Evolving threat landscape influencing cyber insurance market
Many aspects of cyber insurance were addressed throughout Black Hat USA 2024, including changes in the threat landscape that affect policies and coverage.
LAS VEGAS -- Cyber insurance trends were a major focus during Black Hat USA 2024 due to a rapidly evolving threat landscape where attackers continue to adapt to improved defenses.
Multiple Black Hat sessions highlighted how cyber insurance policies are adjusting to shifts in threat actors' tactics, techniques and procedures. The topic was also frequently discussed in conversations TechTarget Editorial had with infosec experts at the conference.
One persistent threat that was repeatedly addressed by cyber insurance speakers and infosec experts was ransomware. The risks continue to worsen, highlighted by two major attacks over the past six months including one against UnitedHealth Group's Change Healthcare and another that disrupted CDK Global. The attacks showed that though threat actors are quick to adapt, enterprises also struggle to implement basic security protocols such as MFA to protect against ransomware.
During one session on Wednesday titled "Cyber Claims Outlook 2024: Trends, Threats and Tomorrow's Challenges," Catherine Lyle, senior vice president and head of cyber claims and incident response at Tokio Marine, emphasized how dangerous ransomware has become. She said there was a ransomware respite throughout 2022 due to geopolitical conflicts, but it has returned "aggressively."
"Because of war-torn countries, people were fleeing, so these cyber [crime] corporations broke up," Lyle said during the session. "Then they reached out and found each other, and now they've created new groups. Now, ransomware is back in, and we're seeing it with big ransoms -- MGM, Caesars, Change Healthcare, CDK, I could go on and on."
Lyle expanded on the Change Healthcare attack that occurred in February. Despite paying a $22 million ransom to the Alphv/BlackCat ransomware group, the company continued to suffer prolonged disruptions to payment and reimbursement services; the ransomware gang shut down soon after in an apparent exit scam. Lyle said the attack represented multiple shifts she's observed in the ransomware landscape. In addition to the Change Healthcare attack affecting insurance, those shifts will also influence policies moving forward.
For example, ransomware variants now consist of smaller threat groups, which has changed the way threat actors ransom and negotiate with victim organizations. Additionally, Lyle cited a shift in the ransomware supply chain. Throughout 2023 and into 2024, there's been an increase in initial access brokers selling access to victim organizations, she said.
"We saw this change during the attack on Change Healthcare," Lyle said. "They paid $22 million in ransom, 4 terabytes of data were taken, but then they got ransomed again because someone in that supply chain said 'Alphv didn't pay us, so we got 4 terabytes and we're going to hold it to you.'"
Lyle said attacks like the ones against Change Healthcare and CDK Global, which disrupted technology supply chains and thousands of downstream clients, will continue to be a major problem. CDK, for example, serves more than 15,000 car dealerships, which couldn't access CDK's dealership management system for two weeks following the attack.
"As you can see, what the supply chain and all these cases are showing you is that dependence system failure is going to be a big thing in 2024 and 2025," Lyle said.
MFA concerns
The Change Healthcare attack also further illustrated the need for MFA protection. In April, UnitedHealth confirmed that ransomware actors first gained access to Change Healthcare's network through compromised credentials for a Citrix remote access portal, which did not have MFA enabled. "If they had MFA, this probably wouldn't have happened," Lyle said.
Change Healthcare isn't the only organization struggling to implement MFA. Lyle said VPNs without MFA enabled replaced open remote desktop protocol as the second-most-used initial intrusion vector between 2023 and 2024, according to Tokio Marine's research.
More alarmingly, Lyle presented research that showed organizations are getting worse at implementing MFA. She said 70% of organizations weren't using MFA in 2021, and that number dropped to 44% in 2023. This year, however, 45% of organizations say they are not implementing the basic security protocol.
She acknowledged that attackers could bypass MFA, especially if the organization is a target of choice, but said it's essential in delaying attacks and making it harder for threat actors to gain access to the network. "I would have thought by now corporations would realize that's the way to protect their employees," she said.
During a separate cyber insurance panel on Wednesday titled "Moral Hazards and Ethical Considerations in Cyber-Insurance," Tiago Henriques, vice president of research at Coalition Inc., discussed the importance of organizations enabling MFA in response to the evolving threat landscape.
Henriques stressed that enabling MFA is a major requirement to obtain a policy. "If you don't have MFA enforced on email, good luck getting a policy today," he said during the session.
In addition to targeting MFA-less accounts, ransomware actors are also increasingly exploiting vulnerabilities to gain initial access to victim organizations. Patrick Sullivan, CTO of security strategy at Akamai, said one of the more interesting sessions he attended at Black Hat addressed quantifying risks for insurance.
"It's been interesting to follow actuary tables and what it costs per $1 million of insurance coverage, and ransomware has probably dominated that calculation. I think the business has responded to that," Sullivan said. "People still assume ransomware begins with social engineering, but it's significant that it's now vulnerabilities."
Insurers' influence on payments
Black Hat speakers and attendees also delved further into the ransom payment discussion. High-profile attacks and eight-figure ransom payments have forced some in the industry to reconsider a payment ban.
On the other hand, Lyle said many organizations have better backups to recover from, so they refuse to pay a ransom. She also stressed that law enforcement takedowns have shown organizations that ransomware gangs are not trustworthy and don't always delete stolen data after being paid.
In many cases, insurance providers are the first call victim organizations make following an attack and help with incident response efforts, including the negotiation for ransom payments. Tony Anscombe, chief security evangelist at ESET, said there are benefits to having cyber insurance, but he is concerned about how much influence insurers have regarding the decision to pay ransoms.
"Insurers have too much say over ransomware payments because it's their risk. That's the problem. I think we have to take the decision away from the business and the insurer," Anscombe said, adding that an external, regulatory body could review individual incidents and determine whether the victim organization should pay.
Lindsay Nickle, partner and cyber team vice chair at Constangy Brooks Smith & Prophete LLP, spoke during Wednesday's panel and said one of the most common questions she receives is whether people pay ransoms. She stressed that insurance carriers can be helpful in instances where companies do want to pay but don't know how to get bitcoin, for example. Ransomware groups demand payments in cryptocurrency like bitcoin because it's difficult to track.
"Yes, they do pay ransoms. We always approach it from the perspective it's our last-ditch effort," Nickle said.
Arielle Waldman is a Boston-based reporter covering enterprise security news.