About the participants
With more than 20 years of experience in IT and cybersecurity services, Jeff Olejnik oversees the CyberTech practice of Wipfli LLP. He helps clients manage risk through effective information security, business continuity planning, and program management. Jeff is a frequent speaker as well as an active participant in various related associations.
Kevin Pomeroy leads the Executive and Professional Services Practice Group (EPS) at USI Insurance Services, where his team helps clients manage directors’ and officers’ liability (D&O), professional liability (E&O), data security, privacy liability, employment practices liability (EPL), fiduciary liability and crime. He worked previously at Aon’s Financial Services Group, with a focus on financial institutions and large Fortune 1000 companies.
Shalin Johnson is a risk consultant at Marsh & McLennan Agency. He has more than 25 years of industry experience helping clients manage their risk management programs. His involvement in a number of professional organizations helps keep him abreast of new developments in the area of risk management.
How do you define cybercrime?
Kevin Pomeroy: Right now, most people would define it as ransomware. We hear about it over and over and over again. I talk about it all day. If you turn the news on just about any day, you’ll see that another ransomware attack has occurred at a pretty large level somewhere in the United States.
But there are other things besides ransomware. There are social engineering attacks and there are phishing attacks, but the biggest of those is something that can lead to ransomware attacks, and that’s where we’re seeing most losses in the insurance landscape. Insurers have realized they are really vulnerable to paying out incredibly large losses, due to what’s currently happening in the world of ransomware. That’s why anyone looking to get cyber insurance right now needs to focus on controls.
I’m going to ask everyone about those future controls, but first I want to ask Shalin, why are premiums going up so much? Is it in anticipation of attacks that’ll take place?
Shalin Johnson: The loss ratio is the basis on which insurance companies can make a profit. In 2021 a leading cyber insurance carrier reported their loss ratio was 175%. That means for every dollar of premium collected, they paid out $1.75. Some carriers wiped away eight years of profitability in just one year, or maybe 18 months. They can’t get enough premium. Not to mention the fact that the frequency and severity of these claims have gone up significantly.
Now it’s a double whammy. Bad actors hold you hostage by locking up your systems, and then they threaten to publish your sensitive information on the dark web unless you make payment. The average ransomware demand last year was $1.2 million.
Kevin Pomeroy: It’s not that ransomware attacks are something new, but in the last three or four years, we’re seeing them on a much smaller scale. The larger-scale cyber-attacks you would see in health care or retail. A mom-and-pop type shop — relatively small companies — would look at the Target breach and think, “That’s not going to happen to me.” Those seven-figure ransom payments are still around, but the bad actors have learned that they can more easily extort somebody else with poorer controls for $50,000, or $75,000, or $100,000. And if they do it 10 times, they will probably make just as much money, if not more. That’s really what’s pushed the market toward smaller, more vulnerable companies.
Jeff, are manufacturers a more vulnerable target than other industries?
Jeff Olejnik: Manufacturers are generally softer targets than some of the regulated industries. Financial services have very hardened controls. Health care to a certain extent, as well. The easier path might be to attack a manufacturing company that may not have the resources, personnel, or capabilities to safeguard and respond to these types of attacks. The success rate of these ransomware attacks is much greater against those softer targets.
One conclusion is that manufacturers probably should think of this a little bit more strategically than they have been in the past. You have mentioned the increasing dollar volume, but is the frequency of attacks also going up?
Shalin Johnson: Manufacturers’ employees are less sophisticated with respect to cyber. A typical scenario for my manufacturing clients is a sales rep thinking that he’s clicking on a purchase that’s not a purchase order — it’s malware. Before he knows it, this malware has gone through the whole computer system. For a long time, some manufacturers assumed this only happened in retail. They say, “We’re B2B. We don’t deal with the consumers. We’re not handling any credit card information. We don’t have any personal information.”
Those days are gone. They now realize that these people can get into the system and shut down production. It just got so fast, so quick. The bad guys are getting in and they’re doing so in a bad way. Manufacturers never thought that it could happen to them.
Kevin Pomeroy: The bad actors, the ones doing these attacks, escalated what they were doing faster than the consumer of cyber insurance realized. These criminals are smart. They figure out who really would struggle in the event of a breach. Manufacturing is a great example of a company that cannot afford to be shut down for any long period of time. So, they are more likely to pay the ransom in that scenario, or at least have insurance that will be able to take care of the ransom.
Jeff Olejnik: The number of attackers is also increasing. This is a criminal enterprise. These are gangs. These are nation-states, or even terrorists and underground criminal enterprises, and they run it like a business. Some of them are smart, but you don’t have to be super smart, because you can buy kits on the internet to launch these ransomware attacks. If I have some customer service agents to negotiate with the insurance company, I can be in business pretty quickly.
