Travelers Cyber Webinar
(DESCRIPTION)
Logo: Travelers. Text: Cyber Webinar. Building a stronger defence: Lessons in cyber breach response. November 2023. Chris McMurray speaks to us from the upper right corner of the slide presentation seated in front of a white background.
(SPEECH)
Thank you all for attending our webinar today. For those that don't know me, I'm Chris McMurray, managing director for cyber at Travelers Europe. And over the next hour, we will look to give you an insight into the fast moving cybersecurity landscape, the current threats and trends that we are seeing, and how your clients can help reduce their cyber exposure.
To do that I'm delighted to say, we are joined by Arran Roberts from Kennedys and Paul Wells from Kroll. Both Arran and Paul have been involved in a number of Travelers insureds' cyber breaches and have played a valuable role in getting insureds back up and running following these events.
In addition, Chris Scott, claims team manager at Travelers, will give specific insight into what we are seeing in our portfolio. And James Doswell, a senior risk management consultant for cyber, who plays a key role in our overall cyber proposition, will be giving some insight into how your insureds can reduce their cyber risk, whilst also giving a brief overview as to how our risk control offering can benefit those insureds.
(DESCRIPTION)
Text: Disclaimer: The information provided in this presentation is for general information purposes only. It does not constitute legal or professional advice nor a recommendation to any individual or business of any product or service. Insurance coverage is governed by the actual terms and conditions of insurance as set out in the policy documentation and not by any of the information in this presentation.
(SPEECH)
Before we get started, just some housekeeping. We will be recording today's event, but only the speakers in the presentation will be visually and audibly recorded. All attendees are muted just so that our speakers can be clearly heard.
So if you do have any questions, can I ask rather than shout out, if you can pop these in the chat Q&A function which appears at the bottom of the screen, and we'll look to address these at the end.
So without further ado, let me hand over to Chris Scott, our claims team manager here at Travelers to get us started.
(DESCRIPTION)
Chris Scott.
(SPEECH)
Thanks, Chris.
(DESCRIPTION)
Claim Trend Analysis. Two pie charts, one labeled 2019 and one labeled 2023. The 2019 pie chart shows 20% GDPR Breach, 20% Lost/Stolen Device, 13% Phishing Attack, 7% Ransomware, 40% Social Engineering.
(SPEECH)
So I'm going to talk to you about some of the claims we've seen here at Travelers. I'm going to walk you through the past few years of our cyber claims portfolio and looking at the trends that we've seen.
So first, it's clear to say that we've seen a bit of a diversification of the types of claims that we've seen within the portfolio since 2019. There have, however, been four main areas that have remained constant in the portfolio. So these are social engineering, ransomware, external hacks and GDPR breaches.
If we go back to 2019, we, in Travelers, saw an eruption of social engineering claims. And they accounted for around 40% of the claims we experienced. Moving on to 2020, we had four main areas identified, but the largest chunk of those, which represented about 50% of the claims we received, were external hacks.
That theme continued in 2021, with a further 50% of the claims being attributable to external hacks in that year as well. But we did see in 2021 an increase in social engineering frauds.
2022 saw a good mix of different types of claims in the portfolio itself. There was a notable surge in cookie claims. They later fizzled out after Lloyd v Google. But the clear leaders from a volume perspective were social engineering and ransomware claims.
(DESCRIPTION)
The 2023 pie chart shows, 38% Social Engineering, 10% GDPR Breach, 3% Malware, 8% Third Party Vendor Breach, 6% SAR and Access Issues, 7% Ransomware, 3% Liability, 4% External Hack, 1% Crime, 2% Lost/Stolen Device, 7% D E C, 8% Phishing, 2% Unauthorised Access.
(SPEECH)
That brings us to the current year, 2023. And, again, clear leader from a volume perspective is social engineering frauds. So that as a percentage basis has meant consistently between 30% and 40% of the claims we've received since 2019.
We've also seen the emergence of a number of new trends, which have been down as a result of environmental factors. So third-party breach-- sorry, third-party vendor breaches, for example, have become more common in our books since 2022, and that's primarily been as a result of companies streamlining their businesses.
There have been more phishing attacks and business email compromises, which are normally the precursors to social engineering frauds. And that's partly linked to the hybrid working environment since the pandemic. And, finally, we saw a surge of ransomware attacks in 2022, and that slowed down dramatically on the Travelers book in 2023, which could potentially be as a result of the increased use of multi-factor authentication and potentially threat actors being engaged elsewhere.
So we've had a look at the types of claims that we're seeing. I'm going to move on to the next slide to have a look at the frequency of claims that we see on the book.
(DESCRIPTION)
Text: Claim Frequency. Two bar charts. The first shows years 2018 through 2023. The shortest bar is 2018, then they increase until they peak at 2022. 2023 is shorter than 2022 and the second tallest bar. The second bar chart shows each month of 2023. The tallest bar is October, second tallest is September matching with March, then February and June, then July and August, then April, then May, then January is the shortest.
(SPEECH)
So there's been a marked increase on the Travelers claims portfolio since 2019. That's, in part, down to the evolving threat landscape, and also down to the growing book. But, generally, we've seen volumes increase year-on-year by around 50% with the exception of 2023.
It is anticipated that by the end of this year, we will see more claims than we did see in 2022, but the increase won't be as we've seen in prior years.
So over on the right-hand side there, I've included the 2023 figures, just to see where we're seeing the claims on a monthly basis. And it's fair to say that over the last few years, there has been a certain element of seasonality to the cyber claims. We certainly see less activity during the summer months and a notable increase in claims activity as we end Q3 and enter into Q4.
So there's varying reasons for this. But my own view is that the threat actors operate much like any other business. And they work to annual targets. So there's more activity towards the year end. And that also goes hand in hand with our insured companies, who are, perhaps, also focusing on year end targets and potentially less vigilant to cyber attacks.
So I'm going to move on to the last slide for myself. I'm looking at the severity of the claims that we've seen within the Travelers book.
(DESCRIPTION)
Text: Claim Severity. Two bar charts. The top chart is titled, Combined Severity by Year (excluding Ransomware). The x axis shows various claim events, each with colour-coded bars representing years from 2018 to 2023. The y-axis goes from 0 on the bottom to 500,000 at the top in increments of 50,000. The events Brute Force Attack, Crime, Cryptojacking, IP Breach, Lost/Stolen Device, Network outage, Reputational Harm, and SAR have no bars. GDPR Breach has a bar for 2019 at about 25,000 and a bar for 2022 at 100,000. Malware has 2020 at just over 100,000 and 2021 at just under 100,000. Phishing attack has 2019 at below 50,000, 2021 at just above 50,000, and 2023 at about 25,000. Service Provider Attack has 2022 at about 25,000. Social Engineering has 2021 at just over 150,000, 2022 at almost 450,000, and 2023 at about 10,000. System Vulnerability has 2021 at 150,000 and 2022 at about 5,000.
(SPEECH)
So the front runner, which has been removed from the top chart, is ransomware. So with ransomware itself, obviously, there is the cost of the demand, which, if paid, can be relatively sizeable. There's the additional IT legal and regulatory costs associated with the attack, as well as the sting in the tail of the business interruption flowing from the attack itself, which can be a significant amount of the claim.
So as I say, we've stripped out ransomware itself because that can skew the figures. But if we take ransomware aside from a severity perspective, the next trend there that we've seen from a severity perspective is social engineering. And that's remained consistent throughout the years. Closely linked to that is phishing attacks, which is, as I mentioned before, a bit of a precursor to social engineering frauds, and they've been equally consistent throughout the years, albeit not as costly from a severity perspective.
(DESCRIPTION)
The second bar chart is titled Average cost of incurred files. It has the years from 2018 to 2023 on the x-axis, each with two bars, a red one showing Average Cost on incurred files and a blue one showing Excluding the 1 million-plus-pound payments. The y-axis goes from 0 at the bottom to 350,000 at the top, in increments of 50,000. In 2018, both bars are at 0. In 2019, both bars are at 50,000. In 2021, the red bar is 300,000 and the blue is 50,000. In 2022, both bars are just above 50,000. In 2023, both bars are just above 50,000, slightly shorter than the 2022 bars.
(SPEECH)
So looking at the second chart at the bottom there and stripping out the million pound plus payments on the claims files because, let's say, they can skew the figures, we can see that the average cost per claim has increased gradually over time. Current costs of an average cyber claim in 2023 is around the 65,000-pound mark.
So I hope you found that useful. A little bit of an insight into the claims that we're seeing here at Travelers. And I'm going to pass over to Arran now, who's going to have a look at the trends from a market-wide perspective.
(DESCRIPTION)
Arran Roberts.
(SPEECH)
Thanks, Chris.
(DESCRIPTION)
Text: Legal. What is the role of the legal team? A photo of a glass spiral staircase from below with people walking up it. Text: Advise on notification obligations: ICO, FCA, employees, customers and authorities. Coordinate and instruct other vendors. Advise on overall response strategy. Advise on exposures. Logo: Kennedys.
(SPEECH)
So before I delve into the world of the claims that we deal with and some of the trends that we're seeing at the moment, I thought it might be useful to take a bit of a step back and to talk a little bit about what our role is as the legal team when we wade into these incidents, and when Chris and his team bring us in.
So we're typically one of the first vendors on the ground when an insured suffers an incident. So we're typically on a first call with that insured within a maximum of an hour of them reporting an incident. So we really do come in at the kind of crisis stage for insureds. And I think our biggest role, aside from all the technical stuff, is to put a bit of a virtual arm around them and start to try to take some of the pressure off and guide them through the incident, which, hopefully, they've never had to deal with before.
So we very much appreciate that we deal with these things day in and day out, and you become a little bit desensitised to it. But for the insureds that we work with, it's probably the first time they've had to deal with anything like this. So first and foremost, our role is to give them some reassurance and help them understand what the process is going to look like.
In the very, very early stages of an incident, where we're, obviously, very mindful that there are some fairly scary deadlines out there from a legal perspective. So under the GDPR, we've potentially got 72 hours from understanding that something has happened to being in a position where we have to make notifications to regulators.
And more so these days, we're not just looking at the UK landscape. Most organisations have some exposure across jurisdictions these days. So we also have to think about the cross border side of things in a lot of cases. And there are lots of frameworks out there now that mirror the GDPR in most respects. So we might not just have those GDPR deadlines, but we might have other countries to think about as well.
And then alongside those data protection obligations, we have to think about the professional regulatory landscape. So we might have other regulators that take an interest in these things. So the easy ones off the top of your head, the FCA, the SRA, the Charity Commission, all take a really keen interest in these types of incidents. And there are notification thresholds at play there.
Moving on to the more human side of that, we also think about who else we need to be telling about these incidents in the very early stages. So who are the key stakeholders that we need to be making aware of this incident very quickly? One that people tend to forget about is employees. They're often one of the first groups to be impacted by these types of issues. So what do we need to be saying to our own staff whose day jobs are impacted? They might be worried about whether they're going to have a job at the end of this, rightly or wrongly.
And then externally, we need to think about what customers can see. So depending on the nature of the incident, it might be very, very obvious that something has happened because there is operational disruption. So we'll be very quickly thinking about what we need to be saying to who.
