Cybercriminals continued to change their tactics and adapt their techniques in 2022, according to experts speaking at the Triple-I Joint Industry Forum (JIF) last week.
“Ransomware as a business model” remains alive and well, said Michael Menapace, an insurance attorney at the law firm Wiggin and Dana LLP and a Triple-I Non-resident Scholar. What has changed in recent years is that “where the bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to make it public.”
The types of targets have also changed, Menapace said, with an increased focus on “softer targets — particularly municipalities” that often don’t have the staff or finances to maintain the same cyber hygiene as large corporate entities.
Theresa Le, Chief Claims Officer for Cowbell Cyber, agreed with Menapace’s assessment, noting an increased tendency for cybercriminals to contact organizations’ customers or leaders as “a pressure point” for the organization to pay the ransom to avoid reputational damage.
“Threat actors focus on the quality of the data they can extract while they are ‘in house,’” Le said, “so it’s not just stealing social security numbers or other information they can sell on the Dark Web, as it was a few years ago. It’s really much more thought out and focused.”
Scott Shackelford, a professor of business law and ethics at Indiana University’s Kelley School of Business, reinforced Menapace’s and Le’s observations about the increased sophistication and adaptability of cybercriminals by talking about government-sponsored breaches.
“It’s not just the North Korea of the world,” he said, adding that “a growing cadre of nation-states” is launching attacks “not only against big companies but increasingly small and medium-sized businesses, even local governments.”
“We started a cybersecurity clinic two years ago,” Shackelford said, “and the number one request we’re getting from local governments and small businesses is about insurance coverage. There’s a big need out there for better information.”
Shackelford emphasized the continued development of the Internet of Things (IoT) as an “attack surface.” In the new pandemic-driven environment of working from home, he said, “What counts as a covered computing device for some of these policies has led to litigation and remains a major vulnerability that we’re just beginning to wrap our minds around.”
The conversation, moderated by Frank Tomasello, executive director of The Institute’s Griffith Insurance Education Foundation, spanned topics that included:
- Deep fake technology;
- The importance of aligning insurance pricing to risk – and educating policyholders on how to get a better price by becoming a better risk;
- How threats differ for different size organizations and for individuals; and
- The need for better data and information sharing around cyber attacks and trends.