Internet criminals may be asking target companies for details of their cyber crime insurance to calibrate their demands when launching a ransomware attack, experts say.
US observers say some ransomware specialists have asked to know the limits of a victim’s cyber crime insurance. Experts elsewhere say they are aware of criminals researching insurance details before they attack.
Ransomware criminals either steal data from companies and threaten to make it public, or place software on an organisation’s systems so data cannot be accessed. They then demand payment to return or release the data.
A group of cyber crime observers in the US said they knew of at least one ransomware attack that came with a request for the sum covered by insurance.
US security software company Varonis says it has found a ransomware case in which the hackers asked the target company to “anonymously” hand over insurance terms so they could aim for the maximum allowable in a contract.
JD Supra, an insurance intelligence site, calls it a “disconcerting, albeit predictable” development and warns against sharing details of cover.
“Policyholders are strongly advised to avoid cooperation or dialogue with attackers that would reveal policy limits or other coverage information, lest they void their coverage or embolden larger ransom demands.”
‘Exerting pressure’
A National Cyber Security Centre spokesperson told Board Agenda: “Ransomware is one of the most acute cyber threats the UK faces, and all organisations should take immediate steps to limit their risk by ensuring they have robust defences in place.
“We know that cyber criminals use these attacks to exert pressure on the victims for financial gain and, increasingly, we see attackers not only preventing access to systems but threatening to leak data online too.”
The NCSC urged companies and boards to follow its guidance on preventing and protecting against ransomware attacks.
Some observers believe cyber criminals are adapting to the growth in cyber insurance, which would require a change in “strategies to counter these evolving threats”.
One estimate forecasts cyber crime insurance will double to $22bn by 2025. Another estimate puts the number of ransomware attacks in the first half of 2022 at 236m. More than a third of UK businesses have experienced a cyber attack.
There have been reports of criminals targeting M&A activity with cyber attacks, while there has been alarm at the improved targeting of attacks and the damage caused.
‘Pivotal role’ for business
In the past month, the NCSC has urged business leaders to take a “pivotal role” in boosting defences against online threats. The NCSC, in partnership with the US Cybersecurity and Infrastructure Security Agency, launched a new “toolkit” this month to help chief executives and boards develop their cyber security policies.
Lindy Cameron, chief executive of the NCSC, who has previously warned of the cyber insurance risk to companies, said the toolkit could help prompt the high-level “security conversations” needed to keep organisations secure online.
“Cyber incidents can have severe impacts on organisations of all sizes, both in the short and longer term, from causing reputational damage to grinding operations to a halt.”
Andrew Kakabadse, professor of governance at Henley Business School, warned that while companies are targeted by criminal gangs, cyber action has also become the tool of state actors.
Suspicion of being the victim of a “covert” cyber attack requires companies to report the issue within 72 hours to the Information Commissioner’s Office. However, there is no similar requirement to report a criminal action to law enforcement agencies. He worries government is not doing enough.
“The deepest fear for companies,” says Kakabadse, “is reputational damage. Top executives have to balance promoting a positive image to enhance competitive advantage, against the level of disclosure required.
“A softly-softly approach will allow cyber crime to mushroom exponentially. The vacuum left by government inattention and covert operations against other nations positions business to lose out whichever way they turn.”
Cyber crime is not going away. Making demands for insurance details is an alarming new development.