Some companies say they used to be on-premises, but they’re in the cloud now, thinking that’s solved the problem.
Jeff Olejnik: You bring up a good point. It’s your data, whether it’s on-premises or in the cloud. The cloud can be more secure, not out of the box, because you have to turn on security controls. If you get Microsoft Office 365 or Amazon Web Services from Amazon, those security controls, like multi-factor authentication (MFA) and email box login, and a bunch of those other tools aren’t enabled right away. You have to enable them. So, during the pandemic, people rushed to put in these collaboration tools and move everything to the cloud, but they didn’t necessarily think about a lot of the security controls.
It sounds to me like this whole thing accelerated when office people started working from home through remote access, etc. Is that true?
Jeff Olejnik: Those increased endpoints have to be protected. You still have to make sure that those security controls are in place and that you’re protecting all of your data, no matter where it is. You’ve got to be thinking that through and creating this digital distributed network. It has really expanded the attack surface.
What are some of the steps manufacturers should take to protect their systems?
Kevin Pomeroy: It does start with multi-factor authentication. There are several different ways to implement MFA to get insurance that’s really meaningful. MFA for remote access has become crucial. Remote access to email, remote access to backups, remote access in general. The backup piece of it has become critically important. Making sure that you have secure backups, that are backing up daily, that are offsite and offline, puts you in a situation in which you’re able to back up and resume working, without theoretically having to pay the ransom. We often see folks who don’t have their backups segregated properly, so that when the ransomware attack occurs, well, the bad actors are also in your backups. One more that I think is also important is something called endpoint detection and response, or EDR, which is managing those endpoints. It can be your phone or your laptop — anything that connects to the system. It makes sure that threats are detected through those endpoints, and it has a built-in response tool to neutralize those threats.
Talk a little more about endpoints. It’s probably broader than just your phone.
Jeff Olejnik: EDRs are the next generation of anti-virus. They look at heuristic information to determine if a file operating on your computer is behaving like ransomware. The EDR identifies unusual activity and quickly and automatically isolates and contains that device, that workstation, or that endpoint, so that the problem doesn’t spread to other devices within your network. You still could have it, but at least it’s isolated to a single workstation or a single server.
Given all this, how does an insurance company determine the size of a cyber policy and set the rate?
Shalin Johnson: The coverage limit is based on an internal assessment of a client’s vulnerability around computers and technology, and what a worst-case scenario may look like if they were hacked. We have tools that help clients determine their true exposure, as well as provide benchmarking data. If they had any losses, they’re basically being underwritten. Do they have the security controls in place? Do they have multi-faceted authentication? If they don’t, 90% of the insurance marketplace won’t even look at them. Some carriers won’t renew a policy if the company doesn’t have MFA. The other big factor is these controls have to be in place. It used to be within the next 90 days. Today’s insurance companies want proof that those safety controls are in place before the policy even starts.
So, let’s say I have MFA, and I passed the test. But I let it lapse, and I don’t educate my people. And then I get penetrated. What’s the insurance company about to say to me?
Kevin Pomeroy: It’s a tough scenario. We would obviously advocate for our clients in those situations and say, “Hey, they had the controls at the time they needed them. There isn’t a requirement to maintain them throughout the entire policy period. That’s not expressly written into the contract, or expressly written into the application.” So, I think in that scenario, we would have a significant leg to stand on.
What if the company misrepresented what was actually in place? Saying they had an EDR and MFA but didn’t?
Kevin Pomeroy: Great question. I think we’d be facing an uphill battle to get coverage. As they start to deploy the forensics and realize, “You guys don’t have what you said you did, based on the application, and that’s a warranty.” I expect they would deny coverage — and would likely be within their rights to do so. Obviously, we would advocate for our client, but I do think they would deny it, and to the extent that they paid anything initially when the claim occurred, they would seek to get reimbursed for that, from the insured.
What kind of training should employers do proactively with employees to make sure they’re not doing stupid things? These expeditions can get pretty sophisticated. How do you train employees?
Jeff Olejnik: First of all, it’s about building a culture of security awareness. It shouldn’t be just training once a year, or with new hires. It should be ongoing. Part of that process should include the CEO, the executive team. It’s about tone: “Hey, this stuff is really important. We need to protect our organization.” Then it’s training. You’re supporting it on an ongoing basis to test the quality of that online training, through regular phishing exercises. The first time a phishing exercise is done, if training wasn’t involved, about 30% of the people click through, and then hopefully, after training, nobody’s clicking on the phishing.
It’s multi-faceted. Take a look at the latest vulnerability. How could it impact our organization? How would we respond? How would we interact with our insurance provider? How would we interact with our legal counsel? How do we work with the digital forensic team? What are we going to do from a messaging perspective? Who’s going to be making the call? These are ways to build up muscle memory. If you can get these incident-based drills in place, people will understand the decisions that need to be made in a period of crisis.
