At RISKWORLD 2023: More Than Just a Black Hoodie — What Organizations Are Up Against When It Comes to Hackers

A RIMS session took attendees into the mind of a hacker, exactly how they infiltrate organizations’ systems and how companies can protect themselves.

By: Emma Brenner | May 3, 2023

When picturing the typical hacker or cyber bad actor, we tend to imagine a faceless person donning a black hooded sweatshirt, perhaps hunched over a computer. This image has become ingrained as the standard when thinking about hackers, but it couldn’t be further from the truth.

“For hackers, this is their business and their livelihoods; this is how they feed their children,” said Joey Sylvester, area senior vice president with Gallagher and a 2020 and 2022 Risk & Insurance® Cyber Power Broker.

A hacking business operates just as any legitimate business would. Hackers have quotas they must meet — at the expense of the systems they will ultimately breach.

“They’re constantly innovating, finding new, interesting ways to exploit vulnerabilities, compromise systems and get money,” Sylvester said.

Sylvester, along with John Lundgren, CEO and cofounder of BreachBits Inc., discussed the thought processes behind a bad actor’s attempt to hack into a company system — and how to thwart any type of attack — at this year’s RISKWORLD conference.

The session, entitled “Ransomware Postmortem: The Anatomy of a Cyber Breach,” brought attendees through the mind of a hacker, how exactly they play on the weaknesses of their targets and what companies can do to avoid suffering losses.

Hackers: They’re Just Like Us

For companies and businesses to truly understand how they can defend themselves from cyber threats, they must first step into the mind of a hacker. Luckily for attendees, Lundgren served as the portal into the inner recesses of a hacker’s brain.

Joey Sylvester, area senior vice president, director Cyber Risk Solutions, Gallagher

Lundgren’s company, BreachBits Inc., was formed to research and understand the technologies hackers use every day in order to help companies discover which cyber risks were most prominent for them.

“Most of my experience has been thinking, acting and working from an attacker’s standpoint,” he said.

Lundgren then touched on the importance of understanding the enemy: “[Companies] need to know where [the hacker] is coming from in order to use that information against them.”

What can be striking to know about the operations of hackers is that they function according to a similar organizational structure as any other company. They follow a very standard business model, according to Lundgren, in which there is a hierarchy of positions that are goal- or metrics-driven.

In fact, hackers can work during normal business hours, be offered compensation packages and even complain about their bosses and colleagues in Teams chats. Sound familiar?

Sylvester interjected to note that the business model hacker organizations follow proves how sophisticated they actually are. It’s not as simple as the faceless persona in a black hoodie.

“[Companies] aren’t up against just one person; they’re up against an entire industry,” Sylvester said.

And because hackers believe that a company’s insurance policy will cover any loss from a breach of security, they view infiltrating a company’s systems as a “victimless crime,” Lundgren said.

The Attack Cycle

Before a hacker jumps on the next task on their to-do list, it is important to distinguish what their motivations could be. In many cases, a hacker’s motivation will stem from financial gain, but there could be times in which breaching an organization’s systems could take place for strategic reasons.

Lundgren then broke down what he referred to as the attack life cycle that hackers will use to conduct their jobs successfully.

To start, a bad actor will target an organization, or their “customer.” To find an optimal target, hackers will begin by reviewing organizations’ revenues, recent acquisitions or big investments. They’ll also investigate, looking for opportunities that will allow them to infiltrate an organization’s systems.

Then, a hacker will transition to the reconnaissance phase.

“What they’re looking for here are attack or threat vectors,” Lundgren said. “It’ll be a combination of an opportunity [to attack] that you’re presenting to this group, where they can pair that with the capabilities they have.”

Once a hacker organization has completed the reconnaissance step, the “easy” work begins. They’ve found a way into a company’s systems, and they’ll want to ensure that they can maintain their access.

To do this, a hacker will install malware onto the hacked company’s server so that information can be shared between computers. Lundgren said that, often, hacker organizations are merely using malware codes and capabilities that are free and open to the public.

“These organizations have margins; they’re trying to maximize their profit while limiting their expense,” Sylvester said. “So, the really cheap thing to do is send a phishing email and use an exploit that they can download from a dark web forum.”

Once a hacker has initial access and establishes their foothold, they increase their account privileges, which allows them to access the information and data that would hurt a company, should it be released. They continue to expand their access until they achieve their objective, which is typically extorting a company’s information for ransom.

“[A hacker] is not going to try and extort [a company] for ransom until they think they’ve achieved that leverage imbalance, or they’re going to fake it,” Lundgren said.

Once a hacker has achieved their goal and met their quota, the attack life cycle begins again, searching for its next customer.

How to Ruin the Hacker’s Day

Hacker organizations are smart — there’s no two ways about it. But it’s imperative that companies can readily prevent or fight off any bad actor attempt.

Sylvester discussed how organizations can do just that.

“[Hackers] are constantly innovating and finding new ways to exploit vulnerabilities,” he said.

“There’s no system that is 100% secure, but there are a lot of very simple basic hygiene steps that [a company] can take to thwart a large majority of attacks.”

