Insurance Jottings

What 3 Experts Are Saying About Pipeline Attack and Cyber Insurance

Article in The Insurance Journal

 

Here is what AM Best, Fitch Ratings and CyberCube think about the recent ransomware attack that shut down Colonial Pipeline:

 

The ransomware attack on one of the largest pipelines in the United States highlights the interconnectedness of cyber risk and the importance of cyber security to all business operations, according to a new AM Best commentary.

 

In its Best’s Commentary, “Colonial Pipeline Attack Throws Spotlight on Cyber Insurance Market,” AM Best notes that premiums for standalone cyber policies grew more than 28% in 2020, reflecting price increases and a move by the insurance industry to get more clarity on their cyber underwriting factors.

 

While premiums in the US$2.7 billion American cyber insurance market have seen healthy growth in recent years, an even greater increase in claims has overshadowed market growth. From 2017 to 2020, according to the commentary, annual premium grew at an average of 19%; however, claims grew by 38%, reflecting a steady increase in the sophistication of criminals’ ability to penetrate and disable networks.

 

The Colonial Pipeline attack, which shut down 5,500 miles of pipeline between Texas and New Jersey, is a “manifestation of this growing sophistication and many insurers are now realising the significant risks inherent in this line of business,” according to the rating agency.

 

“As the Colonial Pipeline attack has shown, cyber is a very complex risk, with far-reaching impacts to clients and insurers alike,” said Sridhar Manyem, director of industry research and analytics.

 

“The classifications of these events as terrorism, criminal activity or acts of war have different implications for insurance, and will require guidance from government entities as clients and insurers navigate these cases.”

AM Best said the escalation in ransomware attacks also has forced insurers to re-think globally, as evidenced by the decision of AXA Insurance in France to halt ransomware crime reimbursements.

 

“Insurers that lack the appropriate expertise, ability and controls for cyber insurance risks could be subject to losses outside of risk tolerance that may have ratings implications,” the commentary concluded.

 

Fitch Ratings: Ransomware Attacks a Growing Global Threat

The recent proliferation of ransomware attacks underscores how cyber risk is cutting across sectors and becoming a growing global security and financial threat, Fitch Ratings says. The volume, size and sophistication of ransomware attacks are expected to increase, as the risk of criminal prosecution remains low and profit incentives remain high. Fitch views the increase in attacks and severity as a credit negative; however, every incident will be evaluated within the context of each issuer’s credit profile.

 

Ransomware attacks increased 485% in 2020 globally, according to Bitdefender, accounting for nearly one-quarter of all cyber incidents, with total global costs estimated at US$20 billion, per Purple Sec.

 

Ransomware attacks which threatened to release stolen data are rising and were 77% of total attacks in 1Q21. This has helped drive up the cost of ransomware attacks, with the average ransom payment in 1Q21 of US$220,298, up 43% from 4Q19, according to Coveware.

 

Fitch says recent incidents may spur internationally coordinated public and private efforts to help prepare for and mitigate against ransomware attacks. The Institute for Security and Technology recently issued a Ransomware Taskforce report indicating that combating ransomware should be a global priority.

 

The US Justice Department has established a ransomware taskforce with the FBI and federal prosecutors to increase coordination with the private sector and other agencies.

 

Issuers with less sophisticated networks, security systems and IT departments may be most vulnerable to attack, but downside risk potential is higher at larger and more strategically important entities, according to Fitch.

 

Ransomware targets every sector and geography, but certain sectors have proved more attractive targets than others. Professional services firms, such as small law and financial services firms, are popular targets of ransomware attacks as they typically possess valuable personal identifiable information, payment data, or intellectual property.

 

Cyber-attacks against schools, local government and healthcare providers more than doubled to 2,354 in 2020 from 966 in 2019, according to Emsisoft.

 

CyberCube: Pipeline Attack Is ‘Wake-Up Call’ for Insurers over Risk Accumulation

The cyber-attack on a major US fuel pipeline is a wake-up call to insurers about the potential for cyber risk to accumulate around vital infrastructure or technology systems which affect large numbers of connected organisations, according to cyber risk analytics firm CyberCube in its analysis.

 

The Colonial Pipeline is connected to 30 oil refineries and nearly 300 fuel distribution terminals throughout the United States. In addition, thousands of gas stations, consumers and hundreds of companies including mass-transit hubs such as airports, rely on Colonial to deliver fuel.

 

According to CyberCube, the Colonial attack demonstrates the vulnerability of so-called Single Points of Failure (SPoF) to cyber criminals. SPoFs are components or entire companies – physical or electronic – whose failure will shut down an entire system and affect many end-users.

 

“Colonial is a taste of what is to come. Both criminal ransomware operators and nation-state sponsored threat actors are increasingly turning their attention toward attacking SPoF,” William Altman, cyber security consultant at CyberCube, said.

 

“By going after SPoF, criminal attackers will create maximum leverage to convince their victims to pay a ransom, and nation-state actors will use SPoF as a jump-off point into adjacent systems for conducting espionage and other information operations.

 

“While we have yet to see a true accumulation catastrophe event in cybersecurity, the writing is on the wall. Recent attacks on SPoF like SolarWinds, Microsoft Exchange, and Colonial Pipeline indicate clearly the direction the industry is headed.

 

“It should now be abundantly clear to the insurance industry that cyber-attacks with catastrophic scope – and the potential for catastrophic losses – are no longer just science-fiction. In 2021, it will be widely acknowledged that a rigorous and structured approach to cyber risk accumulation management is now a prerequisite and a necessity for all (re)insurers.”

 

Colonial discovered its IT systems had been hacked on the 7th May. Prior to that date, CyberCube said, its underwriting tool Account Manager had already flagged several high-risk signals for the Colonial Pipeline including malware infections and the potential for a remote user to gain access to Colonial’s network through an Open RDP Port, which is one of the most common ransomware attack vectors.

 

“The attack underscores the rising need for underwriters to assess basic cyber hygiene alongside threat-specific risks such as ransomware for organisations of all sizes across industries,” said Yvette Essen, head of Content for CyberCube.

 

According to CyberCube, the attack was perpetrated by a group of organised criminals that likely have tacit approval but not operational support from the Russian government. The group, DarkSide, reportedly took nearly 100 gigabytes of data out of Colonial’s network in just two hours before encrypting the company’s data and leaving a ransom note threatening to release the company’s data if no payment was made. This is known as a double-extortion ransomware attack and provides an example of the rapidly evolving nature of the cyber-criminal playbook.

 

DarkSide inadvertently took down 5,500 miles of critical US oil pipeline infrastructure, causing one week of downtime before a US$5 million ransom payment was made.

 

Lloyd’s reopens underwriting room on the 17th May

Lloyd’s of London reopened its underwriting room and corporation offices on the 17th May.

 

The specialist re/insurance marketplace plans to apply a class of business rota.

 

There will be additional action over further relaxing restrictions and increasing footfall in line with the expected updated government guidance on the 21st June.

 

This will include the process of removing Perspex screens which had been installed throughout the underwriting floors.

 

The organisation will also be opening its virtual room, which was launched in September, to all classes of business.

 

The concept of the room was to add online elements that allow brokers and underwriters to connect in a similar way to the physical 1 Lime Street location in London.

 

Lloyd’s added additional features, including Meet Now / Meet Later, which will enable calendar integration between the virtual room and users’ own calendars.

 

Meanwhile, face coverings remain mandatory in all public areas of the building including the reception, lift lobbies and lifts, bathrooms, the coffee shop and when walking around the underwriting room. These can be removed when at the box or in meetings.