Cyber Risk Industry Focus MUNICIPALITIES

Cyber Risk Industry Focus - optiogroup.com

The Challenge
Over the past year, Municipalities and government entities have been in the news with reports of Cyber attacks and Data Breaches more than at any time in our history.
Municipalities must manage complex infrastructure on ever-stretching budgets while protecting and processing sensitive data for the population of their towns and cities. Active adversaries have become increasingly smart in their tactics for targeting municipalities with headline-grabbing Cyber attacks, whether to steal and extort funds, cause disruption, gain political advantage, or simply earn bragging rights in the hacker community.
These attacks are undertaken by many culprits, ranging from opportunistic individuals to organized groups. Whilst investing in your IT Security is the most comprehensive form of defense, Cyber attacks can also result from an employee error or ‘clicking on a bad link’, so how can you protect yourself against that? Employee security training is one of the most effective methods, but people are ultimately human and can make unintentional mistakes.
Introduction
Municipalities are responsible for vital public services which are critical to the people and businesses in their community. Municipalities can often store large quantities of citizens’ personally identifiable information and sensitive corporate information; both are highly valuable assets for active adversaries looking to steal the data for financial gain. In addition, municipalities are reliant on technology across their infrastructure in order to provide critical local services. As technology becomes more embedded within these organizations, the threat landscape expands and the sophistication of Cyber attacks from active adversaries increases. With data breaches of Cities and Municipalities frequently in the news headlines, attacks can affect these entities for days, weeks and even months afterwards, causing not only a strain on operations but also significant rectification costs, reputational harm, large data losses and interruption to their organization and operations.
One of the most common forms of malicious attack against Municipalities and Government entities is the Ransomware attack. Ransomware is designed to infiltrate an organization's information technology infrastructure and computer networks. Once the active adversary has infiltrated just a single computer terminal or end point, such as a device connected to the network, they are often able to spread ransomware throughout the entirety of the organization's information technology infrastructure. Once the ransomware is activated it instantly blocks (often utilizing encryption) user access to the information technology infrastructure, rendering an organization unable to operate or even communicate. Common outcomes of Ransomware attacks include:
- Ransom demands from the active adversary payable in Bitcoin cryptocurrency in order to regain access to your valuable data. Ascent claims statistics indicate an average demand exceeding one hundred thousand dollars in 2019. Ransom demands however can regularly exceed millions of dollars.
- When ransom demands are not paid this can result in active adversaries publishing your valuable data online, resulting in costly lawsuits from third parties for breaching confidential data in addition to investigations and heavy fines from the Privacy regulator.
- Inability to access critical data, IT systems or networks resulting in total cessation of operations, projects and transactions equating to hundreds or thousands of dollars in costs.
- Additional cost of overtime for employees to respond to the incident, or of costly outsourced IT security to help resolve the incident.
- Reputational damage and the cost of a PR company to manage media and press releases.
- In extreme cases, the corruption of data rendering it unrecoverable, forcing organizations to restore their networks from scratch, suffering downtime and unforeseen overheads as a result.
- The average time to identify and contain a data breach, or the "breach lifecycle," can be more than two hundred and fifty days. Speed of containment can significantly impact breach costs, which can linger for years after the incident.
Common Municipality Cyber Claims
Privacy & Data Exfiltration
Municipalities are often responsible for a number of critical public services. They can therefore often store a high volume of citizens’ sensitive personally identifiable information (PII) in addition to valuable data. This can include, but is not limited to, voting registrations, tax information, licences, fees, planning permissions, permits, municipal transportation data, housing information, credit card details and addresses, to name a few. As such, municipalities are enticing targets for active adversaries looking to steal this data for financial gain. Common outcomes include:
- Employees utilising weak password combinations provide a seamless entry point for an active adversary to access their target's computer networks. Utilising a number of readily available attack methods, active adversaries can gain log in credentials and network access to reach and exfiltrate PII.
- Phishing - One of the most common types of attack, phishing is used by active adversaries in an attempt to gain access to a municipality's networks and confidential information. Often disguised as emails from seemingly trusted sources, these communications contain malicious code embedded in a file that, once opened, will infiltrate your network.
- Employee errors account for more than 70% of all cyber claims. Given the sensitivity of the data stored on file, one email to the incorrect recipient containing PII could result in potential third party liability, legal costs, as well as reputational damage. In addition, the accidental deletion of data and records could result in significant reconstitution and recovery costs.
- Credit card details are highly attractive data for active adversaries, presenting an opportunity to sell them on via illegal websites for illicit purchasers to use fraudulently. The recovery costs would include not only notification costs to affected individuals, but also credit monitoring, often amounting to hundreds of thousands of dollars.
Ransomware, Extortion and Business Interruption
Breach Response 24/7/365
Access Industry Specialist Public Relations Firm
How does a Cyber Policy really work?
Did you know?
• All Ascent Municipality policyholders are eligible for a free one-hour Cyber Security Consultation with our partner Breach Response Specialists.
… better managing a cyber and network security stance
[Diagram: breach response services. Recoverable labels: Provide IT forensic expertise and assistance; Extortion experts who can engage with active adversaries for ransom demands; Specialist public …; Coordinate first …; service providers; notifications; cyber event; complex litigation; vulnerabilities; cybersecurity.]
Public organisations are characterised by tight fiscal constraints, which often correlate with insufficient investment in network security. Coupled with interconnectivity amongst various council sectors, this makes municipalities a prime target for ransomware attacks, and the consequence of ‘turning a blind eye’ to cyber security can be a drastic adverse financial impact.
Over a period of months, an active adversary has noticed a spike in successful, lucrative cyber-attacks within the municipal sector, reported in the press. They have never tried to attack the sector, presenting the perfect opportunity for a new challenge! They trawl the internet, searching for their next target. It is not long before they identify a city with a population of two hundred and fifty thousand people. Like many other municipalities, its responsibilities span social housing, the police force, public transportation, recycling, waste disposal and budgetary control. This provides a range of potential targets to exploit for financial gain. This municipality is particularly enticing, however, as the website makes publicly available the email addresses of all employees within the council.
The active adversary now begins their exploration through the web, and soon identifies a publicly available URL which gives access to an online portal through which council members remotely access their network. Armed with the necessary web address and a number of employee email addresses, the active adversary faces a final challenge: to identify an employee password so that they can access the municipality's networks.
The active adversary launches a brute force attack, a method in which password automation software uses numerous password combinations in rapid succession to try and gain access to the network. Given weak password security, it is not long before an employee password is identified, and the active adversary seamlessly logs in.
Undetected, the active adversary deploys advanced scanning software, an application that reveals potential weaknesses and security vulnerabilities within the network. In particular, the active adversary looks to find the location of any data backups of sensitive information, aware that if they are able to encrypt these, they will have more leverage to demand a ransom payment in exchange for surrender of this valuable information. In this case, the city has failed to save data backups externally, enabling the active adversary to access an archive of personal information and sensitive individual records.
They are now fully equipped to launch their attack! Using a strain of ransomware, a malicious code carefully designed to infiltrate and spread through an organisation's information technology infrastructure and computer networks, the active adversary successfully encrypts 80% of the municipality's networks, including work stations and servers, as well as all of their backups, within 6 hours. The attack is deployed early on a Sunday morning, when the active adversary is confident that there will be limited staff utilising their computers, and few IT personnel on site to remediate.
An employee working over the weekend realises that they are unable to access their account via the remote server and reaches out to the IT manager to escalate the issue. With many people working remotely, the employee is used to glitches in their system, so this does not initially raise any alarm. It is not until they check their emails via their work mobile phone that they notice the ransom note demanding five hundred thousand dollars to be paid in cryptocurrency, in exchange for the decryption of their data. In addition, the note threatens that the active adversary has also gained access to sensitive government data, and that without full compliance they aim to release this on the public internet.
At first, the IT manager is confident that they will be able to restore the systems from backups. They recently tested their backup infrastructure with no reported issues. However, these backups exist on the same network infrastructure that has been infiltrated, so it is fast discovered that they too have been entirely encrypted.
The council now has a number of significant dilemmas at hand:
- They operate under a tight budget, and do not have access to five hundred thousand dollars;
- Even if they were able to obtain the funds, they do not know how to obtain cryptocurrency;
- They hold the confidential data of two hundred and fifty thousand data subjects, which would result in costly notification requirements;
- With the networks encrypted, residents are unable to access online payment systems to pay for things such as parking tickets or water bills;
- Although the networks of the council and the police force are not connected, they are worried that the active adversary will launch another attack.
Financial Loss to company:
$375,000
$200,000
Legal costs and Fees - Costs associated with hiring specialist data and privacy lawyers to determine the extent of any unauthorized access to confidential information, and potential legal liability.
$75,000
Event Support Expenses – Costs to hire a public relations and crisis management firm to mitigate reputational damage and avoid loss of any customers or future business.
