You’ve been hacked. It’s a sentence that can stop any organization dead in its tracks. And the potential of a breach has cemented itself as one
of the most devastating risks an organization could endure.

An estimated 2,200 cyberattacks occur each day, equivalent to one attack every 39 seconds. This surge in cybercrime carries an astronomical
price tag: Research estimates it will globally cost at $9.5 trillion in 2024, according to research Cybersecurity Ventures. And what makes the exposure of cybercrime so lethal is the evolving nature of how cybercriminals — the “bad actors” — operate to achieve their success and make a profit. Simply put, they’re very good at their jobs.

Luckily, as criminals and cyber bullies become experts in their field, so too have professionals in the insurance and risk management space.

Fine Tuning Their Methods

The threat of a cyberattack is nothing new for businesses, but there are trends and practices among cybercriminals that are worth deeming a notable risk.

“It is becoming more lucrative to have sophisticated attacks, where [a cybercriminal] spends more time crafting the attack, as opposed to the grab-and-go method where hackers are scanning the internet to find an open port,” said Gwenn Cujdik, cyber incident response manager, AXA XL. “Now, they’re making very deliberate decisions about who they’re going to attack and how they’re going to accomplish that.”

Others agree. Patrick Thielen, global head of cyber for Liberty Mutual, noted that cybercriminals are simply waiting for an opportunity to strike. “Opportunistic attacks apply to everyone, from individuals and families, small- and microsized businesses to large businesses, in every industry and geography,” he said.

“Essentially, [bad] actors are waiting for victims to raise their hand and say, ‘Hey, I left my doors unlocked; come on in.’”

In terms of the methods utilized, bad actors’ tried-and-true tactic continues to be ransomware: “In 2023, we saw a real uptick in ransomware attacks specifically,” said John Farley, managing director of Gallagher’s cyber liability practice.

Patrick Thielen, global risk solutions, global head of cyber, Liberty Mutual

“Hackers are regrouping, rebranding and introducing new variants of ransomware into the ransomware ecosystem,” he said. “We’re certainly seeing them go on the offensive again.”

Thielen also touched on ransomware and the tools utilized to make this tactic such a popular one for hackers. One example is a tool that hackers will use to look for potential openings in a victim’s defenses: “You might have a cyber actor that’s [using] a particular tool that’s good at exploiting a vulnerability on a particular piece of software,” Thielen said. “Finding these vulnerabilities is an easy scan, [and bad actors] can find large numbers of them fairly quickly.”

Social engineering still stands as a favorite method for cybercriminals to successfully hack into an organization’s internal infrastructure.

Antonio “Tony” Trotta, VP of financial lines and claims practice leader for cyber & professional liability, QBE North America, shared how hackers will deploy this tactic: “They would socially engineer the users of those devices to share a one-time multifactor authentication (MFA) password with them.”

Trotta added that because the employee did not request this access to the system, they would likely ignore the request. “What [the hacker] would do is something called MFA notification fatigue, where they would blitz you 24 hours until [the employee] is like, ‘I can’t stand this,’ and approve the MFA,” Trotta said.

And, of course, the ever-popular phishing email technique never gets old for bad actors.

As for which industries can find themselves vulnerable or susceptible to a cyberattack, most experts agreed that the manufacturing and professional services industries are most  at risk. Professional services include the engineering, health care and technology industries. Additionally, the financial sector has also experienced a significant number of cyberattack attempts, but its efforts to repel attempts are usually successful.

“The manufacturing and distribution segments both have a high degree of technological dependency and are often reliant on operational
technology, which tends to be more outdated,” said Jamie Schibuk, EVP, head of cyber & professional liability, Arch Insurance. “This makes them much more vulnerable to an attack, which can then result in it becoming much more severe from an operational standpoint.”

Responses Ramp Up

As businesses better understand how bad actors work to infiltrate their systems, this knowledge can be utilized to properly defend against attacks.

With every type of cyberattack, a different response is needed.

“The way that [organizations] deal with these events is very different, because the severity of the events can be very different,” Cujdik said. “It’s not a one-size-fits-all, so it’s important to make those distinctions to be able to tackle this in a meaningful way.”

Before implementing any cybersecurity measures, a business must be able to identify possible exposures or gaps. Once gaps are noted, businesses can then work with their insurers to craft coverages and response plans that check all the boxes.

A major component of a proper cybersecurity practice is employee awareness: “You’re only as strong as your weakest link,” said Ian Walsh, VP and U.S. cyber product leader, QBE North America. “Having annual cyber risk trainings, continuous phishing campaigns and making sure that your user base is aware, especially those people that are touching critical assets … it cannot be emphasized enough.”

Thielen noted that fostering a healthy culture of cybersecurity is imperative to ensure best practices are being prioritized from top to bottom.

“It starts with the board, asking ‘What kind of culture do we want our organization to have from a cybersecurity perspective?’” he said.
“Start there and make it everybody’s job to be accountable and engaged in security … You can invest billions of dollars in security, and you’re still not 100% secure, because people aren’t perfect and can be tricked or coerced into doing things.” This makes education an even more crucial component to top-notch security.

Other prevention measures include MFA, stringent verification methods for information access and the consistent use of strong passwords — “sixteen characters for normal passwords, 25 characters for administrative or highly privileged content,” according to Walsh.

Every business or organization should have a tested incident response plan crafted and ready to be deployed at any moment.

“Having a tested response plan is critical, because what we’ve seen is that an untested plan is essentially having no plan at all,” Trotta said.

Most importantly, businesses need to foster communication with their insurers about their tools and plans to be set in motion should disaster strike.

“[Insureds] should have an insurance carrier that is willing to put in the time to have meaningful dialogue with them ahead of an event,”
Cujdik said. “Starting that relationship, building that trust can be hugely instrumental in how you recover from an event.” &