The Fight Against Cyber Crime – from Prevention to Prosecution
October 6, 2021 | Webinar
In this episode of the Wednesdays with Woodward® webinar series, we dove into the fight against cybercrime and efforts to enhance cybersecurity across the public and private sectors. We heard from the front lines of the battle as federal cybercrime prosecutor Edward Chang, Assistant U.S. Attorney for the U.S. Department of Justice’s Connecticut District Office, told us about law enforcement efforts to investigate and prosecute cybercriminals. Jeff Klenk, Executive Vice President and President, Bond & Specialty Insurance at Travelers, explained how cyber insurers, in partnership with insurance agents and brokers, are handling the latest cybersecurity losses and advising clients on risk management practices.
This session came on the heels of a White House cybersecurity summit where Travelers CEO Alan Schnitzer joined leaders from business, government and education to discuss what the White House called “the whole-of-nation effort needed to address cybersecurity threats” and the key role that the insurance industry plays in strengthening America’s cybersecurity. The gathering, discussed by Klenk in this program, demonstrated the synergies and common goals between sectors that will be critical to reducing cybercrime.
Good afternoon, everyone. And thank you for joining us today. My name is Joan Woodward, and I'm honored to lead the Travelers Institute, which is the public policy and educational arm of Travelers. Welcome to Wednesdays with Woodward, a webinar series that we developed last year to convene leading experts for conversations about today's biggest challenges.
As always, we'd love for you to be part of this conversation with us today. Cybersecurity, the hottest topic out there for businesses. So please submit your questions to the Q&A feature at the bottom of your screen. We're going to get to as many as we can. But don't wait till the end of the session, so put those in the Q&A feature as soon as you think of them.
We have a really great lineup of fall programming beyond the cyber event today. So be sure to stay in touch with us. We put this in the chat feature. And so go there, join our mailing list. We have just a ton of webinars of really, really interesting folks we're going to bring to you, or you can connect with me directly on LinkedIn. There's the link right there in the chat feature.
We also have a survey about today's program. If you just take a few seconds to fill that out towards the end of the program-- it's in the chat feature-- we'd really appreciate it. So before we get started, I'd like to share the disclaimer about today's program with you. You don't have to read it all, but there it is. As always, we're thrilled to be joined by our partners today.
We have a number of partners, the Risk and Uncertainty Management Center at the University of South Carolina, Darla Moore School for Business, the American Property Casualty Insurance Association, the University of Connecticut Business School and Master's in Financial Technology program. The Metro Hartford Alliance is a partner today, and the Connecticut Business and Industry Association.
So a huge thanks for all your collaboration with our partners and a special welcome to the members joining us today. So let's get started, folks. Picture this. A colleague opens her laptop, finds a [AUDIO OUT] flashing on her computer at 8 o'clock in the morning. She just sat down. The company's computer network has been locked.
Your data is encrypted by criminal hackers who are now demanding ransom, payable, of course, in cryptocurrency. Pay them the millions they are demanding, and you'll get the keys to unlock your systems, maybe. Don't pay them, and your business could be shut down. Either way, your company's reputation is immediately at risk. And it could take weeks or months before you're back in business.
This is the nightmare scenario that businesses are facing today, and we see it every day at Travelers. That's why we are all about education. And today's program is no different. The threat is real, and the businesses are really shuttered by these events. In fact, our latest Travelers Risk Index, released just this week, found that cyber risk is the number one concern across all company sizes.
Yet according to our survey, despite these heightened concerns, many businesses admit that they have not implemented basic preventative measures that are critical to protecting their data and their assets. So we've seen recently how just with a stolen password, criminal activities can threaten our critical infrastructure, like our energy grid or energy network or food supply. This is not good.
This is an all hands, all industries, all sectors on deck moment. The insurance industry really does play a critical role strengthening our cybersecurity through these risk management techniques that we know for so many years. That's why just a few weeks ago, President Biden invited our CEO Alan Schnitzer to join other tech CEOs of all the big tech companies for a summit to address these threats at the White House.
So when Alan sat down with President Biden and other tech CEOs, it was really a moment, we think, a pivotal moment in terms of educating our customer base, our agent, our brokers. And so we launched these webinar series to do just that. Alan also announced that Travelers, with our deep bench of experience, will be working with the National Institute for Science and Technology or NIST to help companies and government agencies build this security technology.
So what can we do to prepare our systems? How can we mitigate risk and prevent these attacks when it happens? Who goes after these criminals? Lucky for us, we have two experts today to help us explore these issues and just in time for Cybersecurity Awareness Month. So without any further ado, a big welcome to Eddie Chang.
Eddie Chang is the Assistant US Attorney for the District of Connecticut at the US Department of Justice. And he's a federal computer crimes prosecutor. In 2021, Eddie prosecuted members of the Crypt4U group, which helps cyber criminals modify malicious software to avoid detection by antivirus software. I'm really proud to say that Eddie is a former colleague of ours from 2016 to 2020.
He led the Travelers Risk Control Practice, where he was involved in underwriting, risk control, CAT analysis for the company's cyber insurance products. Prior to that, Eddie worked as a prosecutor in Connecticut and the Southern District of New York, where he received the Distinguished Service Award from the Attorney General Eric Holder for his work in prosecuting cyber criminals.
Thank you, Eddie, for being here. Also joining me today is my colleague Jeff Klenk, Executive Vice President and President of Bond and Specialty Insurance here at Travelers. Jeff plays a key role in the recent White House meetings with Alan. Jeff manages our Travelers worldwide surety and management liability offerings, which includes cyber insurance.
Prior to that, he was responsible for management liability businesses here. And with that, I'm really pleased to turn over the podium and the stage to a US Assistant Attorney General Eddie Chang. Eddie, thank you for being here.
