Until July 2, many cybersecurity experts knew little about Kaseya, a privately owned provider of IT management software services. That is the scariest thing about the hack of one of the firm’s software packages, which enabled thieves to encrypt the data of as many as 1,500 companies and demand $70 million in ransom to date.
This cyberattack marks a fresh and dramatic escalation of the threat that ransomware poses to organizations around the world. It follows on the heels of recent hacks of a leading meat processor, a major provider of email services, and network management supplier SolarWinds. And importantly, it widens the threat aperture to small and medium-sized companies – including a Swedish grocery chain that was forced to close – that are the main market for Kaseya’s software.
These growing attacks underscore the urgent need for companies and governments to collaborate in the fight against ransomware criminals. This involves sharing information about threats and software vulnerabilities and developing incident-response plans. The Federal Bureau of Investigation and the US Cybersecurity and Infrastructure Security Agency have been working with Kaseya to respond to the attack and reach out to affected victims.
Insurance Industry Challenge
The surge in ransomware also poses a challenge for insurers. Ransomware attacks grew by 485 percent last year, and more companies are buying cyber insurance. The percentage of Marsh’s US clients with coverage more than doubled to 47 percent in the past five years.
This environment has diminished the profitability of the cyber insurance market. The sector has reacted by demanding more underwriting information from clients and, at times, limiting coverage and increasing rates for businesses in challenged industries or with inadequate controls. Further compounding the issue, it has been asserted that cyber insurance may increase the propensity of companies to pay off hackers as that can enable a quicker recovery and minimize the business interruption that a loss of data would entail.
These challenges will only increase. Companies rely on an ever-growing network of technology service companies, a trend that has intensified with a pronounced shift to digital services during the pandemic. Software vendors in turn depend on their own supply chains of companies, component suppliers, infrastructure services, and other so-called fourth parties. The resulting digital ecosystems are typically nonlinear, often highly interdependent, fluid, and relatively opaque.
For businesses, this creates challenges for resiliency and disaster recovery preparedness. For insurers, the lack of supply chain transparency makes it difficult to assess their aggregate exposure. They struggle to consistently track who their customers are reliant upon and to determine the full financial impact of a major cyber event, which can affect thousands of seemingly unconnected organizations.
At Kaseya, for instance, only about 50 customers were affected by the attack on its software for the remote management of servers and personal computers on IT networks, CEO Fred Voccola told clients in an online video. But many customers are managed service providers that deliver those services to small and medium-sized companies, and as many as 1,500 of those companies were impacted by the ransomware.
Ransomware thieves are increasingly targeting these networked vulnerabilities. Why hack one company, hospital, or local government when you can reach thousands through a piece of widely distributed software? Tools for carrying out such attacks, which once were the province mainly of big power intelligence services, are now readily available to criminals on the dark web.
Insurers Can Drive Better Cyber Hygiene and Risk Management
In the face of this escalating threat, insurers have a big role to play beyond risk transfer by promoting strong cybersecurity practices and culture across the private and public sectors. In addition to responding to events, they must continue to adopt a more-preventive posture by working with clients to increase awareness of the threat posed by ransomware and other attacks, and prodding them to encourage safer cyber hygiene by staff and better risk management across the organization.
Since interests are aligned, companies and insurers also should collaborate more closely with government authorities to help combat ransomware. The latest incident should spur the implementation of Biden’s recent Executive Order that aims to use the US government’s buying power to drive safer cyber practices across the economy. And if ransomware continues to increase and insurance becomes harder or too costly to obtain, pressure may grow for some kind of federal backstop for cyber risk transfer, akin to the government’s flood insurance program for business and homeowners.
If there’s a silver lining to the recent spate of attacks, it’s that they are exposing the scale of the threat for all to see, and act upon. Whereas companies used to be reluctant to disclose attacks, Kaseya was quick to acknowledge this one, and Voccola welcomed offers of help from competitors and the government. “We all have to step back and realize this is the world we live in,” he told clients in the video.