$20,000
Notification Costs and Credit Monitoring- Costs to notify the affected data subjects:
$1,200,000
$1,870,000
Network Interruption and Recovery - Ransomware
No matter how much cyber security awareness, training and education is provided, all it takes is one employee to cause an incident. Once access has been gained to an insured’s networks, active adversaries can monitor operations almost undetected while collecting the information required to deploy an attack. Given the expertise of these active adversaries, sufficient cyber insurance is imperative to mitigate against costs incurred.
An employee who works in the government housing sector of a small municipality receives an email from a trusted colleague named Taylor with the subject title: “Employee of the Month: You Have Been Nominated!” Without further thought, they open the email and click on the prompt stating ‘congratulations - find out why you have been nominated’. This then takes them to a new web browser, which prompts them to enter their Office 365 log in credentials.
Unbeknownst to the employee, this email is a cleverly designed baiting e-mail from an active adversary. Baiting attacks target an individual’s curiosity or entice users with a reward for clicking on a link that will trick them into sharing their login credentials. Baiting attacks are commonly found on infected websites and in email communications, and may offer something for free or a financial reward. In this case, a free prompt was enough to entice the employee, and in entering their Office 365 details, they unknowingly handed over their log in credentials to the active adversary. Had the employee hovered their mouse over the sender’s email address they would have spotted that the e-mail address was in fact fraudulent, with [email protected] altered to show [email protected].
The active adversary is now fully equipped to seamlessly log in to the employee's Office 365 account, where they store countless confidential documents in folders and e-mails, containing the personally identifiable information of one hundred thousand citizens within the municipality who rely on government housing. This includes names, email addresses and banking details, amongst others.
As the employee enters their Office 365 log-in details and is not directed to the correct and usual landing page, they become suspicious. They try their password a number of times, certain that the combination is correct, but they are still denied access. Something about this doesn’t seem right, so as a precaution, the employee sends a direct email to their colleague Taylor to verify the validity of the email. It is confirmed to be fraudulent.
Impact:
$55,000
Event Support Expenses – Costs to hire a public relations and crisis management firm to mitigate reputational damage and avoid loss of any customers or future business.
$20,000
Legal costs and Fees - Costs associated with hiring specialist data and privacy lawyers to determine the extent of any unauthorized access to confidential information, and potential legal liability.
$75,000
Total Loss covered by Ascent CyberPro insurance: $150,000
If the department had installed multifactor authentication for employees logging in to their work account then this compromise wouldn’t have been so easy! Unfortunately, it is fast discovered that the active adversary has successfully accessed the employee's account.
Immediately, the employee changes their log in details, blocking future access by the active adversary. The incident was escalated immediately and the IT manager is confident that the active adversary would not have had enough time to access any confidential information; however, a specialist IT forensic team is contacted to verify this.
While no confidential information was accessed in this incident, the forensic investigators still needed to verify that no data had been exfiltrated. This is a costly operation, far exceeding the department's annual cyber security budget.
Ascent’s Cyber Policy provides a 24/7 incident response hotline, forensic investigators and experienced vendors specialising in credit monitoring and notification services in the event of a security and privacy incident.
CLAIMS SCENARIOS
Security and Privacy
At least half of all Municipality and Government Entity claims triggered Ascent’s Cyber Policy Security and Privacy module, with many of these incidents involving a data breach of sensitive or valuable Personally Identifiable Information (PII) of third parties. Many of these incidents were the result of phishing attacks or employee errors.
Network Interruption and Recovery
Nearly one third of all Municipality and Government Entity attacks triggered Ascent’s Cyber Policy Network Interruption and Recovery module, with many losses due to ransomware, malware infections and phishing scams, resulting in long periods of disruption and network outages.
Social engineering
Successful social engineering losses were the third highest reported claim for Municipality and Government Entities that triggered Ascent’s Cyber Policy Social Engineering module.
Losses for Social Engineering can range from a few thousand to many millions of dollars, but are regularly seen between $150,000 and $225,000.
Other general observations
- Since 2014, Ascent has seen an estimated 233% increase in the frequency of reported Cyber attacks against Municipalities and Government entities.
- Class Actions are on the rise for data breaches of Municipalities and Government Entities potentially costing thousands and even millions of dollars.
[Chart: claims by category: 50%, 31%, 12% and 7% (Other).]
Optio brings together the specialist expertise of Ascent Underwriting, Cove Programs and Bay Risk Services to create one of the largest independently owned specialty MGAs, managing in excess of $250 million GWP.
We are here to drive innovation in insurance to manage risk more effectively. By harnessing expertise and embracing technology, we strive to evolve with the needs of our business partners.
Using a combination of technology and market specialists, we create new products, services and solutions that bring efficiency to the market. With an open culture and unified approach, our people aim to form strong, long-term relationships with business partners so we can exceed expectations every time.
Products available: