the ability to be proactive about their cybersecurity strategy. So when facing a critical risk, brokers and policyholders should consider the big-picture financial impact of a potential breach, as it could be much more than just a premium increase.

Requiring businesses to address certain risks prior to renewing coverage has proven to increase our policyholders’ security posture and decrease the likelihood of claims.

We also know that inaction can lead to financial loss: Businesses with at least one contingency of any type were 2.5 times more likely to experience a claim in the first half of 2024.

We encourage all businesses to take action on our security recommendations, even if they ultimately choose not to bind or renew a policy offered by Coalition. In the first six months of this year, 156 businesses that didn’t follow our security recommendations and didn’t bind coverage experienced a cyber incident, totaling an estimated $78 million. — Austin Aten, ACAS, Head of Cyber Pricing

Read more about how we price and model cyber risk.

(Thanks to Haley Phillips at HUB International for this question.)


Thanks for reading the Cyber Savvy Broker Newsletter. Join us for future editions as we continue to explore the most up-to-date and noteworthy topics in the cyber insurance industry. Click the Subscribe button to receive the Cyber Savvy Newsletter directly in your inbox.

Want to start working with Coalition? Click here to become an appointed broker.


This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.

Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc. (“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2024. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.