Thank you, Joan. It's a pleasure to be here. Thank you for inviting me. Thank you to the Travelers Institute and to all the other great sponsors of this event. Having the government and the business community come together to work on this problem is a really important goal, I think, that we're all trying to work towards. And so this event is one important step in that direction.
So for the few minutes that I have to start off with opening comments, what I'd like to do is to kind of go over the past six months or 12 months what I think are some of the really exciting developments in the work that's being done by the US Department of Justice, by the FBI, and by the rest of the government in trying to tackle cybercrime and ransomware in particular.
And it's really just a very quick survey of everything that's going on. I'm going to try to explain what has been happening as well as why, in my opinion, I think it's really exciting and interesting and what to take away from it. And we're going to start with basically four big pillars of organizing the work that's being done. The prosecution, which we all know the government is doing, the FBI, the federal prosecutors work on.
The disruption activities, which I think are really interesting, the things that the US government is doing to try to help protect companies. And then finally, collaborative efforts that are ongoing. So we'll start with prosecution. Of course, as a prosecutor, that's where I've got to start. And really, there's been a lot of progress that's being made in this space in going after the bad guys.
I'll start with the case that Joan mentioned, which is the Crypt4U prosecution that was done out of the District of Connecticut. So what is crypting? Crypting is the answer to the question that I think a lot of people have, which is-- and a lot of your clients or your business customers may have, which is, well, I have antivirus software on my computers. Isn't that good enough? Aren't I safe?
And the answer to that is no because criminal groups are out there, obviously, trying to defeat all these security mechanisms that companies are using, including antivirus. And crypting is one of the technologies that criminals use to basically encrypt their viruses and their malware. So the Crypt4U prosecution was an offshoot of a case that I would say started back in 2012.
And we prosecuted two individuals, one, a Russian national that was arrested in California when he was transiting through and another, an Estonian national who was extradited from Estonia for running a crypting service. And I think the great message there is as I said, this is a case that started in 2012 basically. Goes way back then when we started investigating a botnet called Kelihos.
And over the past nine years, the investigation has continued during the time that I was away from the US, away from the government, went back to the government. And we're finally prosecuting these individuals and bringing them to justice. So I think it's important that the cybercriminals are getting the message that, hey, if they engage in this type of crime, they're putting many years of their lives at risk.
And they're going to have to be hiding for many years, which is why I like the case, not just the fact that I was involved in it. The second one is this couple of-- sorry, but going back to the first slide, the Kolpakov case. Again, these cases, other than the Crypt4U case were not mine. I don't want to be taking credit for them but to give you a highlight of what the Department of Justice is doing.
Kolpakov is a great case with actual-- like going after the hackers who are out there getting into the computer networks. What they were doing is this group of four defendants and others that haven't yet been apprehended, they were getting into the payment system information. So they would break into restaurant chains, other large companies and steal payment card information.
And they were selling that on the dark web. I think that if any of you were involved in cybersecurity, cyber insurance industry back a few years ago, you'll know that all the PCI data, the Payment Card Information, all those breaches, this is one of the big groups that was involved in all of that. Kolpakov was just sentenced earlier this summer. He received seven years as his jail term.
And during the sentencing proceedings, he was reportedly responsible for approximately a billion dollars in losses to the companies that were breached. So really significant case. Those defendants, interestingly, were extradited from all around the world-- Germany, Poland. Kolpakov was arrested in Spain. And one of the defendants was from Thailand.
The third case I have on this slide is US v. Harmon. And one of the interesting things about that case is we often tend to think about these sophisticated cyber criminals as being outside the United States, operating in Eastern Europe or other places, China or Russia, things like that. So the Harmon case was a defendant in Ohio, actually. And what he was doing is he was running what's known as a Bitcoin mixer.
So I'll get into that a little bit. Bitcoin, I think we all know by now, that's the cryptocurrency. And the idea with Bitcoin is not that it can't be traced, because it can be traced, but that it's anonymous. So what the criminals do to try to get around the fact that it can be traced is they run the Bitcoin through like a tumbler or a mixer and try to disguise the Bitcoin where it's coming from.
And then they move on with it. And obviously, for those of you who know anything about criminal law, what that's known as is money laundering, right? So there was this individual in Ohio. He was running what essentially amounts to a money laundering service that was being used very heavily by one of the largest darknet forums that is used by criminals, AlphaBay.
And so I think it's a great exciting case. The message there, obviously, is that, hey, it's not just the bad guys around the world that we're going after. If they happen to be in the United States and committing these types of crimes, they'll be prosecuted as well. The other message, I think, that's really important is that the government is not just focusing on hackers.
It's not just the people like the Kolpakovs and the FIN7 group that are being targeted but people that are providing the support services, like the Bitcoin mixing services with a Crypt4U crypting services. That's the focus of the investigative and prosecutorial activity. So the next big area that I think the Department is involved in-- and I think this is really exciting-- is disruption activities.
So basically, taking away the tools and the infrastructures and the profits that the cybercriminals are using and hoping to gain from what they're doing. First big case-- and I'm sure a lot of you have heard about it-- is the takedown of a botnet called Emotet. So very quickly, a botnet is basically a very large network of compromised computers that are being used for illegal purposes. And there are many botnets out there.
They're used for a lot of different crimes. Emotet, in particular, was connected very closely to a form of ransomware known as Ryuk, R-Y-U-K. And if you've been in the cyber insurance industry for a while, you're probably very familiar with the idea that Ryuk was responsible for a lot of damage. And it's continuing to be responsible for a lot of damage to businesses around the country. So the takedown took place earlier this year.
And the really exciting thing about this takedown is not only did the government cooperate with nine different countries-- eight or nine different countries, nine, including the United States-- in taking down this worldwide infrastructure of servers and all the other computers that are used to run the Emotet botnet, but they took the aggressive step of actually using the Emotet botnet to clean infected computers.
