When the BlackCat ransomware gang compromised healthcare-billing services firm Change Healthcare in February, several security controls failed: The company did not adequately protect its Citrix remote-access portal, did not require employees to use multifactor authentication (MFA), and failed to implement a robust backup strategy.
The subsidiary of UnitedHealth also had no cyber insurance, meaning its parent company had to foot the bill, at least $872 million, and — in hindsight, perhaps just as important — missed the benefit of a cyber insurer’s focus on what strategies can minimize claims. Both insurers and “insursec” firms, which combine insurance and security services, are awash in data on the current threat landscape and the technologies that appear to make the most difference — among them, backups, MFA, and protecting remote-access systems.
Finding the right security technologies for the business is increasingly important, because ransomware incidents have accelerated over the past few years, says Jason Rebholz, CISO at Corvus Insurance, a cyber insurer. Attackers posted the names of at least 1,248 victims to leak sites in the second quarter of 2024, the highest quarterly volume to date, according to the firm.
“Without a doubt, attacks are increasing in terms of frequency and severity — the data is pointing to that,” he says. “We also see that when you focus on specific security controls, you can have a meaningful impact on both preventing those incidents, but also in just recovering from the incident [with fewer costs].”
Cyber insurance has become a security best practice, with the vast majority of security-mature companies (84%) retaining a cyber-insurance policy while another 9% are in the process of obtaining a policy, according to a recent survey of 400 security decision makers by insursec firm At-Bay and analyst firm Omdia, a sister company to Dark Reading. Overall, 72% of all firms consider cyber insurance to be critical or important to their organization, the survey found.
Three (or Five) Defenses Every Company Needs
More than 60% of insurance claims involve a ransomware incident, while email-based fraud accounts for another 20% of claims, according to At-Bay. Because most successful attacks use vulnerable or misconfigured remote-access points or compromise an individual system through email, improving security on those two vectors is paramount, says Roman Itskovich, chief risk officer and co-founder at At-Bay.
The insurer charges less to customers who use email systems with better security, such as Google Workspace, and more for on-premises email systems, because Google users have filed fewer claims. The insursec firm also found that companies that use self-managed virtual private networks have a 3.7 times greater likelihood of filing a ransomware claim.
“We take VPNs very seriously in how we price [our policies] and what recommendations we give to our companies … and this is mostly related to ransomware,” says Itskovich.
For those reasons, businesses should take a look at their VPN security and email security, if they want to better secure their environments and, by extension, reduce their policy costs. Because an attacker will eventually find a way to compromise most companies, having a way to detect and respond to threats is vitally important, making managed detection and response (MDR) another technology that will eventually pay for itself, he says.
“How do you catch someone who just made the beachhead before they access your database, or before you get to your accounting system?” Itskovich says. “For that, we find that EDRs are very, very effective — more specifically, EDRs that are managed.”
Backup, But Verify
For smaller companies, email security, cybersecurity-awareness training, and multi-factor authentication are critical, says Matthieu Chan Tsin, vice president of cybersecurity services for Cowbell. In addition, secure data storage can help get a company back up and running quickly, minimizing the business impact of a ransomware attack, he says.
“We look at encryption and how we help our policyholders better store the data,” Tsin says. “Having good backups, having some cloud backups, some in-house backups [are critical], because that’s truly the one thing that will get them back to business as quickly as possible.”
Companies with robust backups are about 2.4 times less likely to need to pay a ransom, according to Corvus Insurance. The cyber insurer recommends a “3-2-1 policy,” where the business makes three different backups to at least two different types of media, with at least one backup kept offsite. The company found that policyholders with strong backup strategies claimed 72% lower damages than businesses that did not maintain robust backups, according to its Q2 2024 Cyber Threat Report.
The strategy is effective enough that attackers have moved to double-ransom techniques, where they not only encrypt data to make it unusable, but also steal the data to extort the business. In 2024, nearly all ransomware incidents (93%) involved data theft, a sharp increase from 2022 when less than half of incidents involved data theft.
“Backups can have a pretty meaningful impact as a kind of line of last defense, if you are getting attacked via ransomware,” Corvus’ Rebholz says.
The Dark Horse: Disruption Risk From Third Parties
Attackers also seem to be focused on compromising aggregators — third-party firms that have some sort of privileged access to a host of other companies, such as network-monitoring service SolarWinds, healthcare billing provider Change Healthcare, and auto dealership services firm CDK Global. In the second quarter of 2024, third-party breach events accounted for about 40% of all claims processed, up from 20% in the last quarter of 2023, according to Corvus.
“We call out IT services as one of the industries that are getting hit, and that’s one of those reasons — it’s just kind of a one-to-many [relationship], right?” Corvus’s Rebholz says. “What we can see from this year — in particular, the first half of the year — is there are some big names out there that were third parties that got hit, and we can see a subsequent increase in the frequency because of that.”
Major destructive attacks, such as WannaCry and SolarWinds, can lead to significant costs for cyber insurers, and in some ways are analogous to natural catastrophes. However, determining the right risk ratings for such events is more difficult, because the causes — and probability of occurrence — are far from simple, says At-Bay’s Itskovich.
“[SolarWinds] was a threat actor delivering malicious software through the update mechanism; CrowdStrike was a software error in the update; CDK Global was a ransomware attack on the company; WannaCry was a widespread vulnerability,” he says. “If you [think about] natural catastrophes, you deal with hurricanes and earthquakes and maybe a couple other secondary perils — it’s much simpler.”