And, actually, that can be quite difficult because it's only in the middle of these incidents that actually a lot of organisations realise that working out who they need to tell is quite difficult without the computer systems. So often, we'll walk into one of these first calls, ask who we need to tell, and the answer will be, well, we don't know because all of our contracts are stored on a server that's been impacted by the incident.
So it's always handy to have that stuff in hard copy. And it's a real tip that we always give to insureds. In those very early stages as well, we'll be thinking about who else we need to bring on board. So first and foremost, I'll let Paul talk to you shortly about his team's involvement on the IT forensic side. But we will be thinking about who else we need to bring in to support the insured. And that might also include crisis communications, if we have an incident that might have a public interest angle where the media may become involved or where the impact is such a wide ranging issue that we need to make sure that the messaging is right from the very outset.
And then on the more longer tailed side of things, we'll be with the insured throughout the incident. We'll be on update calls with the forensic team on probably a daily basis in the early stages of an incident. And we'll be guiding them through and advising them on strategy as things change. So it may not be until we have a little bit more information from the forensic investigation that actually some of these legal and regulatory thresholds are met. So we will be there every step of the way to advise them on the changing landscape.
And then, again, as we move through even more widely than that, on the exposures that may be coming down the line, both in terms of the regulatory framework, but also on the third-party claim side, which Chris spoke about a moment ago. So we'll look forward to understand what the potential liabilities are in the longer term.
(DESCRIPTION)
A clipboard with a checklist. Text: Evolution of regulatory investigations. Increasing focus on "big picture" points. For example: Itemised lists of data, Scrutiny of policies, Evidence of senior management engagement, Due diligence with third party vendors
(SPEECH)
So just moving on to the next slide, I thought rather than focus on the technical aspect of these incidents, I'd take stock of some of the trends that we're seeing on the very legal side of things. And the one that really springs out to me over the past, I would say, six or 12 months is an evolution in the way that the regulators are looking at these incidents and the way that they're approaching their investigations.
So what we've seen, particularly from the ICO, but not just the ICO or other regulators, professional regulators, as well, and also supervisory authorities across Europe, we've seen them take a very big step back from the very fine detail of an incident. So we used to see questions very heavily focused around how the incident had happened, what security measures were being put in place to prevent that happening again.
And that still forms a big part of what the ICO, for example, want to understand about an incident. But what we're increasingly seeing them doing is using the incident as an opportunity to take a step back and look at the wider compliance landscape. And they're all the pre-breach compliance things that the insureds should have in place before an incident ever occurs.
And the ICO is seeing this as a bit of a launch pad to encourage organisations to have those measures really well lined up before an incident happens with using those incidents as an opportunity to carry out a little bit more scrutiny of what's going on in the background.
So by way of an example of what we're seeing on the ground, when we're liaising with the ICO, we're seeing them ask for things like, if we tell them a particular server is encrypted and we don't have access to it, they'll ask us for an itemised list of the personal data that was kept in that location. So what they're getting at there is that organisations should be, on the front end before anything happens, understanding the layout of their environment, where they keep personal data, what's stored where. So that when something like this does happen, they have a pretty rough and ready idea of what data might be in scope.
And that data mapping exercise is really, really useful for us because it's often not until way into the forensic investigation and the restoration that we're able to actually get a good idea of what data might be affected. So that's a pressure point that the ICO likes to test.
The other thing they routinely ask for now is copies of policies that relate to both data protection and IT security practices. So things like, what is your retention policy for documents? And on the back of that, where we have told them that data has been affected, they've asked for the date of the oldest record that we've identified as being in scope. So, again, trying to flush out whether, A, companies have those policies in place, but, B, that they're actually complying with them because if they've got a retention policy that says, we'll keep things for six years. And, actually, we're telling them that there's a record from 2001, that is in scope, they know that there's potentially a more systemic issue there.
Tied to that, what they also increasingly want to see is evidence that senior management are really engaged in this process. And that data protection and security are really baked into the culture of the organisation. And that that's being addressed at a really high level. It's being properly invested in. So we've seen them ask for things like board minutes to evidence that these issues are a standing agenda item. So that's one thing that is quite easy for organisations to implement.
And then, finally, and tied to one of the other trends I wanted to just talk about briefly is due diligence with third-party vendors. Now, most organisations have got some third-party software or service provider that they will outsource some personal data to. The big ones that are easy to think about are HR. Most companies have an external HR platform these days, payroll providers. There are lots of third-party databases for customer engagement, email platforms, that sort of thing.
And, historically, I think it was seen as a bit of a get out of jail free card by organisations when they pushed the responsibility for this data out to a third party. What the ICO has done is rein that back and say, OK, but you're the data controller. So, actually, you need to be carrying out some real due diligence on the organisations that you are engaging with and making sure that they are the right fit for your organisation, that they have the right security in place, and that you actually have a way of checking and regularly updating with them on those issues.
So where this really comes into play, which I'll just pop up on the next slide, is the increase in supply chain attacks that we've seen over the last 12 months or so.
(DESCRIPTION)
A close-up photo of hardware. Text: Supply Chain Attacks. Compromise of a trusted third party supplier (e.g. MSPs, software providers), Potentially multiple victims from a single attack, Possibility to monetise each victim independently.
(SPEECH)
So what these incidents involve is we will have one of those third-party suppliers that a client is working with routinely, and they will be very trusted suppliers like managed service providers who deal with IT provisions, software providers, or service providers like the ones I've just spoken about.
And what threat actors have realised over the last 12 months or so is that these are great opportunities for them to do minimum work with maximum effect. So they can use these trusted third parties. And by breaching their environments, they can potentially impact all of the clients that they have downstream. So the really obvious example of this that you've probably all seen was the MOVEit breach earlier this year. And I think Paul will touch on that as well in a moment. So I won't go into too much detail, but that was a file transfer platform provider.
And what the threat actor group that managed to impact that service did was they were able to take data out of that platform relating to a huge heap of the provider's clients. And they were then able to monetise or attempt to monetise each victim individually. So from that initial compromise, they were able to hit hundreds of end victims. And this is something that we expect to see a continued growth of.
It's clearly incredibly lucrative. And whilst it takes some sophistication, some of the bigger groups, it seems to be emerging as a trend for. So CL0P that were involved in the MOVEit breach, we've seen a trend of them attempting to or managing to hit particular vulnerabilities hitting this type of supply chain provider.
So it's something that we expect to see more going forward. But where this really ties back to what I was speaking about before is that supply chain due diligence. And a great example of this is an incident that we dealt with over the last few months. So we dealt with a mid-size law firm, whose environment was impacted through a vulnerability that was a zero day vulnerability, completely unknown at the time.
It wasn't until several weeks into the incident that we actually became aware that this was a zero day vulnerability that no one knew about at the time. And that zero day vulnerability affected a telephone system that was outsourced to a third-party provider. So we saw that as a bit of a get out of jail free card, with the regulators presented it very much as this was a zero day. There was nothing that anyone could have done about it.
And, actually, the firm had pretty sophisticated security in place. They were actually able to disrupt the attack. So data was taken, but nothing was encrypted. And despite that, we went through months of back and forth with the ICO because they wanted to see evidence that there had been some real thought process into how this vendor had been selected, whether it was the right fit for the business, which was quite tricky, and where the problem arose because it was a service provider that the firm had worked with for 20 years.
The services they provided had really evolved over the course of that incident-- of that period and hadn't necessarily been documented along the way. So whilst there was lots of security in place, it was quite sophisticated. It actually took us having a face-to-face meeting with the ICO to persuade them that everything was as it should be.
This was something that no one could avoid because that issue with the contractual documentation with a third-party provider immediately piqued their interest. So I think the take home message from this is that there's lots of work that insureds can do on the front end before an incident ever happens that will put them in the best place that they could be in with the regulator in the, unfortunately, quite likely event these days that something does happen.
So that's it from me. A bit of a whirlwind tour of the legal side of things. I'll hand over to Paul to talk about the forensics.
(DESCRIPTION)
Paul Wells.
(SPEECH)
Thanks, Arran. Good afternoon, everyone. If you could just pop it on to the next slide, thank you. So just to introduce myself, my name is Paul Wells from a company called Kroll. Kroll do a number of different things, but I'm here today to talk to you about the digital forensics and incident response team, of which I am a member.
What we do, why it's important, and, again, a little bit talking about some of the trends and new emerging trends within the industry at the moment.
(DESCRIPTION)
A photo of a row of blue cables plugged into hardware. Text: Digital Forensics and Incident Response (DFIR). What is the role of the DFIR team? Investigate the incident. Determine root cause. Identify what data was impacted and how. Provide cyber threat intelligence. Advise on containment and remediation. Logo: Kroll.
(SPEECH)
So first of all, what does the digital forensics and incident response team do during a cyber incident and the response to cyber incident? Well, really, I see our primary role is to identify the facts of an incident. And that's so important, because very often, when you have these major cyber incidents, there's an awful lot of confusion sometimes. So we often refer to it as the fog of war. But once you've had a major incident, systems are down, data is deleted, nobody really knows what has happened at that early stage and what's been impacted on it.
And so our role is to investigate, identify the facts. And then those facts can inform Arran's team and the work that she will be doing. It will inform the communications team in terms of what statements are going to be made. And really, if you're trying to do all that work without access to the facts of an incident, then you're going to take some steps wrong.
It's also important that the work is done by a specialist team so that the forensics work is done by an external forensics provider, such as Kroll, for a number of reasons. First of all, expertise. It's quite a specialist area. Most of my team have law enforcement background or deep expertise within IT and IT security.
And so we have vast experience in terms of handling evidence. And we have that independence. Some organisations may try and do their incident response work with their in-house security team, which can-- we've seen that cause problems because they've had competing priorities of restoring systems. So they might have overwritten data. They may make assumptions in terms of what's happened. So an external DFIR team, such as ourselves, can give that independence and that external expertise.
So in terms of what we're doing then, when we're investigating the incident, we normally have a couple of areas that we want to focus on. First of all, it's always critical for us to try and determine what the root cause of the incident was, what was the primary factor, which led to this cybersecurity incident?
Now, these could be a number of variety of different things. It could be an unpatched firewall system, for example, which was vulnerable to an attack. And the attackers got in that way. It could have been an end user clicking on a phishing link and letting the attackers in through that way. It could have been a misconfiguration of a service, which allowed attackers in.
So until you know what that root cause is, it's very difficult to be able to say that an incident has been contained. So certainly, that identification of the root cause, how they got in in the first place, is one of our primary goals. And then also, once we've determined the root cause, what have the threat actors done whilst they've had access to the environment?
So how long have they been in there for? Were they there for only a short period of time, a couple of hours? Were they only on one system? Or were they in there for weeks and made their way across the network accessing a variety of different data and exfiltrating it?
And, obviously, that's important to determine for a number of reasons. Certainly, it will, again, inform potentially some of the notification obligations in terms of if data has been accessed or exfiltrated. It will also inform the containment and restoration that the victim will need to do in order to be able to repair their systems. And it's going to inform any communication that is done to stakeholders, members of staff, customers, et cetera.
But it can be hard. Both that determining root cause and identifying what data is impacted can take a lot of time. And this is something-- when Arran mentioned a minute ago about a lot of the good work that her team does in terms of handholding with the client and talking through people who have never experienced quite often anything like this before, we also help with that handholding exercise and try and manage their expectations quite often in terms of how long this investigation is going to take.
Very often, when we have those first calls, the victim is often talking in terms of hours to get their systems back and to recover and to find out exactly what has happened. And very often, we have to manage that expectation and explain that this is a process where the investigation will likely take days into weeks. Recovery is going to be weeks into months potentially. And then, obviously, any notification and communication process, that could be potentially into years.
So certainly, that's quite an important part of the role is managing their expectations in terms of exactly how long this investigation is going to take. And also, exactly what we're going to be able to determine as well. These threat actors, we see them more and more trying to perform anti-forensics techniques to try and frustrate our investigation. We see them deleting logs. We see them clearing the history of what they've done. We see them, obviously, encrypting data as well. And all those efforts make it harder and harder for us to determine exactly what actions the threat actor took and when.
So the other things that we'll help clients with, we'll help victims with is cyber threat intelligence as well. So to help them determine who this threat actor is, what their motivation is. Typically, that means they're financially motivated. Most threat actors are looking for a payday. Not all of them. You do get nation state threat actors who are more motivated with the contents of data. But, usually, especially for ransomware, especially for email compromises, the vast majority of them are financially motivated.
But we can help determine the exact group who we believe to be responsible for this. And that can help in terms of identifying exactly what ransom figure they're after. If it's a ransom motivated group, what techniques they might have used, will they have exfiltrated data? Some groups purely go for exfiltration, which I'll talk about in a minute. Other groups aren't that sophisticated and will just go for encryption, and are much less likely to be stealing data as well.
So that cyber threat intelligence can help inform the victim's response in terms of what they suspect the impact might have been on them. And, finally, the other task that we perform is we help advise on containment and remediation.
Now, obviously, that's advice. Certainly, my team within Kroll, we won't be doing the remediation ourselves. We won't be going in and resetting people's passwords, but we will work with the victim to explain exactly what steps they need to take to contain this incident.
So what are the accounts that need resetting? What other steps do they need to go through? What malicious IP addresses do they need to block? All those steps that they need to take so we can make the assessment that the incident has been contained and remediated.
So that's a very, very brief overview of what the DFIR team do during one of these responses. And I'll just move on to some of what we see as some of the current emerging trends.
(DESCRIPTION)
A graphic of a padlock surrounded by circuit network lines. Text: Emerging Trends. Ransomware as a service. Ransomware without encryption: CL0P MOVEit vulnerability. Lockbit builder leak: explosion in new groups. Business email compromises bypassing MFA.
(SPEECH)
And I've tried to pick out a few things here that I think are interesting. So moving away, perhaps, from numbers and incident types into specific techniques that we see threat actors using more and more.
So the first one on my list here is ransomware as a service. Now, I suppose in terms of emerging, this is something that's been happening over the last couple of years. But really, we increasingly see this as a model the threat actors are using, which is where you have different groups within the threat actor model.
So you have a provider who provides ransomware as a service. You can essentially sign up for this as a franchisee. And you will get probably a copy of an encryptor. You will get access to their infrastructure. So their leak sites where they host data. You might get access to their communication tools. And you might get access to a particular playbook of this is how the step-by-step access, the step-by-step guide to performing a ransomware attack.
So if you sign up for that as an affiliate, you would pay a percentage of any ransom that you manage to extort. You'd pay that back to the ransomware operator.
So why do we see this as a significant trend, this ransomware as a service? Well, two reasons, really. First of all, it really lowers the bar for entry into becoming a ransomware operator. Two, three years ago, if you wanted to set up a ransomware group, you needed to recruit some very, very specialist talents. You needed people who were very good at writing encryption that was uncrackable. You needed somebody that knew how to host the data. You need to have somebody who could gain access. You needed probably English language skills. You need all these different skills. And you needed to directly recruit them into your group.
These days, as an affiliate, you don't really need any of those skills or certainly not many of those skills. You can just sign up for an affiliate with one of these sites. And you pretty much get everything provided for you. So it's really lowered the bar in terms of the requirements for access.
Secondly, why is ransomware as a service a particular problem as well? It gives much greater sophistication because they can pool their resources. It means that the sites, the data hosting sites for these groups are increasingly complicated, increasingly user-friendly with a number of different features now because they host data for lots and lots of victims of lots and lots of affiliates.
So this allows a number of different techniques, such as auctioning off of stolen data. Now, it's something that we see ransomware as a service groups providing. So if the victim doesn't pay a ransom now, rather than just leaking the data, a lot of these sites now offer the data for sale to a single person purchasing it.
So all these new techniques that are only possible because this is shared infrastructure by these ransomware as a service groups. So, although, this is something, as I said, this has been emerging over the last couple of years, this is something we see more and more of these groups moving towards ransomware as a service.
The second thing that we've seen is an emerging trend over the last year or so. And this is something that Arran mentioned earlier with the MOVEit exploit. It's ransomware without encryption.
So the CL0P group who were responsible for exploiting the MOVEit vulnerability, which as Arran said, this was a vulnerability that allowed a large amount of data from a large amount of victims to be stolen, pretty much in one hit. This is an absolute classic attack by the CL0P group these days.
CL0P were one of the fairly standard ransomware crews, but they've now moved into attacks such as the MOVEit vulnerability, where they didn't encrypt anything. All they did was just steal the data without encrypting. And we see this on a micro level as well.
So on some victims where they've gained access to their systems, they've just stolen data. They've not performed any encryption. There are a number of different reasons why we think this is likely. First of all, it probably has a higher success rate. If I'm getting into someone's network and stealing all their data, that's a lot quieter than if I'm going around trying to encrypt everything.
It also might mean that my victim might be more willing to pay a ransom to or to have a perceived lack of visibility of the incident, because encrypted systems are very, very visible. Systems, which have only had data stolen are less visible to end users and customers. So the victim might be more motivated to pay a ransom because of that.
Secondly, it's probably cheaper for them. They don't need to worry about having people to encrypt the data. They don't need to licence an encryptor. All they have to do is steal data, host it, and then sell it.
There's a couple of reasons why we think ransomware without encryption is something that's increased and probably going to increase. Another interesting trend we've seen over the last 12 months is the LockBit builder was leaked. So LockBit is one of these ransomware as a service groups. The builder for their encryptor was leaked on the dark web. So that means that pretty much anyone out there now can get a copy of a highly sophisticated encryptor, which means that I don't need-- if I want to, all I need is access to an anonymous email address, and I can set myself up as a ransomware operator.
I don't even need to be involved in one of these ransomware as a service groups, if I don't want to. So again, that is yet again, lowering that bar for access.
And, finally, the last trend I wanted to mention before I move on to the next section is-- I just wanted to talk about something other than ransomware, because that isn't all we deal with. We do see a lot of business email compromises as well. And this is something which has increased probably over the last six months for Kroll, another wave of business email compromises.
So this is when Microsoft 365 accounts, for example, get compromised. The threat actor accesses the mailboxes. Invoice fraud is typically their end goal.
We saw with the introduction of multi-factor authentication over the last couple of years, we did start to see a reduction in these attacks, as the attacks were frustrated by multi-factor authentication because not only did you need the password, you had to convince the victim to enter in their MFA code.
Unfortunately, over the last six months or so, there have been a couple of open source phishing kits released, which include the ability to capture the MFA tokens that the victim enters and to reuse them essentially.
So these off the shelf kits have made it much, much easier for threat actors to keep on with these business email compromise attacks and to get through MFA relatively easily. So, again, this is a trend that we see continuing. I think there will be some changes to MFA in the way it's implemented, which will hopefully help. But for the moment, that's something we're seeing more of.
Bit of a whirlwind tour through the world of digital forensics incident response and some of the trends we're seeing. I hope that's been interesting. And I'm going to hand over now to the next section, which I think is James.
(DESCRIPTION)
Text: Cyber Risk: "We can make you better at risk." James Doswell. Logo: Travelers.
(SPEECH)
Thank you, both. Good afternoon, everyone.
(DESCRIPTION)
Text: Cyber Risk Mitigation: Some basic steps. A flow chart with three rows of five boxes each, each with an event inside. The arrows point to the right between each step, and at the end of the each row, they point down to the first box in the next row. The first box reads, IT Asset Management, then Framework, then Ways in/out of a company IT architecture, Vendor Control and Access, Principle of Least Privilege (POLP). The next row of boxes reads, Separation of duty on admin accounts, Secure accounts with SSO/MFA/PAM, Endpoint protection via EDR, Patch Management. The last box in the row is in blue. It says, Consider proactive defence. The next row says, Backup immutability, SIEM/Log gathering, Monitoring systems, DR/BC plan with executive buy-in, Cloud layers for DDOS/IPS/DLP.
(SPEECH)
So first of all, how can we actually mitigate some of these risks? How can you and your clients reduce exposure to cyber attacks?
I think, first of all, it's important to note that the scope of insureds' IT environments and operational technology environments can vary extensively. So this, combined with the security culture of firms, can extend through to the various cyber solutions in place, and that can have a significant impact on the security. So some small companies, for example, can be very comprehensive. Some larger ones can be less so, and vice-versa.
Hopefully, when you look at an insured, at least some, if not all of these points are already implemented. And I should point out here that these really are relatively basic requirements that I'm pointing out here. It's very important as part of cyber risk to understand the estate architecture. And it's really down to IT asset management and hardware auditing that carries out this task, first of all.
If you don't know what you have, how can you be sure if it's protected or vulnerable? So it's absolutely integral that clients do understand what they've got in terms of IT, particularly where data is stored. Really useful for the insured is to have a framework. And they should be following that. Cyber Essentials came out reasonably recently. Cyber Essentials Plus is the actual-- the independently audited version of that. Then you've got the more comprehensive audit side of things with ISO 27001, SOC 2, which I kind of view as a living, breathing, everyday application of security. And then you've got the American NIST. And there are several other frameworks as well.
And these provide clear sets of requirements. And they're very much areas for the clients to actually ensure that all of those points are in place. It certainly gives us a very good understanding of their environment.
So it's important to understand potential ways in or out of the organisation. For example, are there multiple offices offering VPN? Are they interconnected so that an attacker could utilise that? If they've compromised one office, could they then traverse globally around the organisation? Is there a small satellite office somewhere that's using an old piece of kit that's been forgotten?
What public facing systems are in place? If that front end website is compromised, does it link back to a database that is internal? A SQL injection attack could then allow an attacker to directly access the core systems.
On the third-party supply chain risk side of things, is there a managed service provider or a vendor who has access into the IT? Quite a common thing. Consider how their access could actually compromise your insured's data-- both they and the firm's own staff. Are they aligned to the principle of least privilege? Are developers, for example, given access to all of the source code or just what they need in order to actually carry out their job?
Perhaps some staff have got local admin permissions unnecessarily. It could be. It's quite a common occurrence for developers to have a local admin. And realistically, that access should be controlled, whether it be a PAM solution or whether it be separation of duty. IP theft is a very regular occurrence.
A common point is the separation of duty. Seeing admin staff with full admin rights on a single everyday user account that they're using rather than having a separate account, which they use when necessary. So that's actually something that's quite serious. It can actually allow compromise of MFA. So if for example, an administrator logs in on the day and they're actually using their account, they happen to click on a phishing link, and they've got administrative rights already on their account running, that effectively gives that attacker administrative access straight away. It's really not a good practice.
Securing accounts with single sign on. And this is something we're seeing more and more. That's really great. MFA is something Travelers definitely look for. We look for the various areas of MFA, not just the VPN remote access, but also protection of backups, internal servers, Active Directory access, email systems, and the network kit itself.
I should point out here that there are different ways of applying MFA. So for example, network kit, quite often, a client may use RADIUS or TACACS solutions, or there could be segmentation of VLANs in place and MFA protected bastion hosts. And they're all equally viable solutions.
So then we have endpoint protection. And there's a multitude of software out there. I won't cover them, but there's multiple ways and multiple solutions available. Some are better than others. One of the issues that we have seen recently is that Black Hat is a very well-known dark web solution that is actually full of the attackers. It's now created a platform that they can use, download exploits, and actually remove some of these solutions. So it's quite serious.
Patch management-- I'm sure you're all only too aware of the vulnerabilities that keep cropping up and the requirement to keep patching software on a never ending cycle. Related to this is something which, other than perhaps email filtering, is not a very often considered practice by companies. Proactive endpoint defence-- and I'll come back to this in a moment.
Backups really are the lifeblood of the company. No backup, it's absolutely integral. In the event of a ransomware event, you either pay and pray or the company probably goes bust. Immutability is what you're looking for with backups. It means that they are not tamperable even by IT staff.
Then we've got SIEM and log gathering. You've got disaster recovery, business continuity, incident management plans. They're all important. It's about getting the data. It's about having a plan, what to do if something is actually detected. If something goes wrong, you need a plan to be able to follow and communicate that and back to the board. And it's important to have that executive level buy in.
And, finally, you've got cloud layer protection. Distributed denial of service-- it came to the forefront, again, recently with Google reporting massive attacks against it. And that's still ongoing. I wouldn't be surprised if this particular method of attack became more prevalent.
It's one of the attacks that's actually really quite hard to defend against without a dedicated cloud layer solution. If you could jump on to the next slide, please.
(DESCRIPTION)
Text: Cyber Risk Mitigation. Two flow charts, one in red and one in green. They both begin with someone using a laptop, then an arrow that points to the right to a desktop computer, with an arrow that points from it to the right to another desktop computer. The first red flow chart, above the first desktop computer it says, Unpatched computer with serious RCE (remote code execution) vulnerabilities. The second computer says above it, Compromised device. In the green flow chart, the first computer is captioned, Unpatched computer with serious RCE (remote code execution) vulnerabilities but proactive defence. The phrase, but proactive defence, is highlighted in yellow. The second computer is captioned, Kernel I/O chain blocks write of executable code to the device regardless of method.
Text: What constitutes proactive defence? Whitelisting software: Microsoft AppLocker, ThreatLocker, CyberLock (previously VoodooShield). More comprehensive solutions: Carbon Black, Abatis HDF (A W E and Life critical).
(SPEECH)
So coming back to proactive defence, every month, we see patches coming out. Clearly, there have been some vulnerabilities there in the software the whole time. Once discovered, but unpatched, these are classed as zero day vulnerabilities. Literally the developer has zero days to patch before they can be used by attackers.
And the problem here is even with ordinary patching, it's the time gap between the vulnerability being discovered and declared publicly. And the patches actually coming out and then actually being applied by the end users. We've already seen cyber attacks using the recent AI. It's allowing attackers to start chaining vulnerabilities together.
And they're going to be able to get faster and faster up to the point that patch application can't keep up. And this is where proactive defence is needed. Eventually, it's going to lead to a compromise of environments, if it's not in place.
Many EDR solutions, and they're good products, they tend to respond to attacks reactively rather than totally blocking. And realistically, what I'm trying to demonstrate here is that with products like Microsoft AppLocker, with Threatlocker, Cyberlock, Carbon Black, Abatis, they are proactive. They will sit on your machine. And they will block unknown executable code. And they just stop that attacker, even if there is a vulnerability there, even if it was Windows XP or Windows 7 and older operating system, legacy solutions, that there are vulnerabilities there, they are potentially blockable.
Yes, I get that there's in-memory attacks and so on. And that's for another day. That's far more complicated. And they're actually very, very complicated to carry out.
So moving on, I'd like to introduce you to the risk team.
(DESCRIPTION)
The Team. Jim Butler, Patrick Dempsey, James Doswell (UK). Footnote text: Supports UK teams, dotted line with US Cyber Risk Management. Text: Rehman Khan, Ken Morrison. Organisations/Business Sectors. FBI, US DoD, US Coast Guard, HTCIA, Financial Sector, Pharmaceutical Sector, Insurance, Academia. Roles: CISO, Executive Director Cyber Defense, Special Agent, Technical Director, VP Information and Cyber Security, VP High Tech Corporate Investigations, Incident Response Manager, Computer Forensics Analyst, Adjunct Professor. Certifications: CISSP, ISSMP, CISM, CISA, CRISC, PCIP, HITRUST, Cisco, GSEC, GCFA, GISP, CEH, AML.
(SPEECH)
So the Travelers risk team consists of Jim, Patrick, myself, Rehman, and Ken. And as you can see, there's quite a background within the security industry between us. And moving on to the next slide, to give you an idea by numbers of what we've actually covered off.
(DESCRIPTION)
Text: By the numbers. Greater than 120-year cumulative experience. Performed greater than 600 risk assessments (2022). Responded to more than 4,000 email requests (2022). 8 separate Travelers Cyber Insurance Business Units. Around 38,000 Cyber Insurance Policyholders worldwide.
(SPEECH)
But combined between us, we've got in excess of 120 years cumulative experience.
Last year, we performed over 600 risk assessments with various clients. In excess of 4,000 email requests were actually responded to. And Travelers, it's a 30,000-person organisation. It's got eight separate cyber security insurance business units to it. And there's approximately 38,000 cyber insurance policyholders worldwide.
Next slide, please.
(DESCRIPTION)
A photo of a laptop on a conference table. Text: Risk Management Team: Focus Points. Here to help with the complex. Previous cyber claims: possibly hard to place business. High or specialist security requirements. Large volumes of Sensitive PII data. Manufacturing: complex environments such as ICS, SCADA, Critical National Infrastructure. Global corporations. Renewals looking to improve their security posture. We can work with the client to better their security within agreed timescales.
(SPEECH)
So what are we focused on? We focus on previous claims, high or specialist security requirements, large volumes of sensitive PII. And this is when we get involved. It could be a complex manufacturing industry. It could be global corporations. And, realistically, we're there to work with the client to understand their environment and to try and help them better the security within an agreed time scale. It means that you, as a broker, can actually get the business placed.
Next slide, please.
(DESCRIPTION)
A photo of someone looking at a web conference call on their laptop. Text: What does a risk call cover? Tailored to the client, but example areas include: Frameworks and policies, organisational considerations, supply chain risk, controls, MFA (suitable setups and alternatives), DR/BC/Incident management, Backup and Recovery (immutability), Timescales and possible solutions recommended.
(SPEECH)
So within a call, here's a rough guide of what we would cover off. They are tailored to the individual clients. Every client has different architecture, different requirements. But there's a real rough guide to what we may cover off. And it's pretty much what I've just covered off with the various frameworks, the organisational considerations, the supply chain controls, MFA, disaster recovery, backup and recovery, and timescales and possible solutions that we can recommend.
Obviously, having dealt with multiple companies, we get that opportunity to understand how one company's fix. And they're able to do something that another company can't. Sometimes we can pass that information across and say, look, this is a really good solution. This works. And sometimes we'll pull it from our security industry contacts.
Next slide, please.
(DESCRIPTION)
Any questions?
(DESCRIPTION)
Chris McMurray
(SPEECH)
So any questions?
I'm just going to say thank you to all our speakers today. I hope you found that informative. And it will help you enable you to have more educated conversations with your clients on the cyber risks that they face and how Travelers can help transfer that risk.
We did have some questions come in during the chat. So if I could put a couple of these to the panel quite quickly, just in the interest of time. One for you, Arran, was on the ICO front. And, obviously, seeing more ICO fines. Are these failings, are they becoming apparent during the investigations, which are then leading to those fines at that point?
(DESCRIPTION)
Arran Roberts
(SPEECH)
So we've seen a couple of fines from the ICO. And we have seen some over the last 12 months or so that have referenced things like policies not really being implemented, there being a cultural issue with compliance that they've really highlighted these issues.
They've also flagged that there is an expectation that these things will be in place. What we've really seen an uptick in from the ICO is reprimands. And they're looking a lot more willing to issue reprimands against companies that they see as failing to meet the required technical and organisational measures.
And they don't necessarily have a fine attached to them. But what they do cause is a bit of a reputational issue because they are published. So it's a bit of a name and shame from the ICO. And it is something that we're expecting to continue to rise.
(DESCRIPTION)
Chris McMurray
(SPEECH)
Thank you Arran. Hopefully, that answers the question. One for-- we'll pass it to you Chris. The social engineering fraud. The questioner has noted that not all insurers provide this cover in cyber policies, which Travelers do. Does this make up a significant proportion of our claims at the moment? And if so, is this something that has been on the increase over the past 12 months or so?
(DESCRIPTION)
Chris Scott
(SPEECH)
Yes, it is, Chris. In terms of percentage basis, social engineering frauds have consistently been about 30% to 40% of our claims make up in the claims portfolio. That has been increasing gradually.
Obviously, we're growing in numbers on the claims portfolio. But the percentage is, like I said, it's top towards the 40% now. And in terms of a severity perspective, I think it falls just behind ransomware as the most severe from a paid out claim. I think it's one that it's going to continue to be there, unfortunately, because the threat actors just continue to evolve and change the way they're committing these social engineering frauds.
I think that's the key part to that one. I think the evolution, as you say, of the type of attack we see in that space is something that it's quite scary to see how that's continued to evolve. And you see, obviously, how the likes of AI technology, perhaps, influence that going forward as well. So certainly, one to keep an eye on.
(DESCRIPTION)
Chris McMurray
(SPEECH)
I'll pick one final one here, if I can just flip to the last slide, which is how we actually get terms from Travelers. So if we can go the last slide, please.
(DESCRIPTION)
Get in touch. Email: cybereurope@travelers.com. Cyber hotline: 0203-207-6530. Website: www.travelers.co.uk/products/cyber-insurance. LinkedIn: www.linkedin.com/company/travelerseurope. Logo: Travelers.
(SPEECH)
Here are our contact details here. So you have our general email address, the cyber hotline, the website, and, obviously, our LinkedIn page there. Feel free to reach out to myself or the team individually also.
I would just like to close by thanking our panel members, again, for their time. And of course, all of you for taking the time to attend. I know it's a very busy time of year, so taking an hour out of your time is greatly appreciated.
I would just say that cyber is an important part of the business here at Travelers. We are a top five market globally by GWP within cyber. We do bring a lot of experience to the market. We do have a market leading proposition, an appetite for risk from SME level right through to large corporate risks on a primary and excess basis.
I'd be more than happy to chat to you further or any clients and their cyber needs. So it really all remains for me to say, again, is thank you very much for your time. And enjoy the rest of your day.
Uncover practical insights on cyber resilience from our recent webinar. Travelers experts, along with guest speakers from Kennedys and Kroll, shed light on current cyber claim trends and evolving threats using industry-specific insights. Learn how our breach response service is helping clients tackle cyber threats head-on, and receive valuable guidance on reducing exposure.