The Changing Nature of Cyber Extortion
Presented by: Brian Rosenbaum LL.B., National Director, Legal and Research Practice, National Cyber Practice Leader
September 13, 2017
Aon Risk Solutions, Aon Cyber and Privacy Practice
Presentation to FEI BC


Aon Risk Solutions | Aon Cyber and Privacy Practice 2

Agenda

1. Cyber Extortion by the Numbers
2. The Types of Cyber Extortion
– Opportunistic Extortion
– Targeted Extortion
– Proactive Extortion
– Injunctive Extortion
3. Cyber Extortion Response Considerations
4. Overview of Extortion Coverage in Typical Cyber Policy
5. Cyber Extortion Coverage Issues
– War/Terrorism Exclusion
– Demand for Money Trigger
– Extortion Expense Coverage
– Limitation With Respect to Threat Actor
– Limitation to Electronic Records
– Extortion Coverage in Kidnap, Ransom, and Extortion (KRE) Policies
– Social Engineering and Phishing Attacks
6. Questions/Comments


Cyber Extortion by the Numbers

• Since 2015, cyber extortion has become one of the most significant exposures for most organizations

• 2016 saw a startling increase in the number of organizations that encountered some form of ransomware

• According to Kaspersky Labs, almost 2.6 million organizations globally encountered a ransomware attack between April 2016 and March 2017 (an increase of 11.4% over the previous 12 months)

• Overall, according to Verizon, cyber extortion attacks increased 50% in 2016 and again in 2017, for an overall doubling in the last two years

• Ransomware attacks are becoming increasingly targeted, hitting financial infrastructure across the globe

• The Verizon report went on to say that bitcoin demands increased and that the business sectors most frequently hit by cyber extortion attacks were government, healthcare and financial services

• Overall, ransomware crime is now costing organizations across the globe between $1-2 billion


Types of Cyber Extortion: Opportunistic Extortion

§ A threat typically in the form of malware that encrypts data and demands a small payment in order for you to decrypt it

§ The threat is usually generic and is typically sent to multiple individuals or organizations without focus/restriction


Types of Cyber Extortion: Targeted Extortion

§ Typically involves mission critical systems or sensitive information that is stolen or rendered useless unless a ransom is paid
– Often involves a threat to publicly release stolen data
– Commonly executed by organized threat actors


Types of Cyber Extortion: Proactive Extortion

§ Criminals have yet to access systems or manipulate / delete information, however they threaten to unless a ransom is paid

§ Very much akin to what would traditionally be known as “paying protection” money


Types of Cyber Extortion: Injunctive Extortion

§ Similar to proactive extortion, criminals have access to sensitive information or systems; however:
– They threaten to act on it unless an individual carries out an action, ceases to do something they have been doing, or provides access or information to the criminal
– Does not involve a demand for money or property; rather, the demand is for an action by the victim
– Attacks are typically covert and not broadcast publicly


Cyber Extortion Response Considerations

Typical response considerations, by type of extortion:

Opportunistic
§ Identify threat
§ Identify and sever backdoors/remote access
§ Remove threat
§ Pay ransom/restore backup to recover
Timeline to recovery: 1 week

Targeted
§ Determine the credibility of threat/source
§ Identify and sever backdoors/remote access
§ Full forensics review
§ Pay ransom/restore backup to recover
Timeline to recovery: 1 month +

Proactive
§ Determine credibility of threat
§ Review/enhance security controls/processes
§ Establish a heightened state of alert
§ Pay ransom/wait for criminal reaction
Timeline to recovery: 1 – 2 weeks

Injunctive
§ Determine credibility of threat
§ Review/enhance security controls/processes
§ Establish a heightened state of alert
§ Comply with criminal demands or refuse and wait for criminal reaction
Extortion demand (Bitcoin): None
Timeline to recovery: 1 month +

First party recovery costs (the slide's comparison across the four types is not preserved in the transcript)


Overview of Extortion Coverage in Typical Cyber Policy

The when: Look at the definition of network extortion threat (or equivalent):

– Any credible threat or series of related threats directed at an insured to:
• Harm the insured by using its third party private or confidential information for a nefarious purpose, including destroying that information found on an insured’s computer system or shared computer system
• Cause a network security or privacy breach
• Tamper with, delete or destroy data
• Restrict or inhibit access to an insured’s computer system or shared computer system
– Where a demand is made for the insured to make a payment or a series of payments, or otherwise meet a demand, in exchange for the mitigation or removal of such threat or series of related threats

§ The definition should also address a threat or series of threats that have already commenced


