There has been a large amount of attention, both in the insurance industry and wider society, about the increasing frequency and severity of Ransomware attacks experienced by companies around the world.  Because we have been dealing with cyber risks since the turn of the century and thanks to the resulting expertise and continued investment, we can identify “innovations” in ransomware attacks, derive lessons learned and develop effective risk mitigation steps to reduce exposure.

In the case of highly complex companies, a considerable underwriting effort is required to precisely understand an insured’s ability to prevent, detect and, in a worst-case scenario, recover from Ransomware or other types of attacks. We must strive to ask the right questions in order to understand how effectively high-level controls are being implemented. A thorough exposure assessment can’t be made by evaluating responses to simple questions about high level controls. With that in mind, let’s examine how some technical protection approaches can still leave hidden perils. 

A deep understanding of security risks and controls is key in supporting the sustainable growth of the Cyber insurance market for the future. Here is a list of some common remarks which do not always provide the effective mitigation which they appear to.

While an Antivirus solution is an important security control that can detect malicious files and documents that are downloaded on the endpoint, these Antivirus solutions can be circumvented. It is important to consider that limitations in Antivirus scanning techniques are often exploited by attackers who obfuscate the files in such a way that the Antivirus scanner does not recognise them as malicious. Each time an attack is concealed in a new way there is a delay before the Antivirus solution is updated to detect it, giving attackers a window of opportunity.

Another often overlooked risk is the fact that these scanners only scan for malicious content. An attacker who has gained high-enough privileges can simply disable it. For this reason, behaviour-based endpoint monitoring systems which monitor the entire endpoint for any suspicious behaviour. For example, if a user tries to execute unexpected commands or use abnormal high risk programs, the monitoring system will prohibit these actions and draw attention to the potential breach.

The use of Two-factor or Multi-factor provides a higher level of security than just a username and password authentication and is highly recommended since it makes it harder for attackers to use stolen credentials to attack a system. However, in order the be fully effective, it needs to be implemented on all relevant endpoints. It may seem obvious, but companies with complex IT landscapes that are regularly supported by diverse IT teams, often with differing standards and security guidelines, can find it a challenge to achieve uniform implementation of MFA on all systems. With one compromised endpoint, an attacker then has the potential to gain access to the entire network

Vulnerabilities in software that allow an attacker to gain access to a corporate network without any authentication are a serious threat and often the initial step of a successful Ransomware attack. For example, an ‘authentication bypass vulnerability’ in a VPN endpoint could circumvent an MFA solution. Naturally, the timely implementation of patches is very important. It is not however the full story.

Internal patch processes for mitigating vulnerabilities need to be in place and should also take into consideration situations where a serious susceptibility is made public but a software patch from the vendor is not yet available. Take for instance the “Citrix Vulnerability” in 2019: The vulnerability was exploited numerous times after it was reported but before patching was available. A company’s internal monitoring and manual mitigation processes are extremely important in situations like this and should not rely solely on the official patch.

A good Backup strategy that is tested on a regular basis is an essential component of every disaster recovery plan and therefore also important for a Ransomware incident. However, it remains crucial that there is no possibility for an attacker to encrypt or plant further malicious triggers into the Backup. To reduce the risk of compromise, the Backup and storage systems should be hardened and kept separate from the corporate network. There is evidence that shows Ransomware groups will actively search for a company’s Backups before starting encryption, since locking them improves their negotiating position.

Backups can also be compromised when an attacker plants an additional malicious file, the so-called ‘Time Bomb’, into the Backup which is then executed after the initial recovery. For this reason, a thorough post-recovery investigation is highly recommended, or alternatively, a verification that the Backups have not been altered in any way.

Of course, every company should have implemented their own Disaster Recovery Plan. Yet, it is of utmost importance to test it on a regular basis and as realistically as possible. This will ensure the relevant parties understand their roles and encounter unforeseen issues, such as which areas of the business to restore first. It also should not be a purely technical drill. For example, involving a PR department (or provider) in the simulation can reduce the negative fallout of an attack and promote a speedier recovery. Early involvement of insurance partners or external responders can also be a smart move as they can provide insights from other incidents. 

The payment of a ransom demand may allow access to encrypted data, but it is not always a solution to the underlying problem. There are many uncertainties involved when paying a ransom. For example, there is no guarantee that a victim will receive a ‘fully functioning’ key after paying the attackers.

In addition, the length of time taken to decrypt such large amounts of data could keep a business offline for days or even weeks. What’s worse, even after successfully decrypting all data and having corrected data and system synchronization, the same hackers may be able to launch another attack due to unresolved vulnerabilities or back doors left open in the system.

These examples highlight that here is no 100% security in digital life – and that even a company’s conscientious action plan can fall prey to a vulnerability and an overlooked risk. The fallibility of individual controls means that the implementation of a risk-based and multi-layered information security architecture is a necessity.

Munich Re’s Cyber division has made significant investments in traditional insurance expertise in underwriting, accumulation and claims management, as well as in dedicated cyber experts with deep technical cyber security knowledge.

With this market-leading expertise we guarantee the best cyber (insurance) solutions that may be individually tailored for our clients. These solutions range from the development of up-to-date wordings, best-in-class cyber risk assessment and pricing as well as accumulation modelling. In addition we also provide access to our top-rated cybersecurity service provider network. By doing this we contribute to a sustainable and growing cyber insurance market. This is essential for a digital future, resilient to the ever-changing cyber risks and threats. Get in contact with us to find out more about our holistic approach to tackle cyber risks for each client segment and branch.