Author: Joey Sylvester
Threat actors across the globe are targeting critical infrastructure with malware, causing chaotic disruption, threats to our privacy and significant financial consequences for public entities.
Ransomware attacks have proliferated at an alarming pace over the last few years:
- In the recent NetDiligence Cyber Claims Study 2021 Spotlight on Public Entities, nearly one-third of all cyber claims in the public sector involved ransomware
- In Coveware's 2021 Q3 report identifying ransomware trends across all industry sectors, the public sector ranked as the second most targeted industry, accounting for 14.8% of the incidents in the study
- Out of all the known ransomware events of 2021, one in six targeted the public sector
Public agencies and schools have smaller staffs and limited budgets dedicated to cybersecurity, along with aging cyber infrastructure. But threat actors know that these public entities must continue to operate and serve the public and, as a result, they believe ransoms will be paid because there can be no downtime.
The problem is compounded by widespread vulnerabilities and intrusions that have impacted numerous entities around the country, including the Microsoft Exchange hack and SolarWinds, not to mention the many changes brought on by the onset of the COVID-19 pandemic. The recent Log4j vulnerability is just the latest (and widely exploited) issue to be uncovered. See our recent client advisory for more information on patching this critical vulnerability.
Impacts on cyber insurance and beyond
Many cyber insurers have seen losses increase significantly in the public sector. As a result, carrier appetite has tightened considerably and underwriting requirements have become increasingly stringent. Sub-limits and coinsurance provisions have become commonplace, especially regarding ransomware losses.
Nearly all carriers are asking more detailed questions related to ransomware through the use of supplemental applications. Answers to these questions can take center stage in your renewals depending on which controls your entity has in place.
Multifactor authentication requirements
Perhaps the most prominent requirement for coverage these days is multifactor authentication (MFA). MFA requires a second factor, like a one-time use code or a push notification to a smartphone, in addition to your password in order to gain access to the system or network. For an employee working from home or accessing email remotely, the steps are simple:
- Employee logs in with their normal password
- MFA is triggered and the employee must then authenticate their account via a separate means (e.g., an app-specific notification on the employee's smartphone)
- The MFA threshold is satisfied and access is granted
If the same login is attempted with a stolen password, here's how it would play out:
- Hacker uses a stolen password to access the entity's systems remotely
- MFA is triggered and a notification is sent to the app on the employee's smartphone
- Employee receives notification and declines the request, and the hacker is denied entry
- Employee alerts IT and passwords are reset
Even if the employee's password has been stolen, it is useless to an attacker who does not also hold the second factor, provided the employee declines the unexpected prompt rather than approving it. Research shows the vast majority of account-compromise attacks can be prevented through the use of MFA. It's no wonder insurance carriers view this with such importance and are now requiring the presence of MFA at multiple levels for renewals, not just for email.
Multifactor authentication solutions
There are several MFA solutions in the market that can accommodate public entities of all sizes and budgets. We recommend contacting MFA vendors about setting up MFA as soon as possible. Keep in mind that underwriters are increasingly looking for MFA to be applied at multiple levels, but this is just one of many top underwriting concerns.
Other top underwriting concerns include such things as:
- MFA for remote access to the network
- MFA for administrator and privileged user access, including access to routers and switches
- MFA for access to critical backups
- MFA for web access to email
- Offline/off-site backups for critical data and regular testing of the backups
- Encryption on portable and employee devices
- Employee training and phishing campaigns
- Critical patch management and cadence
- Endpoint detection and response (EDR)
- Privileged account management (PAM) solutions
Best cyber security practices for public entities
In addition to implementing the above controls, it is recommended that public entities follow these seven best practices:
- Conduct cyber risk assessments, including internal and external vulnerability scans, penetration testing, threat intelligence monitoring, investing in physical security around critical IT assets, and assessing insider threats.
- Implement robust IT security policies for data governance, data security, cyber risk management, physical and environmental security, compliance and maintenance.
- Have a tailored and practiced incident response plan (IRP) with an interdisciplinary approach across departments and vendors that may be involved in the management of a cyber event. The IRP should be broad enough to encompass all types of cyber incidents that may occur, from data breaches to systemwide ransomware attacks. Studies show that many plans go untested and are outdated, and those that are tested often reveal major flaws. Your IRP should be reviewed and updated at least annually, and tested to stay current with today's threat landscape and your internal staff and structure.
- Conduct a tabletop exercise to test your IRP. Carriers will want to see this as part of the renewal process, and it is a good practice to incorporate. The best tabletop exercises will have an interdisciplinary approach, just like the IRP.
- Take advantage of carrier and broker resources. Many cyber carriers offer free or discounted resources when you purchase their insurance policy. This can range from external scanning on an ongoing basis to free training for employees, and much more.
- Conduct a thorough review of your vendors and subcontractors for their own cybersecurity posture. This should also include a review of contracts to gauge exposure following a cyber incident that may impact you due to their negligence.
- Transfer the risk by purchasing a cyber insurance policy. In the interest of keeping your entity's data safe and limiting downtime from a potential cyber attack, a cyber insurance policy not only provides the financial safeguards of a typical insurance policy but also gives access to experienced vendors, from breach coaches and legal counsel to digital forensics investigators, to address the aftermath of an incident. These vendors can help you manage the fallout of a data breach or other cyber attack, including legal guidance to remain in compliance with state laws and regulations, public relations assistance when needed, and rebuilding your systems to the state that existed before the attack. Some policies even allow for betterment expenses to improve the overall stability and security of the network.
Implementing these controls can help keep your data safe, limit downtime in the event of an attack and help turn the tide against the ongoing cyber attacks we face today. I encourage you to speak with your insurance broker about these controls now. An early start can make all the difference in your insurance renewal, with the added bonus of significantly improving the management of cyber risk.