Overview of Extortion Coverage in Typical Cyber Policy

The what: Look for a definition of the type of expenses covered:

§ Extortion expenses include reasonable and necessary expenses incurred by an insured resulting directly from a network extortion threat
– Ransom payment (in legal tender or crypto-currencies)
– Other consideration surrendered as payment
to a natural person or group believed to be responsible for a network extortion threat

§ Extortion expenses should also include reasonable and necessary expenses incurred to mitigate or reduce any ransom payment, access to forensics, legal advice and public relations consultants


Overview of Extortion Coverage in Typical Cyber Policy

The how: Look at the applicable insuring agreement:

§ The insurer will reimburse extortion expenses incurred by an insured in response to a cyber incident first discovered by any control group member during the policy period
– Coverage is provided on a reimbursement basis rather than “pay on behalf” because an insurer has an economic motive to pay the least amount under the policy. The insured needs to determine what is the best course of action to address an extortion threat.
– “First discovered by any control group member” keeps knowledge of and response to an extortion event within the scope of the duties of those executives who have authority to acknowledge the threat, make decisions, and manage the response

Read your policy to determine if and when the insurer’s consent is a precondition to coverage.


Cyber Extortion Coverage Issues: War/Terrorism Exclusion

§ All cyber policies have some form of a war and/or terrorism exclusion that states the insurer won’t be liable for losses arising out of war, insurrection, riot, civil commotion or disobedience

§ Some forms of this exclusion are so broad that they incorporate language that could preclude coverage for “acts of foreign enemies”, which might include state sponsored cyber attacks

§ Example: Terrorism means an activity that involves… an unlawful act or a threat thereof that appears intended to intimidate or coerce a civilian population or disrupt any segment of the economy of a… state or country…

§ This type of exposure should be covered under a cyber extortion insuring agreement, so the war exclusion should have the necessary exception language to not apply to cyber-terrorism

§ Example: This exclusion… shall not apply to the premeditated use or threat of disruptive activities against a computer system or network by an individual or group of individuals… with the intention to cause harm, further social, ideological, religious, political or similar objectives or to intimidate any persons in furtherance of such objectives


Cyber Extortion Coverage Issues: “Demand for Money Trigger”

§ Traditional extortion threats always involved a demand for money or something of tangible value

§ As a result, the typical cyber policy provides for investigation expenses and ransom payments when there is a cyber security threat or privacy threat for the purpose of demanding money, securities or other tangible property

§ The reliance on a “money demand” trigger can limit coverage in the case of an extortion attack where no money is demanded but instead the demand on the victim organization is to do or not do something

§ For broader cyber extortion coverage (especially for high-profile organizations which could be the subject of a hacktivist extortion attack) it is important to try to amend the policy so that the “demand for money” trigger is not the only trigger for the investigation expenses and other first party coverage that is generally available for cyber extortion

§ Example: network extortion threat means any threat…where a demand exists for the Insured to make a payment or offer up other tangible property or otherwise meet a demand in exchange for the mitigation or removal of such threat


Cyber Extortion Coverage Issues: Extortion Expense Coverage

§ In addition to the ransom payment, the typical cyber policy will provide the insured with certain expenses

§ The devil is in the details as to what is included in those expenses

§ With respect to the ransom payment coverage, is the language limited to the payment of money or does it extend to securities and other tangible property, including bitcoin and cryptocurrency?

§ The insured organization will typically need coverage for expenses to investigate the cause and the credibility of the extortion threat and mitigate the expenses associated with the threat

§ There is variance amongst insurers with respect to this wording

§ The best wording is an amalgam of all the policy wordings available in the market

§ Example: Cyber extortion expenses means any and all reasonable expenses incurred by an insured resulting from an extortion threat including the payment or surrendering of money or other consideration (including Bitcoin)…including but not limited to the reasonable investigation expenses incurred to determine the cause and the credibility of the threat


Cyber Extortion Coverage Issues: Limitation With Respect to Threat Actor

§ Some policies require that the threat of extortion emanate from a “natural person”

§ This requirement could compromise coverage where the threat is made by an organization or group such as Anonymous

§ Example: The insurer shall pay extortion expenses resulting directly from an insured having surrendered any funds or property to a natural person who makes a threat directly to an insured during the policy period

§ It is therefore important to ensure that the threat actor language extends to organizations, corporations and nation states for the broadest cyber extortion coverage


Cyber Extortion Coverage Issues: Limitation to Electronic Records

§ Typical cyber policies provide extortion coverage where there is a security threat

§ Extortion threat is often defined as various intrusions on, or gaining access to, a computer system

§ Example: Extortion threat means a declaration made by a party that it has gained access or alleges to have gained access to an insured’s computer system and intends to… sell or disclose a record to another person…

§ Although not common, extortion can involve paper records, which would not be held in a computer system

§ Even though many wordings extend the definition of record or data to include paper records, the language requiring that the extorting party gain access to a computer system eliminates coverage for paper record extortion

§ So to ensure the broadest cyber extortion coverage, ensure that the policy contains language that extends the insurance to situations where a party has physically stolen paper records and is holding them until some demand is met


Cyber Extortion Coverage Issues: Extortion Coverage in Kidnap, Ransom, and Extortion (KRE) Policies

§ Many insured organizations purchase KRE insurance believing that the extortion section of this coverage is the same as that offered by a cyber policy

§ In fact, the two policies cover very different types of information

§ KRE covers IP/information owned by the insured organization, while cyber extortion insurance covers confidential information of individuals or business partners that is in the care, custody, and control of the insured organization

§ The triggers under some KRE policies are limited to the introduction of specific perils (computer viruses/malware) into the insured’s computer system, whereas the typical cyber policy will trigger where there is a more general threat to an insured’s computer system

§ KRE policies do not offer the broader first party costs found in cyber policies to investigate the veracity of a threat


Cyber Extortion Coverage Issues: Extortion Coverage in Kidnap, Ransom, and Extortion (KRE) Policies

§ There is also a lack of severability in the KRE policy so insureds guilty of wrongdoing can negatively impact coverage for all insureds

§ KRE policies typically do not have deductibles, whereas cyber policies do

§ To the extent there is coverage for an extortion threat under both a KRE and cyber policy, the policies’ “other insurance clauses” will have to be crafted to ensure there is no question about which policy will respond to a threat


Cyber Extortion Coverage Issues: Social Engineering and Phishing Attacks

§ Social engineering refers to the use of identity deception and psychological manipulation to gain the confidence of an employee and induce him or her to part with an organization’s money or securities or divulge confidential information

– Criminals use a combination of emails and phone calls to perpetrate a fraud and scam companies out of large sums of money

§ Often, fraudsters target businesses that work with foreign suppliers or regularly perform wire transfer payments

§ According to the FBI:
– Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries
– From October 2013 through February 2016, law enforcement received reports from 17,642 victims
– This amounted to more than $2.3 billion in losses
– Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss


Cyber Extortion Coverage Issues: Social Engineering and Phishing Attacks

§ Fraudsters are well organized and will have great knowledge of the targeted company so that their story is convincing to the victim

§ There are two primary types of social engineering fraud:
– President/Executive Impersonation
– Vendor/Client Impersonation

President/Executive Impersonation
§ The fraudsters impersonate an executive of the company (e.g. the President, CEO, CFO) and typically research an organization’s procedures and chain of command before contacting a specific employee such as a manager, an accounts payable clerk or another employee responsible for initiating wire transfer payments

Vendor/Client Impersonation
§ Fraudsters impersonate a vendor, indicating that payment information has changed and asking for a payment to be sent to a new account
§ Fraudsters may also impersonate a client and place a fake order for goods and services


Cyber Extortion Coverage Issues: Social Engineering and Phishing Attacks

§ Many insureds are surprised to learn that there is no coverage for these types of attacks in the typical cyber policy: these policies only cover losses resulting from the unauthorized disclosure of confidential information that leads to financial loss, not direct financial losses that result from being duped into giving up money or information

§ In addition there is no coverage under the typical commercial crime policy or general liability policy for social engineering/phishing losses

§ General liability policies do not provide for 1st party loss and any 3rd party coverage is limited to change of data or deletion of data which results in loss

§ Base wording in crime policies does not cover the voluntary parting with money or information under the computer fraud and funds transfer insuring agreements

§ For this reason, insurers have created a Social Engineering Endorsement (also known as “Payment Diversion Endorsement”)

§ Coverage is sub-limited, usually to $250,000
– Some insurers have started offering $500K to $1M depending on comfort with internal controls
– Other insurers will offer full limits subject to a call back/adherence to protocols

§ Insurers typically charge additional premium (from 10-15%)

§ An insured will also be required to complete a supplemental application prior to obtaining the coverage to ensure that adequate payment verification protocols are in place

§ Beware of preconditions to coverage such as a call back requirement

Questions/Thank you

Important: This report contains proprietary and original material which, if released, could be harmful to the competitive position of Aon Reed Stenhouse Inc. Accordingly, this document may not be copied or released to third parties without Aon’s consent.