Shalin, as an insurance provider, do your clients ask for coaching?
Shalin Johnson: It needs to start at the top so that you have the owner, the CEO, the C-level suite invested in this. There’s this belief that they’re smarter than the bad guys, because the social engineering has been around for a number of years. “Oh, we can tell,” they’ll say. Years ago it was an email saying, “Send a check to so and so.” And it was met with laughter. Now those emails are much more sophisticated. Two years ago, a client told me that the bad actors were in their system for several months, and they were reading emails. They were figuring out who’s in control of the checkbook, who’s what. They’re looking at the Outlook calendars. Sure enough, Bob, the president, sends an email to Dan, the controller, saying, “I need you to do this, this and this. And, oh by the way, I need you to send a $50,000 down payment on that machine that we’ve been talking about.” He goes on by saying, “I hope you and the kids and your wife have a great time down at Orlando. Say hi to Mickey Mouse for me.” It becomes personal. It is the vernacular that they use between themselves. At 4 p.m. that afternoon, Dan the controller calls me and says, “Just tell me we’ve got cyber insurance because we got hoodwinked.” I said, “Call your bank first. Make sure they know.” He was able to call the bank before they made the wire transfer that day. I think the big lesson is training. It used to be, “Oh, I can tell a bad email.” Not so anymore.
Jeff Olejnik: Everybody in the organization should understand that any time you get an online request to send a wire transfer, buy gift cards, or change an employee’s direct deposit, [it] should be followed up with some other kind of communication. Call, walk down the hall or send a text message. Ask, “Bob, do you really want me to send this $50,000?”
Kevin Pomeroy: Here’s something that’s a little bit outside the box, but it just shows how sophisticated these folks are getting. We’ve heard about people leaving flash drives or thumb drives in public places hoping that somebody will pick it up and say, “This is interesting. I wonder what’s on it?” They go home, plug it into their computer, and bada bing, bada boom. We’d think there’s no way that people could be so, forgive me, but stupid, right? But it does occur. We’ve seen those types of exact scenarios play out, and they’re costly.
Jeff Olejnik: Whether it’s a jump drive, a mobile device, or even a personal laptop, you’ve got to have policies and technologies in place that say, “Here’s what the acceptable use is” and have the technology in place to enforce the policy.
Any final words of advice, something we may not have covered here?
Shalin Johnson: If you do business, you need to have a cyber policy. Cybercrime is not going away. Some cyber experts anticipate we will see over $10.5 trillion in damages by 2025. As a reference, that number would represent the third-largest economy in the world, behind China and the U.S. It’s going to be huge.
Insurance companies can put together safeguards, as can all the very capable IT consultants. Everyone is going to be very busy because there’s always a new way to get in. That’s going to be the challenge.
Kevin Pomeroy: We need to make sure everybody is properly protected and properly insured if things do occur — and to begin this process as early as humanly possible. Understand what is happening in the market and what controls are being emphasized by the insurance companies. Some of those controls take months and months to implement, particularly if it’s a little bit foreign to you. You may need to start working with different providers and putting a lot of effort into actually implementing everything. The other thing is to make sure you’re aware of what’s in your insurance policy. We all like to look at our policies, see a limit of $5 million and say, “Great, we have $5 million of coverage.” Cyber is different. There are a lot of different supplements within the policy and a lot of different insuring agreements. You may have a $5 million aggregate policy that provides $250,000 of ransomware coverage, with co-insurance alongside it. I say get ahead of it, make sure your controls are in place. Look at your policy with a fine-toothed comb because you don’t want to pay for something that’s not going to react when you need it most.
Shalin Johnson: There’s still a learning curve in the manufacturing space. The manufacturing sector moved from being number eight in 2019 for cybercrimes to number two in 2020, following only finance and insurance. The bad actors now see the middle market space as ripe for the taking. They have to tighten down the gates to get in. They can’t just allow any Joe Six-pack vendor to get into their service and order up stuff. A lot of manufacturers pride themselves on the ease of doing business. Today, a user-friendly business is a business that was also an open door to get in.
Jeff Olejnik: You’ve got to be doing your due diligence on the vendors. I mean, if this is a vendor that is either critical to my business operation or that I’m sharing information with, I want to take a real close look at their insurance. I want to take a look at their hiring practices. I want to take a look at their cyber security controls. I want to understand their disaster recovery capabilities.
Another thing is that security shouldn’t be considered a cost center. It’s an investment. We’re working with a lot of private equity firms and companies looking to sell that are starting to include cyber security controls as part of their due diligence process. They don’t want to acquire a company that exposes them to risk. We’re seeing a lot of companies looking at security and technology as a differentiator that adds value to their organizations.
Featured story in the Spring 2022 issue of Enterprise Minnesota magazine.