So if your computers in the United States were infected by Emotet, then foreign law enforcement and the FBI collaborated to use the Emotet botnet to basically clean Emotet off the infected computer. Amazing stuff, right? If you think about it, it's just something that we were actually working on a number of years ago.
But making sure that that can happen in a way that's legally sound, approved by a court, and safe for everybody involved is just an amazing thing for the government and for us to be able to do to protect society from cybercriminals. There's going to be another example of that further down the road as well. But it's a big step to be able to take the attackers' weapons and use it against them, if you will, to wipe out their botnet.
On the second bullet that I have on this slide is the Colonial Pipeline case. And this made all the headlines. So I'm guessing I'm telling you something that you already know. But very briefly, Colonial Pipeline was a victim of ransomware by the DarkSide group. And they paid approximately 75 Bitcoin in ransom.
About a month later, the US government was able to seize a pretty large portion of that ransom payment and forfeit it and basically, take it back from criminals, which, again, thinking in terms of being outside the box, not just going for traditional investigate and prosecute, being able to reach out into their wallets and take back the lands and proceeds is new and amazing and something that is really exciting.
And I think one question that comes up when people talk about this particular case is how repeatable is this. Is this something that can be done frequently to other ransomware payments? And I think the answer to that is it remains to be seen. There isn't any public information yet about how the government obtained the keys to seize back that ransomware payment.
So we don't yet know exactly whether that's going to be repeatable. We do know that there have been other cases where the government has seized illegal Bitcoin proceeds. And so it's certainly a tool that is in the law enforcement toolbox that I think we'll be trying to take advantage of more in the future. The third case I have up here is something that just happened last month.
It involved the Suex cryptocurrency exchange. And what the government did here, Suex was a cryptocurrency exchange that even though it wasn't actually registered or officially located in Russia, had very close ties to Russia. And from all indications, it appears to have been operating from Russia.
And what the government did through the US Treasury Department now, not necessarily Department of Justice-- although, I'm sure Justice was involved-- was to list Suex as an OFAC, Office of Foreign Asset Control, or OFAC-controlled entity so that it's illegal to do business with Suex or with any of the cryptocurrency addresses that were controlled by Suex. So this is, again, the first time that a cryptocurrency exchange has been listed as an OFAC-prohibited partner.
And I think it also is really exciting because it shows, again, this out-of-the-box thinking that the government is taking. We're not just going after these criminals as if they are run-of-the-mill, generic criminals that you think the government prosecutes on a daily basis but really, taking all the possible tools that are out there to apply pressure to cybercriminals and to really reduce the ransomware problem that is so endemic nowadays.
The other big thing that Treasury did-- and I think that people in the field might be aware of, of course-- is they issued an advisory guidance on reporting of ransomware payments. And this is an important aspect if you were working with businesses that might potentially be hit with ransomware, if you are an insurance agent or broker who might have to advise your client, for example.
Because this advisory guidance from Treasury basically suggests that if a business pays a ransom, they can substantially protect themselves from an OFAC violation by reporting that ransom payment to law enforcement. So it's a very controversial question, honestly, about whether businesses should and should not report ransomware payments.
Certainly, from the business's perspective, businesses want to keep the fact they've been hit confidential. From the law enforcement perspective, I would say that law enforcement does do everything possible to try to keep that information confidential. This is a step towards trying to encourage greater reporting of ransomware payments.
It's another sign of the whole-of-government approach to trying to combat the ransomware problem. So that's where things are on disruption. Let's talk about next slide, protection. So the first bullet that I've got here on protection is an exciting operation that was done by-- and I say exciting perhaps too often because I'm easily excited by novel, cyber criminal interdiction activities.
But Microsoft Exchange Server operation, if you haven't read about it in the news, earlier this year, I think in April-- well, in March actually. It was announced that there was a very significant vulnerability in the Microsoft Exchange Server. Microsoft Exchange is the email system that is used by so many companies around the country and around the world.
And so the fact that there's a vulnerability in the Microsoft Exchange Server software is a huge problem. So what happened was Microsoft and a lot of industry groups tried to get companies to clean up their Microsoft Exchange Servers. And most companies comply. Most companies were able to do that and kick the bad guys off their networks.
But even after all that and even after the DHS, Department of Homeland Security, and FBI issued an advisory notice, warning people about this vulnerability, still there were hundreds of companies around the country that still were not just showing that they were vulnerable but were showing that they had actually been compromised, that the bad guys were actually on their network as a result of this Microsoft Exchange Server vulnerability.
So the operation out of the Southern District of Texas was for the government, with court authorization, to go in and clean off the Microsoft Exchange Server web shells that the bad guys were using to access those servers. Really, really exciting that the government was able to take that step. Again, to be honest, I think there are differences of opinion about how far the government should go when that kind of authority should be exercised.
And I can certainly understand that. But the fact that tool is available for the government to use in really critical dangerous situations, I think, is a big step forward in terms of where we are in protecting the community against cyber criminals. Second to all this, very quickly, Infragard and iGuardian.
In terms of protection, iGuardian and Infragard, those are the ways that the FBI provides for companies to work with the FBI in terms of its cyber protection role. So Infragard, for those of you who aren't part of it, is a critical infrastructure protection group that companies can join.
And I say that, but I've got to caveat it because critical infrastructure, for those of you who are thinking, oh, that's just the fin sector or energy sector, transportation sector. It's really broadly defined. Financial services, broadly, is part of critical infrastructure as well as a total of 16 sectors. So probably, most of you as well as many of your clients could be part of Infragard.
You could be part of the iGuardian reporting tool for cyber incident reporting. The third recent development in terms of trying to help the business community protect itself, I would say, is there's a new website out there called stopransomware.gov. It's not ransomware.gov. I think it's interesting. There's a lot of portals out there, obviously.
