Fourteen seconds. That was the prediction in 2017 on how often a business would endure a cyberattack by 2019. By October 2019, however, the actual figure was much worse. Every ten seconds, cyber thieves are trying to gain access to a business’s systems.

If 2019 proved anything, it was that hackers are becoming much more cunning in both their methods and their targets. The amount of money lost to cybercrime in 2019: $2 trillion. By 2024, losses are expected to top $5 trillion.

That number could increase, particularly since cybercriminals frequently change how they attack. For companies trying to stay ahead of hackers, it becomes a struggle to eliminate one vulnerability as another is evolving.

Yet often, the method by which hackers breach systems is a common one. In fact, phishing via email or social media continues to top the list of how hackers are getting in. Phishing attacks make up 90 percent of data breaches, and phishing attempts have increased 65 percent in just the last year (2018-2019).

The problems are only increasing. In 2018, reports of credential compromise increased 70 percent over 2017, a 280-percent increase from 2016.

Still, knowing how hackers are getting in – and who they’re targeting – can go a long way to putting preventative measures in place. Let’s consider the three key trends in cybercrime that have dominated the conversation in 2019.

1. Ransomware
In 2019, ransomware grew in scope and frequency, signaling that this is the preferred method of attack for many cybercriminals. Ransomware attacks are growing at a rate of 350 percent each year. The reason: these attacks are easier for hackers to deploy and net higher payouts. They simply access the system, lock out users, and demand ransom to restore systems and files.

Yet even this method continues to evolve. Hackers, looking for the ultimate payout for their efforts, are now targeting companies that house the data or online access of multiple organizations. Vendors used by many companies, such as a payment processor, are a prime target, as hacking into one system could net attackers access to hundreds or even thousands of customer systems.

By all accounts, ransomware is expected to continue its exponential growth as a preferred method for cybercriminals. The top causes of ransomware to date are careless employees (51 percent), ineffective antivirus protection (45 percent), and outdated or unpatched software or security (26 percent).

Fortunately, these causes can be addressed effectively by most companies. Training employees on how to spot and handle fraudulent emails or phone calls requesting proprietary information can significantly reduce the risk of employee error. A clear process for reporting suspected activity should be part of a company’s overall risk reduction strategy.

Likewise, IT departments should be conducting regular updates of all software and security applications, as well as ensuring that current antivirus programs are able to respond to new threats as they emerge.

2. Public Entities Targeted
In 2016, there were 46 publicly reported ransomware attacks on state and local governments. By 2018, that number had risen to 53 incidents. By early 2019, there were already 21 attacks on the books. While that number is disturbing, reports say the true total is much higher as many state and local governments are unwilling to publicly acknowledge cyberattacks.

Many high-profile ransomware attacks are helping to shed light on the risks that municipalities and government entities face. In May 2019, the city of Baltimore was hit with its second ransomware attack in just 14 months. The 2019 attack cost the city over $18 million. The original ransom demand, which the city refused to pay, was $76,000. The first cyberattack hit the city’s 911 emergency system and caused a limited disruption.

Small entities are not immune to attack. The town of Wilmer, Texas was hit with a ransomware attack in August 2019, an attack that shut down the entire network – from the police department to the library – in a town of just under 5,000 residents. And location is equally irrelevant to cyber thieves – from Johannesburg, South Africa with over 5.6 million residents to the northernmost, sparsely populated Nunavut province in Canada, hackers are looking for easy prey.

To thwart cybercriminals, public entities, which typically have little to no cybersecurity budget, can still use some of the same preventative strategies mentioned previously: educate employees on proper response and reporting, update systems and applications regularly, and make sure antivirus protection is up-to-date and scalable to handle new threats.

3. Biometrics
Facial recognition. Fingerprint scanning. Retina scans. Today’s identification tool is also a hotbed of exposure, both from hackers and litigants.

Some states are setting up protections. Illinois is one of them, having enacted the Biometric Information Privacy Act, 740 ILCS 14/1, et seq. ("BIPA") to regulate companies that collect and store Illinois citizens' biometrics, such as fingerprints. The BIPA establishes standards for how employers must handle Illinois employees' biometric identifiers and biometric information, and ultimately mandates that reasonable safeguards are put in place.

In a 2018 case, a teenager visiting an Illinois Six Flags amusement park became central in a case involving what companies can and cannot do with biometric data they collect. The teenager was fingerprinted as part of the process of purchasing a season pass. The attempt to verify the identity of the purchaser resulted in a successful lawsuit in which the company was cited for having violated the state’s biometric privacy laws that require notice and consent, even without the need to show harm.

More recently, a logistics company that provides operations and management services to senior living communities throughout the US, including facilities in Illinois, found itself in the middle of a BIPA violation claim. The company uses a biometric time tracking system that requires employees to use their fingerprints as a means of authentication, rather than key fobs or identification cards. Employees are required to have their fingerprint scanned to enroll in the database. The plaintiff, on behalf of the class, alleged that the company did not comply with BIPA in connection with its collection and use of the fingerprints. An early settlement in this case was reached; however, total defense costs plus the settlement on a class basis totaled approximately $600,000.

In any case in which biometric data is collected and/or stored, companies should operate with transparency. Clearly disclosing the practice and obtaining written consent protects both the company and the owner of the biometric data. Also, companies should include how the data will be used and stored in any disclosure and consent process.

Halting hackers at the door
Cyber risks are evolving in both scope and form. From ransomware attacks to biometric exposures, cyber liabilities are being reshaped. For your company to stay ahead, you should be partnering with an experienced insurer that has a team of experts who can help with both prevention strategies and incident response.

Whether it is ransomware threats or the exposures stemming from using biometrics, your company should be reviewing systems and policies to ensure that both system preparedness and compliance with privacy laws are adequate. Also, know how your carrier will respond, and what your responsibilities are in the event of a breach or a violation of privacy regulations. Your carrier can help you build a sound plan and deliver an insurance package that fits your risk exposure.

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.
