Since the advent of the Internet, social media has become an unavoidable mass phenomenon. In a few short years it has forced us to rethink corporate strategy and information system management. Today, a company's website is its calling card. Cyber security norms have evolved as cyber attacks have both increased in number and become more sophisticated. What are the particularities of cyber risks, and what are the threats to our IT systems?
What is cyber risk?
Cyber risk is the threat of financial loss, data disclosure, business interruption, or damage to a company's reputation or computer systems caused by a cyber-attack. These risks can take several forms:
- Deliberate and unauthorized intrusion into a system to obtain secure information for espionage, extortion, or humiliation.
- Unintentional or accidental intrusion into a secure system, the risk of which must still be managed.
- Information technology operational risks arising from poor system integrity or other factors.
What risks are generally covered by cyber insurance?
According to a study of 2021 Canadian ransomware statistics published on Tucu's blog:
- More than 4,000 cyberattacks in Canada in 2021: 2020 saw a massive increase in cyberattacks all over the world. Canada, in particular, reported over 4,000 attacks over the year, an average of 11 attacks a day. (Source: Emsisoft)
- Almost 75 percent of ransomware attacks resulted in data encryption: one of the main ways ransomware extorts businesses is by encrypting their data, in effect locking them out of their own databases. (Source: Sophos)
- Ransom demands in Canada were estimated at $314 million CAD in 2019 and rose to an estimated $796 million CAD in 2020, more than 2.5 times higher. Canada, one of the top targets of global ransomware attacks, fared much worse than the global average. (Source: Emsisoft)
- Data breaches cost Canadian small businesses more than $12,000 CAD per employee. Data breaches have become commonplace. Sometimes these breaches leak customer data, but more often they result in the theft of employees' Personally Identifiable Information (PII). This brings three potential costs: ransom demands, data recovery costs, and fines imposed by the government. The fines may seem counterintuitive, but they exist as a deterrent to lax security practices, which matters in the fight against cybercrime. (Source: Scalar Security)
Many, if not most, liability insurance or errors and omissions policies do not cover cyber threats, which is why cyber insurance has become a "must" for many organizations. In the United States, for example, demand for cyber security insurance has doubled in the last four years. Claims have been so numerous and so large that cyber insurance premiums have skyrocketed over the same period. Importantly, more and more applications for cyber insurance are being denied because of this unprecedented demand. The better an organization is protected against cyber attacks, the less likely its application for cyber security insurance is to be rejected.
Cyber risks are of different natures
Not all cyber insurance policies provide the same coverage. The risks which may be covered include:
- Ransomware attacks
- Malware and Account Take-Over (ATO)
- Information System Intrusion
- Identity theft
- Phishing or vishing
- Denial of Service (DDoS attack)
- Website Defacement
Ransomware attacks
Ransomware is a cyberattack whose purpose is to obtain payment of a ransom. Cybercriminals plant malicious software in the computer system to encrypt or steal the victim's sensitive data, then demand a ransom from the now-vulnerable victim.
Malware and Account Take-Over (ATO)
Malicious software is used to take control of an account to the detriment of its owner. The cybercriminal or group that planted it thereby gains access to the company's networks, messaging and intranet.
Information System Intrusion
Information system (IS) intrusion represents 20% of cyberattack cases. The cybercriminal breaks into the IS to alter its operation and steal sensitive data, and may then make a ransom demand.
Identity theft
Identity theft is assuming a person's identity to carry out fraudulent actions. In the case of a company, the cybercriminal usurps the identity of a legitimate corporate user and then places large orders, takes out loans, etc. in the name of the person or company whose identity has been stolen.
Phishing or vishing
Phishing is a fraudulent text message or email that impersonates a trusted third party to trick the victim into handing over personal and banking information. Companies that fall victim can see their computer networks compromised. No flaw in the system itself is required: the attack exploits the user, so data theft is possible even on a fully patched system. Vishing (voice phishing) is the same scam carried out by telephone.
Denial of Service (DDOS attack)
A denial-of-service (DoS) attack makes a server inaccessible, causing an outage or severely degraded service; a distributed denial-of-service (DDoS) attack does the same using traffic from many sources at once, which makes it much harder to filter. For reference, the French national agency for information systems security (ANSSI) confirms a 255% increase in cyber risks between 2019 and 2020.
Website Defacement
Defacements result from flaws in a web page, compromised administrator access, or a vulnerability in the web server's operating system. Most of the time only the home page is defaced. A defacement does not in itself cause data loss, but it shows that the attacker had write access to the server, so the incident should still be investigated.
How to become Cyber-Insurable?
Bradley & Rollins is a cybersecurity firm specializing in Dark web investigations. Its mission is to protect businesses from cybercriminals by reducing their cyber risks, responding to cyber crises, and identifying the company's exposure on the Dark web. We help our clients reduce their cyber risks and make the necessary preparations before applying for cyber insurance.
Our vision is to be the market reference for innovation in cyber intelligence and Dark web investigation tooling, surveillance and consulting. Our leadership team has been a pioneer in cyber-security since 1999. Bradley & Rollins is developing its expertise in supporting large-scale cyber-defence projects and providing high-value strategic consulting services. Bradley & Rollins is a consulting firm specializing in cyber-resilience and technology.
Written by Bertrand Milot