You can Google ransomware, you'll get a ton of information out there. I like stopransomware.gov because they are actually in the process of crowdsourcing what are bad ransomware practices. In other words, they are in the process of putting together a list of what companies should not be doing, things that they need to watch out for in terms of vulnerabilities and difficulties.
And they've crowdsourced that. So right now, you can actually go to stopransomware.gov, and the link is bad practices. And you can join that crowdsourcing effort, contribute your thoughts about what mistakes companies might be making that make them vulnerable to ransomware. And literally, any individual on this call can contribute to the effort.
The other thing I like about stopransomware.gov is that it gives you access to a very easy way to report, being a victim of ransomware. There's a reporting tab. And so if one of your clients or if your company unfortunately gets hit with ransomware, you can certainly go to stopransomware.gov to report it.
The fourth big area, I think, of activity that I want to touch on is collaboration efforts by the government with the private sector and by the government among other government entities. There's a new Department of Justice Ransomware and Digital Extortion Task Force. So there's a lot of task forces out there.
But the fact that DOJ is putting together this task force, specifically targeting ransomware and digital extortion and they're doing it in a very broad way-- they're not just saying, we're going after the Ryuk ransomware guys or the whatever name your flavor of ransomware. They've very broadly defined the focus of this task force as ransomware and everything that supports the ransomware ecosystem.
So that includes, for example, the crypting services that were the target of the Crypt4U prosecution. It includes the Bitcoin and cryptocurrency laundering services that I mentioned earlier, like Helix. It includes things like bulletproof hosting, the services that are allowing ransomware actors to host their ransomware servers, in a way that law enforcement can't take them down.
So it's really a very broad based approach to coordinate the government's efforts against ransomware. And it really shows how much emphasis the Department of Justice is putting on stopping this problem. The second bullet is the Cyber Information Sharing and Collaboration Program. One of the concerns that we often hear about from the business sector is that the information sharing is too much one directional.
The CISCP program, which is run by Department of Homeland Security, is that other direction. It's a big part of that other direction. It's where the government is actually sharing back out indicators of cybersecurity risks and vulnerabilities that businesses need to be aware of. So if your business doesn't already have a source of cyber intelligence, this is a great free source for getting that kind of information and using it as part of your protective effort.
And the third effort that I want to highlight, really, is the local FBI cybercrime outreach effort. And it's important for everybody on this call to realize that wherever you are in this country, no matter how big or small a town you're in, there is an FBI cybercrime squad assigned to your area. And part of what they are actually judged by, for their annual reviews and metrics, is how effective their outreach program is.
So I know of many cases where groups of people, whether it's an insurance agency or whatever, bringing together its clients or some local Better Business Bureau organization puts together some kind of a program. And they invite somebody from the FBI to come and give a presentation. And I think that the local FBI offices will be very receptive to you reaching out to them to get them involved in a presentation like that.
The other really important thing to know about the local FBI cybercrime squad is if you work with businesses or you have a business where you are potentially at risk for a cyber event, which would pretty much be everybody with a business, it's really good to know who to call with an issue, if something were to happen to your business.
Being able to report very quickly is the best first step to being able to get law enforcement to help stop a crime in progress. And that includes in the cyber area. And I think that local cybercrime squads are very willing to at least reach out to have that phone call with you so that you can know who is the supervisor of the local FBI cybercrime squad.
And you can have that in your Rolodex. So if you or your client needs to make that call, you'll have that handy. So in terms of collaboration, those are the three kind of top-of-mind things. Now, I was also asked to suggest some resources for businesses to learn more about this stuff to improve their cyber security. A lot of resources out there.
Like I said, you could Google and spend weeks on end reading about this. The first and foremost recommendation I would make for a business that wants to improve its cybersecurity is to review the incident response plan. Ask the IT team, ask your third-party service provider about the incident response planning, and hopefully, there is one.
And that incident response plan should include a lot of information, including who to call, the attorneys that you would call, your insurance carrier, your insurance broker or agent, all that contact information that you're going to need when something happens. And if the business, if your business or the business you're working with doesn't have an incident response plan, well, that's the first place to start in terms of preparing something.
Other resources to be aware of, I think, first and foremost, the Internet Crime Complaint Center, IC3.gov. They are a first-stop resource for reporting crime. You can report ransom there as well. You can report other types of crime there, such as business email compromise events. The third resource that I've put up here for you to consider is the CISA website, Cyber Infrastructure Security Agency, I think, something like that.
But they have a great source of-- they have great subscriptions, alerts, and bulletins that you can sign up for. And they're not overly technical. There's four or five different levels of alerts that you can subscribe to. And even if you're not deep into the weeds of cybersecurity, you might find it interesting to get reporting of, oh, hey, you know, Blackberries are-- actually, Blackberries, for whatever reason, are a recent report which is why it's top of my mind.
But apparently, people are still using attacking Blackberries. But if there were an attack on iPhone iOS 13, for example, that's the kind of thing that would be reported in some of these bulletins. So you can pick the right level of reporting that's of interest to you and stay up to speed with what's going on in the cyber crime and cybersecurity world. With that, let me turn it over to Jeff. I hope I didn't take up too much time. Jeff, all you.
If anybody didn't know that Eddie was a smart and well-connected person before, you know it now. And one of the things that I would love for you to take away from what Eddie talked about is how the government really is trying to do more things to combat this problem. And we'll spend a little time talking about over the next five or 10 minutes. I thought it might be helpful to everyone to just talk about insurance for a second.
And while these statistics go through 2020 and they are domestic US statutory, written premium and there's more premium internationally and there's E&S, there's a lot of different ways to look at this. I think, there's two good takeaways on this slide. Number one, you can see the continued growth in the marketplace. And I think that's steady.
I think you've seen it happening for a long period of time. And it is begging the next question of where is it going in the future. And I wouldn't answer that question even if I wanted to for a host of reasons. But there are lots of predictions out there that you can read and find yourself, that say, this could quadruple or quintuple in X period of time.
I think when you look at the 2021 results so far, what's likely to be reported on the next part of the right, you can keep in mind two things. There's a lot more news about breaches and ransom attacks happening. And so buying rates continue to move up. And there's also been a persistent and widely reported on dynamic of price increases.
And so when you add more buyers and price increases to it, you can draw your own conclusions about what those next bars might look like. And so that's a little bit of context for you. Moving on, I think that the next conversation that we should talk about is ransomware. And my partner Eddie talked about it a little bit. And I'm assuming, of the 1,000 plus of you that are on the phone today, you really sort of have a definition for it.
But I'm just going to do 5 seconds. Think of a threat actor using malware or in some way, getting into a system and taking control of it and holding that customer, that business, extort them for ransom. And so how can that happen? And I'm not going to spend a lot of time on that. Maybe an employee clicks on the wrong thing in an email that they shouldn't, and it exposes a vulnerability.
Maybe that company or the software that they happen to deploy for their company hadn't updated security patches regularly, and it left them exposed. Maybe there were other vendors that they did business with that led them to having some type of exposure, and ultimately their system was exposed, hacked, and they lost control of it.
As is reported there in the middle of that page, those ransomware attacks are happening right now about every 11 seconds somewhere. I've seen and we've got some exhibits, I didn't put it up today, about how that has accelerated. And it's gotten to this point now, and it's continuing to move exponentially as we move forward.
I think that with all of the examples-- and there are more-- of the way that systems can be vulnerable for the threat actors to get in there really puts the emphasis on something. That vigilance, relative to cybersecurity, is critical. So that when we talk about this for the next few minutes and you have a takeaway, there is no getting around that vigilance relative to cybersecurity.
And Eddie talked about having a response plan and resiliency, so you can get your systems back up and running. The best offense here is to have a really as strong a defense as you can. But we'll talk in a few minutes that no one is really invulnerable to this issue. Cyber is the number one risk management concern across all businesses, as Joan reported earlier according to the Travelers Risk Index.
And that's a broad based survey that Travelers does to really find out how risk managers at companies of all shapes and sizes are feeling about their risk profile and what they're doing about those risks. Cyber had already fallen-- had already been, number one, it fell off the page a little bit during the pandemic, and it's back to number one again. Why is that?
Well, makes sense, right? Eddie talked about pipelines, hospitals, Fortune 100s. There was a question in the chat that I noticed a minute ago. Are small businesses having this problem? Every single day. In our own claim activity, I can tell you that constantly, small businesses are suffering these same types of exposures. Government agencies report having this problem.
And so when we talk about it, there's nobody, there's no organization that is immune from this exposure. And so it's important to remember that that's what's going on. This is the reality we live in right now. And so moving on, that leads us to how is it possible that an insurance executive or an insurance company gets invited to the White House?
I've been in the insurance business for about 30 years now. That was noteworthy to me. It was wonderful that we were asked to participate in the meeting with President Biden and his administration. My youngest son still thinks I have a personal relationship with President Biden, and I have not chosen to remove that expectation from him.
This is just as close to cool as I get as a member of the insurance community. But essentially, the President pulled together many different industries and perspectives to get after-- and I love the quote at the bottom that the administration released-- that the President met with private sector and education leaders to discuss the whole-of-nation effort needed to address cybersecurity threats.
You've heard a little bit from Eddie about that, but there's a bunch of other things that need to happen. The technology industry needs to do things. Insurance can add different things to the process. And it really is a broader issue. We often come at these things of as an insurer, what do we want to do in order to address this issue for our policyholders?
But it's also important to have a broader view, a broader perspective, and that collaboration is critical. So what are the types of things-- moving ahead, you can see who was at this meeting. And I touched on this already. Those were some pretty big names. There were about 40 attendees representing several different industries. And what did they discuss?
Well, we prepared for weeks, months, in advance with the administration to frame out that conversation. But on the day, the group really delved into a host of issues, things like hardening security and infrastructure, the role of cryptocurrency and what we might do in order to address related crypto issues, the role of law enforcement, which Eddie spent a lot of time on today.
The importance of education, making sure that people understand what these exposures are and the simple things that they might be able to do, like multifactor authentication or other things in order to protect and harden their own infrastructure. And we talked about data sharing, which is something I'll spend more time on in a few minutes.
Those were some of the key topics, but we certainly discussed more. But there's an understanding among the whole group that real progress is going to take a robust public-private partnership. And then it's not just one lever that's going to be pulled. And so after that meeting-- Ann is part of it, too. But after that meeting, we've really spent some time thinking about what is it that insurance and the insurance industry can do to help affect or change these dynamics.
Well, before I get into the two big takeaways that we're focused on right now, I want to start with insurance is already doing a lot. If you think about claims payment, you think about helping a company spread that risk and make that terrible day when they have the problem manageable and not threaten their survival, that's not a small thing.
In addition to that, the insurers, like Travelers and others, provide preclaim assistance to try and help companies figure out. Like I've seen in the chat, questions about what is a good exchange or a bad exchange? What are the best practices? How do I come up with a resilience plan? Those are services that insurance companies are helping policyholders with before they have a claim.
And on the day that they do have the claim, we're helping appoint breach coaches, forensics experts, other lawyers, and other folks to help them get back up and running. So that's what we're already doing. But taking that broader lens on how are we going to help the broader issue, I think that insurers are uniquely positioned to assist in two other ways or related ways that might be helpful.
First, all insurers currently underwrite. They have guidelines. They have standards that they're implementing before they write an insurance policy for a cyber risk. It is possible that we, as an industry, could encourage better cyber hygiene standards through our underwriting requirements.
And so some level of consistency, some level of minimum thresholds, how can we get best practices out on a broader basis through the actual procurement of the insurance itself? And so that's an opportunity that we're uniquely positioned to help influence. The second is on data. I could tell you from my first conversations with the government on this topic, all the way through to the preparation for and post the White House Summit, they're very interested in data.
