While many may think it premature to discuss the potential for another pandemic, particularly in the midst of the COVID-19 Health Crisis, there are some indications and warnings that another COVID-like event, albeit in the cyber world, is on the horizon.
According to the World Economic Forum (“WEF”), an independent international organization focused on “improving the state of the world,” the next major global pandemic will likely be a cyber one. It posits that like the COVID-19 Public Health Crisis, which demonstrated how vulnerable the global community was to a biological crisis, so too would a “COVID-19-like” cyber pandemic demonstrate how dependent and vulnerable we are in the digital world.
In a short video posted on YouTube, the WEF argues that the effects of a cyber pandemic “would spread faster and further than any biological virus” with a “reproductive rate” 10 times greater than that of the coronavirus. Going further, the WEF concludes that the only way to stop such an “exponential propagation” of a “COVID-like cyber threat” is for the millions of vulnerable devices to completely disconnect, not just from one another, but also from the internet.
If recent events are any proof of the growing menace of cybercrime, the specter of a larger, more destructive type of cyber event is something that companies large or small must consider and prepare for as best they can.
What a single day without the internet would cost our global economy
The WEF says such a cyber virus could propagate itself and infect so many computers and systems so quickly that the end result could be a day or longer without any internet access. If such a scenario were to occur, the WEF calculates the potential costs and damage to the global economy would be more than $50 billion, “not including the economic and societal damages” that would also result from the closure and disconnection of critical infrastructure such as energy, transportation, and health systems, from the internet.
To help companies assess the impact of a potential cyber pandemic, the WEF’s Cyber Polygon, a subsidiary dedicated to cybersecurity issues, will address these issues during a cyber pandemic event planned for July 9, 2021.
Like an exercise it conducted in 2020, the Cyber Polygon is “a unique cybersecurity event that combines the world’s largest technical training exercise for corporate teams and an online conference featuring senior officials from international organizations and leading corporations.” According to the WEF website, this year’s simulation and conference will discuss the key risks of digitalization and best practices for the “secure development of digital ecosystems.”
The WEF is not the only entity to hold a simulation such as this. In June of 2017, the New England National Guard held its own simulation of a cyber attack on Cape Cod during its 7th annual Cyber Yankee cybersecurity exercise.
Ransomware is increasingly attacking the insurance industry
While an actual global cyber pandemic hopefully will never come to pass, the increasing rate of isolated, “one-off” cybercrimes cannot be ignored. As succinctly stated in the June 2021 McAfee Labs Threats Report, “[w]hile the topic itself is not new, there is no question that the threat is now truly mainstream.”
For example, in the U.S. during the first half of 2021 alone, there have been various ransomware attacks against major supply chains including Colonial Pipeline, JBS Foods, the Massachusetts Steamship Authority, and the top 25 U.S. P&C insurer CNA.
The report notes that in 2020, ransomware attacks were up 150%. The report goes on to advise that while “smaller” ransomware attacks appeared to have dropped in Q1 of 2021, there was also a rise in what it calls “Ransomware-as-a-Service campaigns,” which involve targeting and breaching more lucrative larger organizations and companies. Moreover, the report notes that many of these targeted companies received “a custom-created variant” of the ransomware family.
McAfee Labs also saw a 3% increase in the first quarter of 2021 in the number of malware threats it tracks per minute (688) and a 41% increase in threats to the Finance/Insurance sector from Q4 2020 to Q1 2021. Phishing and account hacking incidents also increased during the first quarter of the year.
So how does all this affect the Massachusetts insurance industry?
It is important to realize that while the insurance industry has traditionally been decentralized and run at the state level, that is no longer the case. As many insurers move from legacy systems to centralized platforms such as Guidewire, they are now a part of the digital insurance supply chain.
A case in point: In March of this year, the top 25 P&C insurer, CNA, was forced to disconnect from the internet and ended up paying a $40 million ransom in order to restore its operations.
Independent agents, too, must realize that no matter how small their agency, they are also a connected part of the internet and interact with many entities that are global or national in nature. In addition, they have the added burden of safeguarding their clients’ data, oftentimes with fewer resources than the larger entities with which they work.
As such, it is important to remember that the use of digital platforms, cloud-based applications, AI chatbots, social media platforms, etc. has inherent risks.
Whether you are an independent agency, a regional insurer, an insurtech, or a global insurer doing business here in Massachusetts, the main takeaway is that anyone doing business on the internet today needs to understand the risks of being connected to everyone else on the internet and to prepare their businesses as best they can against a potential cyber-attack or cyber pandemic.
Where to start?
So, what to do? There are many resources out there listing ways to prepare against a potential cyber-attack. For example, earlier this month, New Hampshire issued a warning to insurers based on President Biden’s Executive Order.
“It is critical for insurers to protect against these threats,” said Commissioner Chris Nicolopoulos. “There are immediate precautions and steps industry leaders can take to prevent a ransomware attack, including ensuring strong cyber defenses.” In addition, the WEF has offered various solutions for companies large and small looking to prepare for an anticipated risk which you can find on their website.
Finally, the White House also has weighed in on the issue, issuing a memo to Corporate Executives and Business Leaders on June 2, 2021 entitled “What We Urge You To Do To Protect Against The Threat of Ransomware.” In the document, the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, writes the following:
“The private sector also has a critical responsibility to protect against these threats. All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location. But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy. Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defences match the threat.
The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively. To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”
The following is a list of some of the key recommendations from both the WEF and the White House memo:
- Make cybersecurity a C-Suite issue. Planning for a potential cyber pandemic and how your company will secure its online data is a strategic planning issue best handled by the top-brass.
- Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems. Consider keeping physical hard copies (paper files) of important or sensitive data and images.
- Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
- Test your incident response plan: There’s nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
- Check Your Security Team’s Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
- Invest in technical know-how. If all your processes are online, you need to have someone with the knowledge to protect them. Do not skimp on making sure you have a well-informed, up-to-date, certified IT team.
- Educate your employees about good “cyber hygiene”. Ensure employees are well-versed in how best to transmit sensitive data, avoid unknown sender links, and select trustworthy websites and apps. This also includes updating and patching systems promptly on their own computers that might be used for company work.
- Segment your networks: There’s been a recent shift in ransomware attacks – from stealing data to disrupting operations. It’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.
For those interested in reading the official memo, it can be accessed here: