The Future of Cyber Insurance: Why cyber insurance isn’t going away anytime soon


The cyber insurance market has faced challenges in recent years. Increased ransomware attacks have driven higher loss ratios. Russia’s attack on Ukraine has raised concerns about catastrophic global cyber events. With news that the U.S. government might create a government-backed national cyber insurance program, some people wonder whether private cyber insurance will become obsolete. The IT and cyber security community has questions about the future viability of the cyber insurance market.

We want to understand the potential threats to the cyber insurance market. We see three main risks from these threats:

  1. Insurance companies, worried about large potential losses, retreat from the market.
  2. The U.S. government creates a national cyber insurance program that crowds out the private market.
  3. Prices for cyber insurance become so expensive that coverage becomes unappealing to most companies.

Although these threats can disrupt the future of cyber insurance with some level of plausibility, ultimately we find them unlikely. Let’s take each in turn.

The fear that insurance companies will simply retreat from the market due to the threat of large potential losses may be the most pressing concern. We can assess this threat better with some perspective on the history of the overall cyber insurance market and its position in the global insurance market.

Although 2021 was a bad year for cyber losses, the overall performance of the cyber insurance market in its 20-year history gives us confidence. Cyber insurance continues to be among the most profitable lines of business for global property and casualty (P&C) insurance. For more than 10 years, the cyber insurance market has grown steadily and is likely to continue growing.

Cyber risk continues to be among the top three risks cited by global risk managers, affecting every aspect of business and society. From cars, to manufacturing, building systems, to the very nature of workers’ everyday lives, technology affects every area of business and thus the insurance covering the risks it brings with it. Therefore, insurance companies struggle to ignore the attractiveness of the growing and profitable cyber insurance market, particularly in a world with few other options.

Rather than avoid the market, insurers are trying to improve their overall performance in cyber insurance. They are increasing prices and tightening underwriting standards with more requirements for cyber security. How these changes impact loss trends is not yet fully visible, but overall prices and requirements have moved at a greater pace in 2022 than in the previous two years.

Perhaps the greatest risk for massive losses is the risk of a nation-state-related catastrophic event. We see the insurance industry addressing this concern now.

Since the early days of insurance, insurance companies have recognized that war can create enough damage to bankrupt the entire industry. Every insurance policy, including cyber, excludes war-related losses. However, determining when a nation-state-related cyber attack constitutes a “war-like” action is a legal gray area.

Therefore, some insurance companies have started explicitly redefining “war” to include these nation-state-related attacks. For example, as of July 2022, Lloyd’s requires that cyber policies exclude coverage for nation-state-related attacks. Although this change might see painful losses for individual companies in the short term, it allows the cyber insurance market to thrive in the long term. By excluding these exorbitantly expensive and difficult-to-model losses as “war-related actions,” this change essentially aligns cyber insurance with more traditional insurance.

Recognizing nation-state-related cyber attacks as war-related actions leads to the second main risk: the U.S. government might create a national cyber insurance program to protect companies from these attacks, and companies might then decide that private cyber insurance is no longer necessary.

Rather than replace a functional private market, we find that the U.S. government typically intervenes only where the private market struggles to provide coverage. For example, after the 9/11 terrorist attacks, Congress enacted the Terrorism Risk Insurance Act (TRIA) to provide government-backed funding for insured losses from large-scale acts of terrorism. This successful program is a potential model for a cyber insurance fund for nation-state-related attacks, which can then be included in private cyber insurance policies.

Finally, the third threat—that prices will become so high as to make coverage unappealing to most companies—is also possible but unlikely. Cyber insurance is relatively inexpensive, often less than 10% of a company’s total cyber security expenses. We do expect the application and underwriting process to get longer and more involved, as underwriters bring more requirements and scrutiny to these risks. However, we also see insurance companies and technology firms working together to reduce the frequency and severity of cyber attacks. Efforts to reduce catastrophic events help make long-term price increases more manageable.

We expect cyber insurance to continue to be a vibrant and growing market, with the entrance of more companies offering more and better protection. Even as we see some volatility and change in the near term, as underwriters refine their process further and governments find their role, we expect cyber insurance to be essential for many companies for a very long time.

The Critical Convergence Between IT, Cybersecurity and Insurance


The complexities of technologies in the early days of computing are nothing compared with what MSPs contend with today. The speeds and feeds of yesteryear have evolved into conversations about processes and regulations and addressing challenges and opportunities with real business solutions. While running cable and repairing PCs are still vital functions, clients expect much more from their IT services partners today. That increasing reliance creates several key advantages for MSPs – from added revenue opportunities to greater customer satisfaction – as well as a few big drawbacks.   

Most IT service providers’ greatest challenge is managing all their responsibilities without fail. While core technologies may be a strength, keeping track of and juggling all the different business and regulatory concerns can be a nightmare without the right people and systems in place. The reality of running an MSP today is that IT is no longer the sole priority. Providing multi-layered cybersecurity protections and advising clients on business continuity planning and awareness training are just as important as compliance with regulatory and industry requirements and obtaining the appropriate cyber insurance policy. Measuring and monitoring cyber risk in all environments the IT services provider manages is part of those responsibilities.

The convergence of multiple factors that influence and help protect these robust yet entirely vulnerable IT ecosystems is critical to MSP success today. Providers can no longer pick and choose which pieces of their clients’ businesses they wish to support without ensuring another capable entity has those obligations covered. Whether the company employs its own internal tech team or MSPs collaborate with peers, vendors and other suppliers to deliver various services, the responsibility increasingly falls on IT services companies to manage it all.

The Cybersecurity Equation

Some industry experts have suggested that every MSP should consider becoming a full-fledged MSSP, focusing most, if not all, of its resources on building and managing formidable defenses for business clients. The reality of the situation is that many organizations rely on providers with a mix of IT and cybersecurity skills to keep their operations running effectively. However, virtually every MSP dedicates more time and resources to data and network protection today to stave off potential malware attacks and other cybercrime.

While many industry experts predicted future shifts in the IT services provider business model, the pandemic and ensuing push to WFH shortened that timeline considerably. The subsequent rise in nation-state-supported ransomware attacks was a driving force behind many of those transitions, requiring most MSPs to commit more resources to strengthen their clients’ defenses.

Implementing proactive cybersecurity services like awareness training and multi-factor authentication is now the norm. While MSPs continue to support the entire IT ecosystem – including devices, networks, software and cloud-based applications – consultation on data protection and disaster recovery practices and policies is gaining importance and creating new revenue opportunities.

Cybersecurity has become a major differentiator for providers that understand how to identify, measure and monitor those risks and tackle all the current and potential vulnerabilities. Small businesses (and many larger organizations) rely more on third parties like MSPs and MSSPs to provide those services today.         

The Symbiotic Relationship Between MSPs and Cyber Insurance Firms

Businesses are increasingly looking to the IT services community for insight on a variety of new issues in addition to the traditional services they’ve come to depend on to keep their operations in order. As in the case of cybersecurity, organizations want and need complementary types of support, including consultation on regulatory compliance, disaster recovery (technical and procedural) and risk assessment.

Decision-makers often look to MSPs for insight on issues on the fringe of their areas of expertise. Some of those questions or requests may fall outside of a provider’s legal comfort zone. Cyber insurance is a good example, as company executives look to MSPs for advice on finding the right companies and policies to cover potential liabilities.

Those requests should be seen as opportunities for IT professionals. When clients seek insight across multiple disciplines, especially those not entirely in the traditional IT realm, it’s a sign of a strong business relationship. The more support MSPs can provide, the greater those bonds. Whether providing that assistance solo or with specialists in those fields, those actions increase the value-add and trust between customers and providers.

Cyber insurance is one of those key areas of opportunity. By aligning with a reputable firm with specific expertise in IT-related liabilities, MSPs can ensure customers are investing in more effective defenses while potentially increasing the providers’ recurring revenue. For example, DataStream Cyber Insurance can assess the security posture of each client, identify vulnerabilities, and make recommendations to ensure those companies are “insurable.” This process gives MSPs an opening to discuss specific improvements to minimize liabilities for providers and their clients.

DataStream brings an in-depth understanding of insurance and cybersecurity standards and expectations to these partnerships, as well as unique AI technologies that identify areas of concern. The ability to leverage real customer data and proprietary models that measure real cyber risk is a key differentiator. MSP partners play a critical role in this assessment process and can leverage the results to strengthen their clients’ cybersecurity posture and potentially boost sales and profitability.

A Value-Added Relationship

While it’s true that only certified insurance agents can sell policies, IT services providers can grow MRR and project income through a DataStream alliance. MSPs register their clients for an assessment that will identify vulnerabilities and behaviors that put them at risk and emphasizes solutions their provider can implement to address those problem areas. DataStream provides partners with details of the factors preventing each assessed business from obtaining cyber insurance coverage.

This is when the MSP comes to their rescue. With implicit knowledge of that client’s security posture, providers can pitch the proper solutions to bring their defenses up to par. The end game is to make companies aware of their risks and increase cybersecurity investments – which benefits MSPs and their clients.

With the COVID-19 lockdowns and corresponding increase in work from home and hybrid environments, those opportunities are plentiful. Along with the ensuing rise in ransomware attacks, the conversations around cybersecurity are growing in frequency and complexity – a perfect opening for MSPs that can pitch solutions, not the “speeds and feeds” of technology. Why not make cyber insurance part of that conversation?

Resources like the Cyber Insurance Assessment help businesses determine their readiness for cyber insurance. And our Partner Cyber Risk Report shows partners numerically how much impact they have on reducing cyber risk among their business clients. Would a sales prospect pay more attention if they could visualize the effect your firm could have on their data defenses? DataStream provides MSPs with that power.  

Build a Cybersecurity Fantasy Team


The cost of protecting data has never been higher. What many experts fail to say is that the financial liabilities associated with poorly secured systems are on the rise as cybercriminals target both MSPs and their clients. Estimating the cost of downtime and remediation support and the reputational damage from these attacks can be difficult for any business. For MSPs, those incidents are even more concerning as the experts in all things cybersecurity – a poor response can undermine their credibility in the business community.

That’s why dealing with cyber risk has become a team sport.

Cybercriminals are running businesses too, so they must continue refining and escalating attacks to maximize their revenue opportunities. For example, a recent IBM study found that the average incident takes 280 days from the point of access to conclusion and costs each company approximately $3.86 million.

Cybercriminals understand that most SMBs don’t have the internal resources to prevent cyberattacks. Ransomware purveyors target those businesses indiscriminately and rely on poor defenses, application vulnerabilities (vendors and suppliers) and inattentive and lazy employees – perhaps even a little luck – to gain entry.

Combined with the ever-increasing creativity of the cybercriminal community, it’s increasingly more difficult to protect businesses of any size today. As the amount of data they create, collect and store continues to grow, their financial and legal risks increase proportionally, and MSPs must work even harder to lock it all down.

A Complete Game Plan

Good teams produce more than the sum of their individual parts. Successful cybersecurity collaborations typically involve a tremendous amount of planning, training, evaluating, and, perhaps most importantly, communications. Most MSPs excel in most, if not all, of those areas, as do many of the specialists in their partner communities.

Building and executing cybersecurity “game plans” require that commitment. From conducting assessments and highlighting areas of concern to strengthening defensive measures and contracts, MSPs need to lead the way. That push begins (and ends) with finding the right partners.

Draft Highly Skilled Partners

Protection is truly a team sport. Building a “fantasy dream team” by “drafting” quality partners can help minimize liability for MSPs and their clients. Collaborative relationships with complementary subject matter experts – those with knowledge and skills in different aspects of cybersecurity, liability and compliance requirements – will elevate the defensive game to new heights.

The “team cybersecurity” approach focuses on risk aversion to limit financial and legal exposure for both clients and providers. Together, they provide more comprehensive coverage, as each is an expert in their respective area. They may collectively review existing processes and systems to identify and quickly address high-risk vulnerabilities and then develop plans for resolving other potential breach points or areas of concern. Potential “players” and their responsibilities include:

  • Vendors – MSPs typically partner with a number of suppliers to comprehensively protect clients’ networks, devices, data, applications and other systems. From end-point protection and data back-up and recovery providers to Security Operations Centers (SOCs), these “players” are focused on the cybersecurity game and many can even chip in during the off hours to give MSPs a well-deserved break.
  • Auditors/Remediators – these firms help MSPs identify and fix potential vulnerabilities following a structured approach. These professionals often serve a dual role: mitigating cybersecurity threats before they can cause harm to clients or providers and addressing similar issues following an attack.
  • Cyber Insurance Experts – every team needs a coach to measure the threat environment and guide game plan development. DataStream Cyber Insurance offers that level of support to MSPs with a Cyber Risk Assessment that evaluates the defensive posture of each client and a 24/7 Hotline to call when they first suspect a compromise. A tech assessment on each policy helps expedite claims and payments, eliminating potential stressors for providers and the business they support.
  • Attorneys with IT Specialization – every cybersecurity team needs legal representation to minimize risk on the front end, writing air-tight legal agreements and contracts, and on the back end, supporting the response when things go bad. Those professionals should get the first call following a breach to review strategies and ensure MSPs properly execute their remediation plans.
  • Public Relations Firms – messaging matters before and after a breach. Every MSP should have a crisis communications expert on their team to interpret the key points of the situation and help craft verbal and written responses. Information management is crucial. MSPs may need to share details of the compromise with different audiences, including clients, government agencies, law enforcement, and media. Releasing the right information to the appropriate people helps ensure the success of the response plan and prevents additional exposure.
  • Cyber Forensics Experts – these companies or individuals step in after a breach, analyzing the evidence and reviewing each incident step-by-step to determine what went wrong. More importantly, the information they provide allows MSPs and other team members to mitigate vulnerabilities and prevent future attacks.

Are Your MSP’s Assets Adequately Protected from Cyberattacks?


IT service providers spend a lot of time discussing protection. Whether consulting with clients or developing plans to boost internal defenses, those conversations often center on data and the systems that store or transmit critical and sensitive information. With cybercrime on the rise, many technologists are more inclined to invest in more solutions and implement measures that will help keep providers and the businesses they support safe from IT-related threats.

While those defenses are critical, MSPs must look closely at legal liabilities associated with those IT ecosystems. Cybercriminals are directly targeting IT services companies since they hold the “keys to the kingdom,” with access to clients’ networks, business systems and, by default, their data. SMBs rely on MSPs’ security expertise to protect those assets. With the escalating attacks on organizations of every size and mission, the threat vectors are continually shifting and evolving.

The financial costs of a cyber failure are too big to ignore. Unfortunately, some SMBs are not taking the appropriate steps to secure every system, perform regular backups and protect all their important data. The lack of an effective cyber defense significantly increases their legal liabilities.

That last point is essential. No matter how well MSPs lock down information and secure critical infrastructure, if someone (or something) finds a way to get into a client’s systems, the provider will likely take some, if not all, of the blame. In a highly litigious society, that exposure can damage, if not cripple, a small business. Worse yet, if cybercriminals gain access through a provider’s network, the provider can expect other clients and prospects to scrutinize its practices. The costs, from both a public relations and legal perspective, could be enormous and threaten the MSP’s viability.

Why?

Because cybersecurity is a matter of trust. When companies sign up with an MSP, they expect that team to provide complete protection for their businesses and assume, as cybersecurity professionals, they will implement industry best practices across every part of their operation. If even one client becomes the victim of ransomware or a cyberattack, especially through a provider’s compromised system, the trust may erode quickly.

Cover the Risks

Despite the rising threats, there is hope for MSPs. Careful preparation on the business end of an IT service firm’s operations can lessen those liability concerns considerably. That’s why providers should always seek legal advice from attorneys who understand the MSP business model and appreciate the threats against your company and clients. Those professionals should have the know-how to minimize the firm’s liabilities in the event of a cyberattack and work collaboratively with insurers to support the best interests of providers and their clients. An IT services-skilled attorney will be an invaluable resource to prevent things from going sideways.

Consulting with someone with extensive expertise supporting the legal needs of MSPs provides peace of mind. A good tech attorney can craft, review or amend services contracts and master agreements and offer guidance on a variety of industry-specific issues, as well as general business processes and policies. MSPs need that type of oversight today. Quality counsel will proactively address potential issues before they become problems and minimize the exposure when things go bad.

Those professionals help keep an MSP safe from potential lawsuits and bureaucrats (think regulatory compliance) regardless of the threat landscape and legal environment. Think of them as a firewall for cybersecurity experts.

The Fine Print Matters

A key reason for working with IT-experienced attorneys is their understanding of professional services delivery and the documents that outline the various responsibilities of MSPs and their clients. The “legalese” in customer agreements could be a major factor in whether the firm continues to thrive, let alone survives, following a cyberattack.

That’s a major reason for updating your managed services-related documents. Attorney Brad Gross, a recognized authority in IT services law, suggests that companies with antiquated agreements may find themselves in worse shape than those without contracts.

“The devil is in the details,” he emphasizes. His recommendation to MSPs is to partner with a proven IT attorney to review and strengthen their critical business documents to minimize cybersecurity-related liabilities. For example, any promises IT services providers make, whether explicit or implied, must be based on reality, not marketing prowess. “You can be confident, but your confidence needs to be based on both tangible and intellectual honesty,” adds Gross. “The way to achieve that is to have agreements in place that manage customer expectations, and then have the technical background and ability to perform under those contracts.”

A poorly constructed MSA (master services agreement) or SOW (statement of work) can increase your liability. The language in these documents can expose an MSP to litigation following a breach or malware attack. Knowing what to put in and what to leave out are decisions best left in the hands of those properly trained to deal with those legal concerns.

Six Reasons Your Company is Not Safe from Ransomware, No Matter How Much You’re Spending


Cybersecurity is one of the biggest concerns for every business today. Hacking and ransomware attacks deliver high returns for a relatively low effort and the significant rise in revenue fuels increasingly more aggressive and costly attacks. That recipe means the cybercriminal community will expand and ramp up its activities to keep those cash streams flowing.    

The processes and organizational advancement of these syndicates are astounding. Few people outside the tech industry understand the capabilities of these groups that often get support from nation-states and organizations with evil objectives. While the 24/7 news may cover ransomware attacks on multi-billion-dollar pipeline companies and other high-profile organizations, there is little if any mention of small and mid-size companies. That creates a false sense of security. Many business leaders think their organizations are simply too small to fall into the crosshairs of those cybercriminals.

The reality is that every company is a target today, and it just takes one slip for ransomware to get into the system and potentially shutter the entire organization. According to research firm IDC, approximately 37% of global organizations reported being hit by at least one of the more than 130 variants of these attacks in 2021. Many of those victims likely invested significant resources in their IT system defenses. While businesses must do everything possible to prevent these attacks, a more realistic goal today is to minimize the potential harm that may occur when cybercriminals manage to find those gaps.  

Complacency is also a concern. Unlike the early days of computers, today, businesses should consider cybersecurity investments as a maintenance fee that will likely continue to grow as the threat levels rise. IT spending needs to increase each year to protect its most valuable assets, including customers, employees and data. Ensuring the security of the company’s networks and operations centers is critical, and organizations with remote and hybrid workforces may need to double down on those efforts and investments.     

Minimize the Threats

Prevention is critical. While no one has come up with a 100% foolproof defense against ransomware attacks (other than running a business without computers and internet connections), anything companies can do to boost their collective defenses helps lessen their financial and legal exposure.  

Cybersecurity strategies are business-critical. Building an effective plan and investing in awareness training, anti-ransomware and antivirus tools, and other proactive measures mitigates a company’s risk profile. And while none of those actions can guarantee a company’s complete protection from threats, they reduce liability and cyber insurance costs and lessen the executive team’s anxiety when properly implemented and managed.

Most IT professionals add layers of cybersecurity measures to protect networks, devices and other technologies, including cloud applications and proprietary software. It is virtually impossible to lock down every potential access point to prevent cybercriminals from reaching their ultimate target: data. Stealing and ransoming business and personal data drives hundreds of millions of dollars (potentially billions since many attacks go unreported) in income for nation-state-supported crime syndicates, professional hackers and basement-dwelling amateurs each year. One thing they all have in common is an innate ability to make organizations pay dearly for their mistakes.   

Business leaders need to understand that premise and why no matter how much they invest, no company is ever completely safe from ransomware attacks. Here are some of the ways cybercriminals strike paydirt:

  1. People make mistakes. According to one recent report, human error plays a role in virtually all (94%) cybersecurity breaches, including nonadherence to email protection measures, poor credential management and employee sabotage. No matter how many technologies and policies a company implements, ransomware purveyors know someone will slip up at some point.

  2. Ransomware is a thriving and ruthless business. From rudimentary attacks by rogue workers to elaborate new business models like Ransomware as a Service (RaaS), this is a profitable and rapidly evolving opportunity. The reward for cybercriminals far outweighs the risks, and this community’s almost limitless creativity and cruelty should strike fear into every corporate decision-maker.

  3. IT resources are limited. Even before the “Great Resignation,” the number of high-tech job openings was astronomical. The ensuing pandemic and changes in work preferences are impacting many companies’ ability to fully staff their IT departments and adequately protect their systems.

  4. Management support is lacking. Effective cybersecurity strategies begin and end at the top. Executives must prioritize cybersecurity, from adopting strong policies and leading by example to investing in technologies and programs to properly protect their people and systems. Employees often discard or discount initiatives that don’t appear to have solid support from managers and other executive team members.

  5. Supply chain attacks are rising. Cybercriminals understand that there’s usually more than one way into a company’s networks, including access through business partners’ systems. Ransomware attacks from suppliers and contractors are a rising concern. Recent examples include Target and SolarWinds, where cybercriminals first gained access to other companies’ systems from which they spread malware using connected networks and applications. Many organizations implement standards and follow industry best practices to vet their business partners’ IT security tools and methodologies.

  6. Testing is never a high enough priority. Companies can invest a significant amount of their resources on cybersecurity yet not know if it will actually work. Periodic evaluations and adjustments are critical to ensure the integrity of every organization’s defenses. Cybercriminals are constantly looking for openings to exploit, from non-working end-point protection tools and unencrypted email systems to lax credential management. Testing helps businesses identify and rectify those vulnerabilities as well as any others that happen to pop up between evaluations.

Frame The Threats

Ransomware attacks are non-discriminatory. Cybercriminals target anything and everything, and thanks to new business models, the cost of entry for aspiring hackers is virtually non-existent today. With all of the resources they have on tap, no business or individual is safe.

The risks are rising exponentially, especially for companies that work with sensitive personal and financial data, as well as those adopting WFH (Work from Home) environments. More importantly, the decision-makers must understand that even with the latest measures, those threats will never completely disappear.

Cyber insurance coverage adds another critical layer by mitigating potential liabilities for the business. A basic protection package can also lessen the executive team’s anxiety level and assure other stakeholders that their financial interests are well protected. 

Raising the cybersecurity bar is never easy. However, any cost-effective measure that can prevent a business from being the “lowest hanging fruit” for criminals is worth pursuing. With the threat level of ransomware rising and no guarantees that companies can stop every attack, leadership teams should be open to all potential abatement options today.

What Are An MSP’s Liabilities When Clients Become Cybercrime Victims?

The risks MSPs face are not always clear. While most IT business owners are aware of the consequences of losing clients, hiring bad drivers, and not locking their doors, other potential threats are not quite so clear. For example, knowing where the ultimate responsibility falls when a client becomes the victim of a ransomware attack or some other type of cybersecurity incident can get a bit fuzzy.

The factors may be complex, and assigning responsibility for failures tends to get similarly complicated. Was the exploited vulnerability on the MSP’s side, or did a client’s negligent employee open the door? IT services providers need to know best practices for minimizing their collective risks to effectively protect their businesses, customers, and the livelihoods of everyone’s employees. Cybersecurity responsibilities must be clearly and frequently communicated to the respective parties, with periodic testing of each safety protocol to minimize the chances of a breach, ransomware attack, or other type of data-related incident.

As with any tech process or theory, a proactive management approach is essential. MSPs must continually assess their collective security environments and add new measures to reduce their company’s liability in the event something bad were to happen to their systems…or to their clients. The things that work well today may become vulnerabilities tomorrow.

The Weakest Links

Whether opening a business or walking down the street, risk is a part of life. Virtually everything and every activity brings some level of uncertainty (if not actual danger) and people spend a lot of time and effort managing the unknowns. Cybersecurity is a perfect example of that concept.

When cybercriminals compromise an organization’s IT networks or data collection and storage systems, it’s almost inevitable that someone will start pointing fingers. Failures lead to blame. There will never be an unbreakable security perimeter as long as humans are part of the equation, and the responsibility for a lapse often falls to people far beyond those making the mistake. Many business leaders expect cybersecurity to be infallible. Even when an employee bypasses company security policies or ignores basic logic, some will blame their MSPs (or their internal tech teams when applicable) for not doing more to limit, if not completely prevent, any subsequent damage. Their understanding of the scope and complexities of these attacks may not mesh with the true challenges of defending their networks, computers, and employees, especially workers who ignore rules, take shortcuts, or intentionally sabotage their systems.

Realistically, the liability for any failure should extend to all the “players.” Employees should pay closer attention and follow best practices. Company executives could invest more to strengthen cybersecurity measures and training and better enforce workplace policies. Unfortunately, everyone expects MSPs to be infallible, no matter how much their hands are tied by clients’ decisions and budget limitations, so they often take most of the blame.

Minimizing those liabilities must be a priority for every business. For MSPs, that mission is even more critical to limit their exposure to the processes and technologies actually in their control when an attack does occur. Proper safeguards and insurance coverage are an essential part of that equation.

The Known Liabilities

Cybersecurity concerns continue to grow. The problem is that there is absolutely no room for error: not from employees, business owners and managers, or the IT teams that support their technology systems. MSPs have to be more diligent than ever to reduce their own liabilities. While no IT services firm can eliminate every risk, some of the steps team members can take to minimize the company’s exposure include:

  • Setting and enforcing strict internal cybersecurity policies. Between breaches, ransomware, phishing and a slew of constantly evolving malware targeting any network opening, MSPs cannot overlook anything today. Establishing and adhering to firm guidelines for the implementation, management and support of every IT system, for clients and internally alike, must be a priority. Lapses in a provider’s cybersecurity practices and controls can significantly increase its liability if those issues contribute to the breach of a customer’s data.


  • Demanding high cyber standards from clients. There is no excuse for poor cybersecurity policy adherence today. If there was one issue that MSPs should ever consider firing a client over, this is the one, especially considering the impact a potential breach could have on both businesses. Providers must be willing to walk away from high-risk organizations to protect their reputations, financial stability, and livelihoods. MSPs that continue supporting clients with known vulnerabilities are amplifying the risks and potential monetary impact to their own bottom lines. Implementing and following through with a tough love approach, delivering cybersecurity upgrade ultimatums to poorly protected businesses, is business critical for IT firms in today’s threat environment.


  • Keep building. Cybersecurity is dynamic. MSPs may gain the upper hand over cybercriminals by installing the latest protection measures and adding support options – but those wins may be short-lived without a roadmap of continual upgrades. One of the prime reasons providers attend channel events today is to gain insight on new tools and strategies to combat ransomware attacks and social engineering schemes. Adding layers of protection and upgrading existing tools helps keep cybercriminals at bay. MSPs that continually fortify cybersecurity protection and end-user awareness training (a critical component in any plan) prevent their clients from becoming the “low hanging fruit” those miscreants typically target. Those measures also help limit providers’ liability should something bad occur. MSPs following and promoting industry best practices have less to worry about in this era of high cyber anxiety.


  • Checking all the “compliance boxes.” Failure to meet recovery time or recovery point objectives, or backup errors (including data losses), can be major legal and financial liabilities. MSPs have to be compliance experts for all of their clients and adequately support each requirement to limit their mutual liabilities in case of a ransomware attack or other data-compromising event. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), and the rules of self-regulatory bodies such as the Financial Industry Regulatory Authority (FINRA), can make clients’ heads spin. While the companies bear a major part of the responsibility for compliance, the blame for any failures is increasingly shifting to the MSP and IT communities. Providers can minimize their risks by adopting all prescribed requirements, testing systems frequently, and stressing the importance of these standards with clients, end-users and their own staff members.
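
Recovery point objectives and “test frequently” (this item, and item 6 earlier on testing never being a high enough priority) are easy to state and easy to neglect. The Python below is an added example written for this page, not code from the original article or from any backup product: it checks a constructed backup manifest against an assumed 24-hour RPO and verifies that the stored archive bytes still match the hash recorded at backup time. The manifest format, dataset names, timestamps and blob contents are all invented for illustration.

```python
"""Added example: verifying backups against a recovery point objective (RPO)
and checking archive integrity before anyone has to rely on them."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real backup system).
BLOBS = {
    "db-2024-03-14.dump": b"constructed database dump, day 1",
    "db-2024-03-15.dump": b"constructed database dump, day 2",
    "files-2024-03-14.tar": b"constructed file archive, day 1",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Manifest as an assumed backup job would record it: one entry per run.
MANIFEST = [
    {"dataset": "db", "name": "db-2024-03-14.dump", "completed_at": "2024-03-14T01:00:00+00:00",
     "status": "ok", "sha256": sha256_hex(BLOBS["db-2024-03-14.dump"])},
    {"dataset": "db", "name": "db-2024-03-15.dump", "completed_at": "2024-03-15T01:00:00+00:00",
     "status": "ok", "sha256": sha256_hex(BLOBS["db-2024-03-15.dump"])},
    # Recorded hash deliberately does not match the stored blob: simulates silent corruption.
    {"dataset": "files", "name": "files-2024-03-14.tar", "completed_at": "2024-03-14T01:10:00+00:00",
     "status": "ok", "sha256": "0" * 64},
    # Most recent run failed, so it cannot count toward the RPO.
    {"dataset": "files", "name": "files-2024-03-15.tar", "completed_at": "2024-03-15T01:05:00+00:00",
     "status": "failed", "sha256": None},
]


def check_backups(manifest, blobs, now, rpo):
    """Per dataset: is the newest successful backup within the RPO, and do its
    stored bytes still match the hash recorded when it was written?"""
    report = {}
    # Pass 1: record failed jobs and find the newest successful run per dataset.
    for entry in manifest:
        ds = report.setdefault(entry["dataset"],
                               {"latest_ok": None, "rpo_met": False, "integrity_ok": False, "issues": []})
        if entry["status"] != "ok":
            ds["issues"].append("job %s reported status %r" % (entry["name"], entry["status"]))
            continue
        done = datetime.fromisoformat(entry["completed_at"])
        if ds["latest_ok"] is None or done > ds["latest_ok"]["done"]:
            ds["latest_ok"] = {"name": entry["name"], "done": done, "sha256": entry["sha256"]}
    # Pass 2: age and integrity of that newest good copy.
    for ds in report.values():
        latest = ds["latest_ok"]
        if latest is None:
            ds["issues"].append("no successful backup recorded")
            continue
        age = now - latest["done"]
        ds["age_hours"] = round(age.total_seconds() / 3600, 1)
        ds["rpo_met"] = age <= rpo
        if not ds["rpo_met"]:
            ds["issues"].append("newest good backup %s is %.1f h old, RPO is %.1f h"
                                % (latest["name"], age.total_seconds() / 3600, rpo.total_seconds() / 3600))
        data = blobs.get(latest["name"])
        if data is None:
            ds["issues"].append("archive %s missing from storage" % latest["name"])
        elif sha256_hex(data) != latest["sha256"]:
            ds["issues"].append("archive %s fails hash check" % latest["name"])
        else:
            ds["integrity_ok"] = True
        ds["latest_ok"] = latest["name"]
    return report


def run_check():
    # Fixed "now" so the example is reproducible; a scheduled job would use datetime.now(timezone.utc).
    now = datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)
    return check_backups(MANIFEST, BLOBS, now, rpo=timedelta(hours=24))


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```

The report flags the files dataset for three reasons at once (the latest job failed, the newest good copy is older than the RPO, and that copy no longer matches its recorded hash), which is exactly the combination an auditor or an insurer asks about after an incident. In a real environment the manifest comes from the backup tool and the blobs from the storage target; what matters is that the check runs on a schedule, not only after a loss.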


No Easy Outs

Managing risk is part of doing business today. MSPs, like their clients, must strive to do the right thing everyday to minimize their legal and financial liabilities.

Following prescribed cybersecurity best practices and addressing regulatory and industry standards are essential steps. However, even the best laid plans can fail in today’s high threat environment, as cybercriminals look for even the smallest opening (typically a human error) to launch an attack.

Every organization needs a cybersecurity-specific insurance policy to minimize the monetary impact of business compromises. No MSP can expect to plug every potential gap or predict when a client’s employee will click that ransomware-launching link. Knowing the company has financial protection and support in these situations helps ease the burden (for everyone).

Triple Extortion Schemes Give Cyber Criminals More Power and Leverage


The riskiest thing many businesses do is maintain the status quo. The cybercrime community appears to take that to heart as they continue to renew and upgrade previously retired malware and launch new and more damaging versions of their malicious software. The greater the creativity, the more money they can generate from unsuspecting individuals and businesses. Unfortunately, cybercriminals are very innovative and imaginative, so MSPs and other security professionals need to work even harder to keep ahead of the latest schemes and attack methodologies.

That job gets tougher as ransomware purveyors find new ways to up their game and outfox unsuspecting and inattentive prey. The latest schemes – including triple extortion attacks − illustrate the lengths cybercriminals will go to terrorize end-users and maximize their ROI on malware development or purchases. Not satisfied with the penetration rate of traditional ransomware, they are doubling down on their successes, further victimizing end-users and businesses reeling after the initial event.

One key reason malware developers are going to that effort is they have a substantial financial stake in expanding the size and depth of the attack vectors. Much like MSPs’ desire to add incremental recurring revenue to fuel cash flow and grow their market and wallet shares, cybercriminals often rely on subscription sales of their code to ensure steady income increases. Adding new features to their “offerings” and schemes keeps demand high and malware developers profitable.

And those margins are surely high already. According to the 2022 Palo Alto Networks Unit 42 Ransomware Threat Report, the average ransom payment in cases the firm handled was roughly $300,000 in 2020 and climbed to about $541,000 in 2021, while initial demands ran far higher still. Malware victims are handing over a lot more cryptocurrency today, and those numbers will continue escalating with the introduction of new and more powerful attack schemes.

Cybercriminals Triple Down on the Threats

In 2019, with companies and the tech industry thwarting many ransomware strikes and cutting into criminals’ revenue growth, the cybercriminal community developed a way to generate more income from each successful attack. Double extortion schemes exfiltrate data from the infected systems before encrypting the network, then threaten to publish or sell the information if the company (or individual) refuses to pay. That cache may include credit card numbers, protected health information, or proprietary information that the cybercriminals attempt to sell on the black market.

Malware developers were not content with the financial outcomes of those methods and added a new twist with triple extortion. In these attacks, cybercriminals extort not only the target company but also its customers and other organizations in its ecosystem, using the data they have already stolen to apply pressure from a third direction. MSPs are certainly not the only people looking to grow wallet share today.

Imagine the impact of a triple extortion attack on a medical practice or hospital. The amount of personal information in one of those systems could put a ransomware purveyor’s kids through law school. The same scenario could put an attorney or accountant out of business, considering how much damage a data compromise could inflict on their clients and reputation. Even though ransom demands are typically smaller for the secondary victims (the patients or customers), the embarrassment and potential financial ramifications of having sensitive information leaked to the general public would be difficult for any company to overcome.

One of the first widely publicized examples of a triple extortion ruse was the Vastaamo breach, which came to light in 2020. The company ran some twenty-five psychotherapy centers across Finland and worked directly with the country’s public health services. In addition to demanding a significant bitcoin payment from the provider, the cybercriminals also sent similar demands to thousands of the organization’s patients, threatening to publish their session files if the ransom wasn’t received.

Data Protection Goes Beyond Technology Solutions   

The Vastaamo triple extortion case highlights the value of data an MSPs’ clients may possess. With access to sensitive information, cybercriminals gain great power and leverage and can make a lot of demands. An MSP’s job is to protect all data, including personal and confidential files, and prevent malware purveyors from scoring the big wins. Triple extortion is most effective when cybercriminals know they have companies over a barrel and have the leverage to dictate lucrative terms for the return of that information.

With the rise of the REvil group and its ransomware-as-a-service business model, things may worsen before they get better. According to Check Point, that group has been adding DDoS attacks to its schemes and offering to make phone calls to victims’ business partners and the media. Even if a victim’s MSP can restore networks and systems from backups, it cannot prevent cybercriminals who have made their own copies of the data from publishing or selling it.

The truth is that no IT services company can assure its clients of 100% protection from these types of threats. For those unforeseeable situations, businesses need the appropriate level of cyber insurance coverage. These policies aim to help affected companies regain their financial footing and pay for the restoration services needed to rebuild their operations, integrity, and momentum.

While MSPs address the technical aspects of rebuilding systems and networks, a client’s cyber insurer should have their back, helping provide the resources needed to get businesses back on their feet. From proactive insurance assessments and MSP-supportive recommendations to post-incident handholding, a reputable broker can help IT providers and their clients. Those are the types of services DataStream Insurance provides. We can determine if your clients are insurable and help get them protection from the latest attacks, like triple extortion…and whatever threats may come next.

What you should do if your business is hit with a cyber attack


Cyber Attacks Have Been Increasing. Are You Protected?

The Covid-19 pandemic has led to a paradigm shift in how businesses operate and the accelerated shift to digital and online operations.

With that shift has come, sadly but inevitably, an increase in the number of businesses that are being targeted by cyber criminals.

The statistics for 2020 make for uncomfortable reading. Last summer at the height of the pandemic, the FBI reported it was now receiving more than 4,000 complaints about cybersecurity attacks each day – up 400% from what they were seeing pre-covid. Interpol, too, reported a huge surge in reports of attack attempts aimed at SMEs, major corporations, governments and critical infrastructure.

The most worrying increase has come in the form of corporate ransomware attacks, where criminals hold your company’s data (including customer data) or network hostage until they get paid money. From Honda to Garmin and Cognizant to Travelex, ransomware attacks have crippled businesses, with Security Boulevard reporting that 58% of businesses ended up paying off the attackers just to get control back of their systems.

Unfortunately, most cybersecurity experts – including DataStream’s own team of analysts – now position corporate cyber attacks as an almost inevitable event that businesses should prepare for. Even with the best and most expensive cyber security technology protecting your systems, the chances are a cyber attack can and will find its way through at some point.

So, what should you do if your business is hit by a cyber attack, what do you need to do to protect your business and its customers, and what steps will you be advised to take?

The good news for customers of DataStream is that we should be your first port of call, and as part of your policy and claim process, what follows in this article is exactly what we will do for you. But not everyone will have this level of cyber insurance – or indeed cyber insurance at all – in place. In which case, these are the steps you need to take.

Call Your Experts

It sounds like obvious advice, right? But the reality is that when you discover your business has been the victim of a cyber attack, there are a whole heap of actions and steps you need to take to protect yourself, your customers, to minimise damage and financial loss, and to get you back up and running again asap. 

Many business owners will try to manage the incident response themselves, but as an insurer, and as one of the businesses dedicated to dealing with the aftermath of an attack, we would always recommend getting the experts in; aside from anything else, it immediately gives you a further layer of protection. So the first step we at DataStream recommend is to call your cyber insurance provider straight away, or, if you don’t have one, to check whether your other insurance policies cover this type of incident, and if they do, call them. A strong cyber insurance partner will help you bring in the expertise you need to contain and manage the situation and prepare you and your team for the next part of the process.

Get Specialist Legal Advice

Undoubtedly, whether (hopefully) through your insurer, or failing that independently, the next step should be to engage legal advice. 

Cyber attacks are not victimless crimes. Individuals and businesses suffer real harm because of the actions of threat actors, from data breaches to financial losses. Accordingly, there are very specific regulatory requirements businesses must meet, both in how they store users’ sensitive information and in how they alert and protect the owners of that data when an incident takes place.

Getting these responses right in the aftermath of an attack can be the difference between your business surviving or failing – and a specialist law firm should be engaged immediately to help you navigate through this situation.

The following steps are the actions we would expect a business to need to take in the immediate aftermath of an attack – but (and we cannot stress this enough) these are actions we would advise companies take in collaboration with specialist experts who can direct the response and monitor its effectiveness. In other words, unless you are that expert, don’t try and do this yourself.

Contain The Breach

The first step is to work with your cyber security providers, whether in-house or a Managed Service Provider, to contain the breach. This doesn’t mean wiping your IT systems or powering off every computer. Quite the opposite: the evidence on those machines, including what is in memory, will be critical for security analysts to figure out what happened, when and where, and powering a machine off destroys the volatile part of that evidence. Isolating affected systems at the network level preserves it while still cutting the attacker off.

Instead, containment means shutting down, as far as possible, the criminals’ routes in. For example, your providers will work to disconnect your internet gateways, disable remote access, and check and amend firewall settings. You will also be asked to advise any staff working remotely to do the same for any personal devices they use to access work IT environments.

Credential changes are also critical. Reset passwords for privileged, service and remote-access accounts first, revoke active sessions and tokens, and make sure new passwords are strong and unique. Do this once the attacker’s access routes are closed, because an attacker who still has a foothold can simply harvest the new credentials as well.

Assess What Happened

The second step to take is usually for the experts to assess the breach – what happened, when, where and how. At this stage – depending on your scale as a business and the amount and sensitivity of data you hold – you will often be asked or required to bring in specialist cyber investigators or forensic data teams. Your MSP or cyber security provider will be able to help you identify providers that can help with this, or if you are part of the DataStream family, we will help.

Either way, the key for them is to figure out who had access to the servers that were breached, what the attackers’ route in was (in other words, which network connections were online and available when the attack occurred) and how the attack was initiated: how did they get in.

Your MSP or internal security team will be able to help with this so all involved can understand this aspect, by checking security data logs, log-ins, flags on intrusion or on cyber protection systems. 
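
As an added illustration of what “checking security data logs and log-ins” looks like in practice (this is example code written for this page, not something from the original article or from any vendor), the Python below runs a first-pass triage over a handful of constructed sshd log lines. It answers the questions named above: which accounts logged in, from which addresses, and which successful logins followed a run of failures or came from outside an assumed internal address range. The hostname, usernames, addresses and the internal-network definition are all invented.

```python
"""Added example: first-pass triage of authentication log lines during the
'assess what happened' step. The log lines below are constructed syslog-style
sshd entries, not data from any real incident."""
import json
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (hostname, users and addresses are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar 14 02:11:03 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:05 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 14 02:11:09 fileserver sshd[2213]: Failed password for svc_backup from 203.0.113.45 port 51030 ssh2
Mar 14 02:11:12 fileserver sshd[2215]: Accepted password for svc_backup from 203.0.113.45 port 51031 ssh2
Mar 14 08:30:44 fileserver sshd[3090]: Accepted publickey for jdoe from 10.0.5.17 port 40110 ssh2
Mar 14 09:02:19 fileserver sshd[3101]: Failed password for root from 10.0.5.99 port 40222 ssh2
Mar 14 23:47:58 fileserver sshd[4407]: Accepted password for svc_backup from 198.51.100.7 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Assumed internal address space; adjust to the environment being investigated.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def parse_events(log_text):
    """Turn matching sshd lines into dicts, keeping log order (chronological)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text, failure_threshold=3):
    """Answer the assessor's first questions: which accounts got in, from where,
    and which successful logins look like an intruder rather than a colleague."""
    events = parse_events(log_text)
    failures_before = defaultdict(int)   # failed attempts seen so far, per source IP
    access_by_user = defaultdict(set)    # accounts with at least one accepted login
    suspicious = []
    for ev in events:
        if ev["result"] == "Failed":
            failures_before[ev["ip"]] += 1
            continue
        access_by_user[ev["user"]].add(ev["ip"])
        reasons = []
        prior_failures = failures_before.get(ev["ip"], 0)
        if prior_failures >= failure_threshold:
            reasons.append("accepted after %d failed attempts from same source" % prior_failures)
        if not is_internal(ev["ip"]):
            reasons.append("source outside internal address space")
        if reasons:
            suspicious.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "ip": ev["ip"], "method": ev["method"], "reasons": reasons})
    return {
        "events": len(events),
        "failures_by_ip": dict(failures_before),
        "access_by_user": {u: sorted(ips) for u, ips in access_by_user.items()},
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample, the two svc_backup logins are flagged (one after three failures from the same external address, one from a second external address) while the key-based jdoe login from inside the network is not. Real investigations apply the same idea across VPN, RDP, cloud console and identity-provider logs, and the output feeds directly into the “who has access” and “how did they get in” questions the forensic team needs answered.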

Understand Impact of the Breach

This aspect is critical. As a business, you need to quickly, and accurately, understand who has been affected by the breach, and what data may have been stolen or copied and if financial damage has been created. Have customers, employees, clients, third-party vendors had their data taken and how sensitive was this data? This last aspect is vital to know the further steps you will have to take as a business – both in terms of reporting this to the right authorities, and to ensure you can effectively communicate with those impacted.

Communicate to Authorities

Now you understand – or are beginning to understand – what has happened, it’s time to start telling other people what has happened. Again, what you should say, and to whom and when, are areas that your legal counsel combined with your cyber security response team, should advise you on. Don’t act without seeking their guidance first.

  • Report the incident to the Internet Crime Complaint Center (IC3). Your response team will help you, and the right pathway is here: https://www.ic3.gov/
    • The IC3 will need to know a range of information, which you can find on their website. They will ensure the information you give them is shared with other authorities.
  • You should also report the incident to your nearest FBI office or report it centrally at tips.fbi.gov
  • Additionally, you should inform your local police department as soon as possible and explain to them the potential risks posed, especially around things like identity theft if personal data has been exposed.

Develop Communication Plan

The laws governing when, where and how a customer whose data has been stolen must be notified, and what steps you, as the guardian of their data, must take, are complex. Again, an experienced cyber insurer like DataStream will have the expertise needed to help you get this step right the first time.

The first thing to remember is that these laws, which vary by state (there is currently no comprehensive federal breach notification law, although sector-specific rules such as HIPAA’s Breach Notification Rule apply to certain data), are designed first and foremost to allow affected customers and other third parties to take steps to mitigate the risk posed by criminals holding their data. The laws also act as an incentive for companies to strengthen their IT and data security.

Most states have clear rules on breach notification and what you must tell your customers. But in general, people need to know:

  • how it happened
  • what information was taken
  • how the thieves have used the information (if you know)
  • what actions you have taken to remedy the situation
  • what actions you are taking to protect individuals, such as offering free credit monitoring services
  • how to reach the relevant contacts in your organization

Working with law enforcement teams, you should also be looking to give people information that can help them minimise their exposure and mitigate threats: for example, what steps they can take if their social security numbers have been exposed, information on identity theft recovery, how to file complaints, and how you will contact them in the future.

The Federal Trade Commission has a detailed set of guidance for businesses that have experienced data breaches, including model letters to send to affected customers.  

Ultimately, everything you do post-incident is aimed at securing the data that has been stolen, protecting everyone who is impacted, getting your business operating safely again, and ensuring law enforcement agencies have the best opportunity possible to find those responsible and bring them to justice.

Experts like DataStream are ideally placed to help organisations recover in the aftermath of an event – and of course our insurance policies are designed with business continuity in mind from the start. 

Find out more about how Datastream’s cyber insurance can protect your business here or to speak with one of our experts, click this link and book a meeting.

We have to forge a strong counter-network to tackle cybercrime


Cyber criminals operate in networks – those fighting this threat need to do the same


A couple of years ago, the US Department of Justice and Europol released court documents showing how a cyber criminal organisation worked.


The documents showed how the criminals built an international online network, building malware to steal bank details in one country, launching phishing attacks from another, and passing the stolen money through several more.


In total this group, Goznym, attempted to steal an estimated $100 million from more than 41,000 victims, mostly businesses, having hatched their plan, developed their attack strategy and organised themselves on the dark web.


There are two key learnings – amongst many others – that can be taken from this rare spotlight into cybersecurity criminality networks.


Firstly, this was an attack on businesses of all sizes and across all sectors – the threat actors in this case were targeting anyone and everyone they thought might be susceptible to phishing. The documents detailed how the victims included an asphalt and paving business in PA; a law firm in Washington DC; a church in TX; a neurological equipment distribution firm in FL; a furniture business in CA and a stud farm in KY – amongst many, many others.


The second key learning was not only how this criminal gang was able to form, iterate and act as a deeply integrated community – and share huge amounts of knowledge and strategy, but also how it took the same level of connectivity between police and enforcement teams to catch the crooks. This article, on the WEF site, outlines the cyber criminal network value in greater detail: https://www.weforum.org/agenda/2019/10/cyber-crime-and-security-business/


To beat a network you need a better network.


The following statement is from one of those leading the prosecution of Goznym:

“This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime,” said FBI Pittsburgh Special Agent in Charge, Robert Jones. “Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility. Our adversaries know that we are weakest along the seams and this case is a fantastic example of what we can accomplish collectively.”


This necessity of communication, of forging your own counter-network to tackle cyber criminality, is an issue that is much wider than just the requirements of the law enforcement agencies. Once it has got to the point of police, FBI and court involvement, it’s already too late because there will be victims out there.


Instead it is an area where those working to protect organisations from cyber criminality – like MSPs, technology vendors and of course insurance specialists like DataStream – can and must get ahead of the game. To do that, it has to start with the wider sharing of data – data which can help all those on the non-criminal side of the fence to get ahead of those seeking to do damage – this currently isn’t happening enough.


The enactment of the Cybersecurity Information Sharing Act (CISA) is a solid start, though there is still much to be worked out, as is informatively written here: https://techbeacon.com/security/cisa-good-start-challenges-remain-security-information-sharing.


But it also starts with a change in dynamics around how cybersecurity insurance providers work.


DataStream CEO Andy Anderson, says: “To effectively mitigate the risk of cyber attack, businesses need three core tools to be working seamlessly together: Technology – the products that work to stop threats; Compliance – ensuring your business operates in accordance with the guidelines or regulations governing it and uses best practice for cyber security (like changing passwords, monitoring BYODs etc); and Cyber Insurance – the backup that keeps your business operational when the inevitable happens.”


Currently, insurance is very much the outlier; to borrow from the statement above, cyber insurance is the ‘seam’. Legacy insurers, those who until recently offered other insurance products but not cyber insurance, are typically not part of the cybersecurity industry, so they don’t work as truly integrated partners in the sector, and that’s a problem.

We have seen in other sectors of insurance that when insurers are part of the ecosystem, they can play a pivotal role in advancing safety. 


For example, in the US car industry, the Insurance Institute for Highway Safety was founded by three insurance industry associations in 1959 to promote better safety in motoring. The institute started by scientifically evaluating which factors (human behaviour, car design and environmental factors) were the biggest causes of both crashes and human loss and sharing its findings with manufacturers and other insurers. It has been widely credited with significantly reducing both crash and death rates, and has expanded to incorporate vehicle testing too. In other words, it got ahead of the curve and created a virtuous circle whereby the safer the car and the better the driver, the lower the insurance costs.


The IIHS also initiated the Highway Loss Data Institute in 1972. The HLDI analyzes losses under six insurance coverages — collision, property damage liability, personal injury protection, medical payment, bodily injury liability and comprehensive (including theft). HLDI collects data from companies representing over 85 percent of the U.S. market for private passenger vehicle insurance. That information helps car buyers make more informed choices about which cars to buy so they are as well protected as possible – and its database is the largest repository of such information in the world. 


In much the same way DataStream – which also uniquely has access to the largest repository of cyber insurance claims – believes that same level of cooperation and data-sharing is needed amongst those working in the cyber security space, if we are to claw back the advantage against threat actors and reduce the cost of data breach and other incidents.


One key to delivering effective cyber insurance is forging deeper partnerships between the technology vendors and support teams (MSPs) – that are at the heart of installing, maintaining and upgrading the core technologies businesses use to protect themselves – and the insurers who analyse and measure risk both at the individual business level and at a macro level across the entire sector. 


These partnerships allow all parties to analyse, mitigate and influence cyber risk more effectively, enabling more data to be gathered and assessed and subsequently to be acted on and approaches adjusted. Put simply, by working together we can better understand the threat landscape and increase resilience. 


It is exactly this shift in approach that DataStream is working to bring about. By working with the MSP community to offer insurance to their customers, we forge that connectivity from the start. We not only offer the insurance products that help with business continuity when the worst happens, but we get upstream of the problem too, helping mitigate risk and facilitating the sharing of information, data and insight that helps others stay protected as well.


This is never going to stop some attacks being successful – sadly there are too many threat actors out there already connected with others and sharing ideas and tactics. But by building the counter-network out as wide as we can, and working with other similar networks too – we stand a good chance of stopping some attacks.


And that, really, is the basis of insurance in the first place – sharing risk with others so that collectively we can face the dangers together.


Find out more about how DataStream works by visiting our ‘Why DataStream’ page here, or speaking to one of our colleagues – click this link to book an appointment. 


The power of a network can be both positive and negative – as this article begins to show. It’s a theme we at DataStream will be returning to over the coming months, as we examine how collectivity drives progress across the cybersecurity ecosystem in areas including, for example, data science.