And like we all think to ourselves, well, they have the FBI. They have the CIA. The IRS has a lot of information, right? The government knows everything. Insurance companies are actually on the front end with customers on a lot of this in terms of claim, what the demands are, how did the bad guys get into the systems, when does somebody decide to pay a ransom or not, and what are the factors involved in that, and the ultimate dollar resolutions on some of these things.
And so the aggregation of that data and how it can be used to get better outcomes is something that I think the insurance industry is also uniquely positioned to do. And fortunately-- moving to our next topic-- Travelers, more than a year ago, partnered with six others at the time-- and now, we have seven others, for a total of eight founding members of an organization called CyberAcuView.
And the objectives of that organization are on the page right here, and I'll run through them quickly. Aggregation and sharing of high-level cyber data. Knowing that this is a new, unique, accelerating and dynamic exposure, how can we benefit the industry and ultimately our policyholders by making sure that that data on performance in the cyber world is available and usable?
Common definitions and standards around cyber so that when we talk about our results, we're all using the same language. It's another objective of CyberAcuView. Proactive and consistent engagement with regulators, engagement with law enforcement, how do we collaborate to get after systemic risk?
These are all things that we, from an industry perspective, we're already investing in and talking about, which, I think, plug very nicely into what the government is looking for in this whole-of-nation effort that is required. And so with that, I would leave you with there's a lot going on in the cyberspace from an insurance perspective.
There are claim frequencies, severity, variety dynamics that are incredibly dynamic and changing constantly. And we are actively engaged in it as an industry and looking forward to partnering more as we move forward with the government. And with that, I will turn it back over to my partner Joan for some other questions.
Terrific. Jeff and Eddie, thank you so much for that broad overview, especially just hearing, really, the practical advice, Eddie, that you gave. And one of the questions that's come up a lot in the Q&A feature-- and we're just going to hit it real quick because I know you have a quick answer.
How can some of our agents who might want to host these FBI sessions with their educators and informers and awareness sharers, how could they contact their local FBI representative? Is there a website that they should go and plug in their zip code or something like that?
Yeah. If you go to the fbi.gov website, so it's fbi.gov/contact-us/field-offices. Well, you should be able to Google it. But you can find the correct field office. And then you would just call the office's phone number and ask to speak to the supervisor of the cyber crime squad. And that supervisor, if you just let them know what kind of event you're hosting, the size of the audience, what topic you're interested in, hopefully, they're going to be able to help you out.
Great. And you know, before the pandemic, Eddie, we were on the road a lot with Jeff and Tim Francis and the whole team doing just that. We partnered with the FBI, Department of Homeland Security, and other agencies. And they will come to speak at your event. They want to be out in the public domain talking about all the information that they have for your clients.
So don't hesitate. Just because you might be a smaller agent doesn't mean they won't come out to your event. Just have a brown bag event with lunch with your insurance, and I'm sure you'll have a very successful one. So we look forward to being on the road more doing that. But Eddie, describe for us how rapidly cybercrime has really increased over the past couple of years.
And has the remote work environment-- has that accelerated this? Is that why we're seeing more and more because we're working remotely?
So there's a couple of questions there. So cybercrime has definitely increased, according to the IC3, the Internet Crime Complaint Center that I mentioned previously. They issue an annual report on cybercrime statistics. And over the past three years from 2017 to 2020, the number of incidents that were reported to IC3 increased by 2 and 1/2 times.
Now if you look specifically at ransomware, which is a topic at the forefront of everybody's mind, over the three-year period, the number of reported ransomware incidents increased five times. I'm sure those of you, who are familiar with the stats from the insurance side of things, would echo that you have seen that level of increase, if not worse.
In terms of whether remote access is, in part, responsible for this increase, I think that's really hard to tease out. I do think that remote access as well as remote computing technology that was coming even before the pandemic has contributed to the increase in cybercrime activity. And by that, I mean, specifically cloud computing. A lot of companies have moved their email services out into the cloud.
And when you put your email into the cloud and it's secured only by a password, as opposed to something more secure, like multifactor authentication. I think there are a lot of criminal matters that we're seeing. And I'm sure in the insurance world, you're seeing a lot of claims where there are Microsoft or other email provider breaches that are being caused as a result of the email being out in the cloud and the remote access.
Terrific. OK, so to all of our 1,300 viewers out there, we're going to ask you a question. We're turning the tables here, and we're going to ask you a polling question. If you haven't done this yet, it's not scary on Zoom. So we're going to put up this question. How many of you use multifactor authentication? So don't be afraid. This is all anonymous. How many of your businesses require and use the multifactor authentication?
So hopefully, a lot. And then Jeff, I'm going to turn to you to talk us through these results. I'm seeing on my screen that about 86% of the audience says yes. So we still have 6% who are not sure, which is not good. You should know whether or not you're using this. And 7% actually say no. So Jeff, what do you make of these results? Are you encouraged? 86%.
Well, you know, Joan, you've done this with us long enough to know that's a better number than we've seen. And there's usually a disconnect between this is a really important issue and I'm really not going to do that much about it, right? So multifactor authentication, there are several studies out there that say nine plus out of 10 ransomware events would have been preventable with multifactor authentication in place with the insured.
So if I told you, you had a better than 90% chance of not getting this disease or something else if you had it, normally that logic would bear. Took a long time to get this country to get people to wear seat belts, and it took education. And it took cars that did it for you, and it took a lot of different things. People have been trying to get me to eat my vegetables for a long period of time, too.
And so at the end of the day, I see we're making progress. We can't let up the education and the importance of things like that. And I'm a little encouraged by the number on this poll anyway.
Good. All right, Eddie, we're going to get back to you. What is the profile of a criminal hacker? You found the Crypt4U folks. I mean, how do you find them? What are their motives? Obviously, money, but who's backing them?
