Every day, bad actors are scheming and executing new ways to exploit company networks in the United States and around the world. However, law enforcement agencies, cyber insurance carriers, and cybersecurity providers are working diligently to sabotage their plans.
Doug Howard, CEO at Pondurance, moderated the webinar “Cyber Risk Vantage Points: From Law Enforcement to Cyber Insurance” to discuss the evolving roles of bad actors, federal and international law enforcement agencies, complaint statistics for cyber activity, and trends in insurance claims. The panel included David Scott, Deputy Assistant Director, Cyber Division, at the FBI; Mark Greisiger, CEO at NetDiligence; and Max Henderson, Senior Manager of Incident Response at Pondurance.
Bad Actors
In the past, the FBI identified cyber activity as fitting into the following roles: hacktivism, crime, insider, espionage, terrorism, or warfare. Today, these distinct roles have begun to overlap, and individuals who previously fit neatly into only one of the categories no longer do. According to David Scott, the FBI now sees criminal actors contracting their services to foreign intelligence services and nation-state actors moonlighting as criminals for financial gain.
“One single actor supplying a single supply chain can cause cascading effects across multiple sectors across a community, so this is a new change that we’re seeing a lot, especially over the last year or so,” said Scott. “They are willing to cross those lines, which makes it challenging, and then it definitely makes it concerning for all of us.”
Law Enforcement Agencies
To combat cyber activity, law enforcement agencies in the United States and abroad interact to exchange information about their cyber adversaries. The FBI maintains 56 field offices, each with a multiagency cyber task force manned with investigators, special agents, intelligence analysts, digital forensic technicians, and more, all with a focus on helping victims of cybercrime. These offices work with the Intelligence Community, the National Cyber Investigative Joint Task Force, and cyber assistant legal attachés to protect national security against cyber threats worldwide.
These agencies share intelligence information to keep the United States safe from cyber threats, and they also aim to develop relationships with private sector companies to share information about cyber activity before an attack occurs. Therefore, it’s important for the agencies to develop relationships with companies in the private sector. The agencies can deploy their cyber action teams within hours, domestically and globally, to assist companies onsite when a major incident or attack does happen.
“If … a private sector company is about to get hit by a ransomware attack or by any other type of intrusion, we want to get out there immediately and let that victim know how they can best mitigate that attack,” said Scott. “We only can do that if we have the relationship built, and the better we do that ahead of time, the stronger those relationships are.”
As a success story, Scott discussed how the agencies worked as a team and shared information to take down the HIVE ransomware group. Hive was a ransomware variant that was a threat worldwide. In July 2022, the team gained persistent access to Hive’s control panel, which enabled the team to get the decryption key. Having that, the team was able to reach out and provide assistance to victims as they were being victimized by Hive. They responded to 1,500 victims in 48 states and 88 countries, preventing an estimated loss of $130 million to victims.
The FBI had always estimated that only 20% to 25% of cyber victims report a cyber incident. As a result of the team’s interaction with Hive victims, the FBI was able to substantiate that percentage.
Complaint Statistics
The FBI’s Internet Crime Complaint Center (IC3) collects reports of internet crime and assists victims in freezing money involved in cybercrime. In 2022, the IC3 received a total of 870 complaints of ransomware attacks, with the largest number of reports coming from the healthcare and critical manufacturing industries. The government facilities industry came in third, and Scott attributed this ranking to the targeting of schools, which is a trend he expects will continue.
Ransomware is the main threat concern in cybersecurity, but business email compromise (BEC) ranks a close second. The IC3 received 21,832 BEC complaints in 2022, amounting to adjusted losses over $2.7 million. In total, over the past five years, more than 3.26 million total complaints have been reported to the IC3. For 2021-22, the total number of complaints decreased slightly, but the total volume of losses increased significantly.
The IC3 uses its recovery asset team (RAT) to protect victims of cyberattack 24/7. The team functions as a liaison between law enforcement and financial institutions to stop illegal transfers of funds that occur due to cyberattacks such as BEC. The RAT team has a 73% success rate with 2,838 incidences, according to Scott. As much as $590 million in losses have been reported, and the RAT team has frozen $433 million of those funds to date.
Scott and all members of the panel encouraged victimized companies — of every size and in all industries — to report cyber events to the IC3, as well as to their cyber insurance carriers and cybersecurity providers.
“Our goal is not to come in and take over,” explained Scott. “Our goal is to provide victim assistance in whatever way that victim needs it.”
Insurance Claims
Today, companies across the market spectrum are carrying cyber insurance and making claims, and Mark Greisiger presented research from the NetDiligence 2022 Cyber Claims Study to illustrate the breadth and depth of the threats. The study showed the top two causes of loss for all companies were ransomware at 29% and BEC at 15%. The study also showed that the professional services industry had the largest volume of claims at 20%, with the healthcare industry close behind at 18%. On average, in 2021, large companies had claims of $8.5 million per incident, and small and medium-size enterprises (SMEs) had claims of $198,000 per incident.
“Most of the insurance industry is seeing SMEs ($100 million companies) having losses every day,” said Greisiger. He emphasized that business interruption has substantially added to total losses. The NetDiligence study showed that the average business interruption cost for an SME jumped to $707,000 in 2021, more than double the cost in prior years.
“The smaller the organization, the more impactful that [business interruption] can be simply because they don’t have the resilience capability built in or even the people capabilities to support some of those types of short-term impacts,” said Greisiger.
Max Henderson agreed and added to the list of possibilities for the increase. “There are a lot of reasons these numbers are driven up,” Henderson said. He attributed the losses to “things as simple as having a flat network or having simple patch management or perhaps buying a tool but not having anybody monitoring it.”
The panel also discussed how the human element impacts the cause of loss, particularly in BEC exploits, and how education and employee training are key to managing cyber risk. In closing, the panel offered several resources available for cybersecurity victims.
Conclusion
Bad actors are working to infiltrate the networks of companies worldwide, but law enforcement agencies, cyber insurance carriers, and cybersecurity providers are working to prevent them from achieving success. You can reach out to the IC3, your insurance carrier, or a cybersecurity provider if you are experiencing a cyber threat or are a victim of a cybercrime. Listen to the full webinar to find out more.
The post Experts Discuss Cyber Risk, From Law Enforcement to Insurance Claims appeared first on Pondurance.