As mentioned, a main priority for a hacker is to keep their margins low. To be an unfavorable target, Sylvester mentioned the notion of becoming an expensive target.

Sylvester noted a slew of methods a company can use to protect itself prior to a breach, and perhaps to prevent one altogether. These tactics included performing risk assessments, investing in controls that will disrupt a hacker’s progress and educating team members on how to do this as well.

Establishing and practicing a plan to enact in the event that a breach does occur, Sylvester said, is the optimal path to take. Alerting authorities such as the FBI and CISA after a breach is also advisable. &

Emma Brenner is a staff writer with Risk & Insurance. She can be reached at [email protected].

Why Insureds Might See an Uptick in M&PL Claims

George Schalick, Jr., Senior Vice President of the Management and Professional Liability Division, Philadelphia Insurance Companies

The current soft market might come as a bit of a surprise as it does not track with previous underwriting cycles and economic conditions. Afterall, many privately held and non-profit organizations struggled during the early days of the pandemic with shutdowns and rapidly declining revenues. But the Government assistance programs, like the Paycheck Protection Program loans, helped keep many afloat during the tough times.

“During COVID many organizations stopped doing business until they were able to sort out all of the health and safety challenges,” Schalick said. “They were forced to lock down, but then all the government assistance programs allowed them to keep people employed. The increased volume of claims we anticipated we would see coming from the lockdowns and restrictions that were imposed upon businesses in the U.S. didn’t manifest at first.”

“Just because there wasn’t an onslaught of reported claims at the beginning of the pandemic, doesn’t mean the circumstances that would give rise to a claim being reported didn’t occur. Courts and the judicial system were closed or slowed and now that they are back open, we’re starting to see the circumstances that occurred during the COVID lockdowns becoming claims today,” Schalick said. “Litigation is progressing.”

Added to the delayed pandemic litigation is a concern over newer claims that might be filed as the country inches toward an economic downturn. Though a recession was avoided in 2023, experts think a soft dip could occur in 2024, with 76% of economists saying there’s a 50% or less chance of an economic downturn this year — that almost always results in more management liability claims.

“During the Great Recession in 2008, we saw an almost immediate spike in claims because of the economic conditions and the pressure it placed on organizations. They were making personnel changes with significant belt tightening almost immediately.” Schalick said.

What’s in Store for M&PL Policy Rates in 2024?

Despite an uptick in claims and increased economic uncertainty, management liability rates haven’t increased, resulting in market-wide pricing levels that may not meet the increased pressure of rising settlements and jury verdicts.

“Rates are going the other direction and settlement values are not falling,” Schalick said.

The mismatch between rates, claim frequency and severity is, in part, because carriers experiencing the dramatic soft market in the public D&O market are seeking premium gain in the private and non-profit market.

“In the public company market, the rates have been decreasing significantly. The rates were increasing in the private, not-for-profit market, and rightfully so, but there’s a desire to supplement overall mid-size D&O for carriers who also write private not-for-profit, and they see that as an opportunity to aggregate premium,” Schalick said. “So the always competitive landscape in the private, not-for-profit market has dramatically increased in the last 18 to 24 months.”

Still, companies of all sizes and types should be concerned about management liability rates in the future. Legal system abuse is resulting in increases in both the amount of litigation and the size of verdicts plaintiffs are receiving.

Certain areas of the country are particularly vulnerable to this type of legal system abuse. As a result, insureds in these localities are likely to be vulnerable to rate increases.

“The environment is so positive for the plaintiff that forces premium increases so carriers are able to stay in that market long term,” Schalick said.

Why a Tenured Carrier Partner Can Help Insureds Navigate An Uncertain Market

It’s clear that insureds are facing an uncertain M&PL market over the next few years. Fortunately, carriers with a long history in the M&PL space will be there to offer stability.

Philadelphia Insurance Companies has been supporting this market for 35 years. PHLY is committed to offering long-term rate stability, even as economic and claims trends start to push premiums upwards. They have an appetite for all sorts of companies, large and small, for-profit and nonprofit alike.

“We’ve been at this game for a long time and are one of the most tenured underwriters in this space,” Schalick said. “We like to stay very consistent.”

PHLY has worked with both for-profit and non-profit on management liability policies. With dedicated M&PL teams throughout the company’s 13 regions, PHLY provides the support agents and brokers are looking for on behalf of their clients. The teams know their regions well and can respond to local trends. They’re also dedicated to making the renewal process as easy as possible for their partners and policyholders.

“We have real confidence in our results, so we focus a lot on making the renewal experience as painless as possible for all agents and insureds,” Schalick said.

The company is also investing in tools to help insureds avoid losses. Earlier this year, they launched a new online risk management platform, PHLYGateway, which offers resources for insureds on how to create an employee handbook and trainings on issues such as recognizing workplace sexual harassment and discrimination.

If insureds have questions, they can consult a Best Practices Help Line, provided via the platform. That way, they can get on the spot risk management guidance to help them prevent claims.

To learn more, visit: https://www.phly.com/mplDivision/managementLiability/default.aspx.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Philadelphia Insurance Companies. The editorial staff of Risk & Insurance had no role in its preparation.