So I think there's-- I'm being overly simplistic here. I tend to think of criminal hackers as falling into two groups. There's the ones that are nation state backed and acting on behalf of foreign adversarial nations. And then there are those who, I would say, are straight up cyber criminals who are motivated by greed.
But the range of-- you think about cybercriminal, and it's not really just that super sophisticated cyber hacker genius that's out there doing this, because the cyber criminal ecosystem is very complex. So you might have that super genius who's writing the malware, the Emotet software, whatever, but they're selling it.
And it's being used by much less sophisticated criminals, people who are not able to write their own code but are just applying tools to break into other businesses' networks, which is a big part of the problem, is that the really sophisticated ones are hiding behind all these other cyber criminals that are deploying these tools. And it makes it really difficult to go after what we typically think of as the ultimate real hackers that would really like to be bringing in prosecution.
All right. So Jeff, back to you on the underwriting. You talked about this. Let's go a little deeper. How do you really assess? When you're looking at a potential client to underwrite a cybersecurity policy, how do you really assess their organization's cyber vulnerabilities?
Sure. So starting from the premise that I started with it, nobody is going to be invulnerable from these attacks, right? All insurers are going to have their standard underwriting lenses. They're going to talk about claims experience.
They're going to ask certain questions about security controls. They're going to look at the size of the company. And they're going to look at what industry they're in because we do all believe, our own way, which industries might be a little bit more prone to having issues or not.
But beyond that, I think underwriting for cyber has gotten more sophisticated, where we, for example, and other companies out there using third-party resources or other tech-driven platforms to try and go out and look at a potential insured platform to say, do they have exposed ports that have issues?
Have they been patching regularly? Or is there traffic on the dark web selling email addresses or mentions of them in bad places? So I definitely believe we are moving further down the path from an underwriting perspective, where that will be more and more important for cyber. And we've seen that happen really over the last several years.
OK. All right. Audience members, we're going to have another question for you here. We have this two-part question. So first question is, when hit with a ransomware attack, what percentage of the time do your clients end up paying the ransom? 100%, 75%, 50%, and so on. So that's the first question. This is mostly, of course, for insurance agents and brokers out there.
What percentage of the time do your clients end up paying the ransom? All right. It's looking like it's about 75% is the answer that we got mostly here. OK. So between 75% and 100% of the time. That makes up over 40% of our audience answers there. So a lot, they're paying it a lot according to this. Only 11% say never there.
So a second question, on average, over the last year, how much ransom is paid in these cases? So there, we're looking at between 25,000 to 500,000. A couple have said over $500,000 to $1 million. So this is real money at stake. Jeff, does this kind of jive with what we're seeing now at Travelers in terms of paying the ransomware? Because that's the first question.
Eddie, as you said, what do you advise someone to do? Pay it or not pay it? What do you make of these, Jeff?
Without getting into our specific results, I would say these answers don't surprise me. I think it's important to remind everybody that at the end of the day, it's the victim company that's deciding whether to pay the ransom or not. It's not the insurance company. And there were some pre-questions that were submitted asking about, well, if they don't pay, are there other parts of the coverage that would respond for the cost and ultimately the repair?
And depending on the coverage that was purchased or who it was purchased from, yes. So the decision to pay the ransom or not is in the hands of the customer. There's a couple of really important dynamics around that. The federal government would really encourage you-- I'm not speaking for Eddie. This has actually been said by a lot of agencies. They don't like ransom payments being made.
It potentially incentivizes the bad guys. It does a lot of things that the government wouldn't like. We have certainly engaged in those conversations. And I've heard a lot of other companies who have been breached, including companies that have been breached and who refused to pay the ransom, have advocated, including to the administration, you can't take a company's ability to pay the ransom away because that's potentially their death.
There are some of these companies, including the large ones that you would think that could survive this, that if their systems were completely shut down, companies that you would think would be fine, technically could be out of business within about 30 days. And so for their shareholders, for their employees, for their customers, if they had a choice to pay a ransom or die, it's very difficult to say that you would take that out of the hand of the individual.
By the way, I'm making that argument from the leader, a CEO of a huge security contractor that you would be stunned to have heard that they were a victim. They chose not to pay it. They don't believe it's possible to completely defend yourself from these but is advocating for the fact that the government shouldn't take that position. That's pretty powerful to me.
Yes, definitely. We have a question coming in from agent Dan Molineaux. What is the likelihood that eventually, insurers will stop underwriting ransomware? Now, that's a good question.
Can I have that one, Eddie?
That's totally yours, Jeff.
You know, Dan, that's good to hear that you're on this and that you're asking that question. That's a great question. I have a lot of faith in the fact that insurance companies will be able to figure this one out and to work with our brokers and agents and with the customers to get this right. I believe it is an insurable risk. There are some dynamics. I mean, the trends are not good.
The government is also involved here and might have some thoughts about what should or shouldn't be paid for, and they're getting more and more active. And so there's some dynamics there. We will absolutely be enhancing underwriting. You've seen the pricing dynamics as a result driven, in large part, by this experience.
But I have a lot of faith in the insurance industry being able to work with our customers. This is the number one exposure they say they have. And we have a real need to focus on that and try and be there for them.
OK. A lot of questions, Eddie, coming in for you on the OFAC question. Should the government make it mandatory to report the cyber attacks? Obviously, you're saying you're encouraging that. But people are afraid. They don't want to tell the government that they've been hacked. So how do you get around that?
Well, so there are some sectors that reporting is already required. I think, for example, defense contractors are required to report a ransomware attack. Currently, there isn't mandatory reporting. But what OFAC basically has done is that if you are subject to a ransomware demand, you have to make certain that the payment that you're making is not being made to a prohibited entity-- somebody that's been identified by OFAC as being involved in ransomware or as being a prohibited entity basically. Let me take that back.
So I think for businesses, what you have to do is you have to be able to be sure that you're working with a reputable company that is familiar with OFAC constraints and is able to perform the necessary checks to make sure that if you do have to pay a ransom, that you are not violating in OFAC a prohibited entity.
So working with your insurance carrier, working through one of the providers that an insurance carrier makes available to you to make sure that you're not violating OFAC is probably the safest thing to do. The other thing that I was referring to is that OFAC fact does create not a false safe harbor.
But in their recent guidance, they said that if a company makes a ransomware payment and discloses it to law enforcement or to the government promptly and fully, then OFAC will view that as a very favorable factor in deciding whether or not to impose a sanction. So you see, you've got a couple of layers there.
First, use somebody reputable to provide you the advice on whether to make that payment or not. Probably, somebody from your insurance carrier or some other reputable service. And the other one is to seriously think about doing that voluntary reporting to get that backup protection.
Hey, Joan, I know we're at time. There's a great question I'd like to address if it's OK.
Yeah, sure. Go ahead.
John asked the question, is stressing the urgency of MFA to insureds becoming more difficult, when not all insurance carriers seem to be requiring that immediate implementation? That's a great question. And it actually highlights the more we can bring, say, the industry together, the more we can actually work with, say, the NIST framework that the government's got and maybe expanding that to beyond large companies or critical infrastructure.
But to figure out, how does that also relate to, say, small business administration type target companies, right? That whole of nation conversation is broader than just, is it tough on Travelers because we're implementing an MFA strategy, and not everybody's coming along? That's an insurance issue. We sort of understand what that is, and we're dealing with that.
And we're communicating with our distributors and customers, and we're to try and make that happen. I actually think your question is right on the money, though, which is why we've got to have it be broader. It's education, and it's bigger than just the insurance. It's how do we harden and make cybersecurity hygiene better across the board. Good question.
Great question. Thank you for answering that. And we are at time. The hour flew by. I will commit to our listenership that we'll be back, having a Wednesday session again on cybersecurity in the not too distant future. So please do dial in for that. We have a number of other programs this fall. I do want to thank Jeff and Eddie, an incredible amount of information.
We will have a replay. A number of questions came in. Will there be a replay of this session to share with your other office mates? And we will. We'll send that out to all of you as soon as it's available. But in the next couple of weeks, we have Pat Gee, a head of our claim drones and talking about other technology we're using here at Travelers.
October 27, we have our Chief Underwriting Officer Rick Keegan, who doesn't do a lot of public speaking, but he's agreed to join me and talk about the changing appetites or risk out there in underwriting. And then we have a session on November 3 about the opioid crisis. And we have some terrific speakers there, talking about the opioid and what has happened during the pandemic actually.
So you can register for all these programs at travelersinstitute.org. Connect with me on LinkedIn. I do a lot of social media around our programming.
What did we learn? Here are the top takeaways from “The Fight Against Cyber Crime – From Prevention to Prosecution:”
While cyber risk is the No. 1 concern across companies of all sizes, many have not implemented basic preventive measures. That’s what the results of the latest Travelers Risk Index indicate. Klenk said, “There’s no organization that is immune from this exposure. This is the reality we live in right now.”
Cybercrime, particularly ransomware, is increasing rapidly. “If you look specifically at ransomware, the number of incidents increased five times,” said Chang.
“The cybercriminal ecosystem is very complex,” said Chang, describing a vast network in which “genius” coders write malware, then sell it to less sophisticated criminals who use it to extort and take down networks. “A big part of the problem is that the sophisticated ones are hiding behind the cybercriminals that are deploying the tools, and it makes it really difficult to go after the real hackers that we’d like to bring in to prosecute.”
The U.S. Department of Justice (DOJ) and law enforcement are innovating ways to prevent, find and take down cybercriminals, focusing on four key areas: prosecution, disruption, protection and collaboration. Chang cited three recent cases in which cybercriminals were handed substantial sentences, noting that the DOJ is focusing not only on hackers but also on the people who provide support services to them. He then described the many collaborative, out-of-the-box ways the government is helping to protect, prevent and respond to incidents, such as turning a botnet on itself to clean infected computers or seizing cyber ransom payments back from criminals. “Taking away the tools, the infrastructure and the profits that the cybercriminals are using and hoping to gain is an exciting strategy,” he said.
Insurance companies are in a unique position to help. In addition to paying claims, insurers help businesses manage risk, develop resilience plans and respond to incidents. “That’s not a small thing,” Klenk noted. Still, he sees additional opportunities to leverage the industry in the fight against cybercrime, starting with underwriting practices and the ability to encourage better cyber hygiene standards. He also sees data from cyber insurance claims as providing key information about what criminals are demanding, how systems are breached, how often businesses pay ransoms and what they ultimately paid. “The aggregation of that data and how it can be used to get better outcomes is something the insurance industry is also uniquely positioned to do.”
As a founding member of CyberAcuView, Travelers is working with other major insurers to share cyber data, develop data definitions and standards, engage with regulators and law enforcement, and collaborate on systemic risk.
Combatting cybercrime will take a robust cross-industry, public-private effort. Leaders in the insurance, technology, financial and government sectors are working to act, separately and collectively. On Aug. 25, 2021, as mentioned above, Travelers was one of 40 attendees invited to the White House to address the growing cyber threat. Key topics included hardening security and infrastructure, the role of law enforcement, the importance of educating the public about exposures and simple ways to mitigate risk, and data sharing.
Presented by the Travelers Institute, the Master’s in Financial Technology (FinTech) Program at the University of Connecticut School of Business, the American Property Casualty Insurance Association, the MetroHartford Alliance, the Risk and Uncertainty Management Center at the University of South Carolina’s Darla Moore School of Business and the Connecticut Business & Industry Association (CBIA).