The Challenge
Over the past year, Municipalities and government
entities have increasingly been in the news with reports of Cyber
attacks and Data Breaches more so than ever seen before in our
history.
Between the management of complex infrastructure, ever stretching
budgets and the responsibility of protecting and processing
sensitive data for the population of their towns and cities, active
adversaries have increasingly become smarter in their tactics for
targeting municipalities with headline-grabbing Cyber attacks. This
is with the purpose of stealing and extorting funds, causing
disruption, for political advantage, or simply for bragging rights
in the hacker community.
These attacks are being undertaken by many culprits ranging from
opportunistic individuals, to organized groups. Whilst investing in
your IT Security is the most comprehensive form of defense, Cyber
attacks can also be caused as a result of an employee error or
‘clicking on a bad link’- so how can you protect yourself against
that? Employee security training is one of the most effective
methods, but people are ultimately human and can make unintentional
mistakes.
Introduction
Municipalities are responsible for vital public
services which are critical to the people and businesses in their
community. Municipalities can often store large quantities of
citizens’ personally identifiable information and sensitive
corporate information; both highly valuable assets for active
adversaries, looking to steal the data for their financial gain. In
addition, municipalities are reliant on technology across their
infrastructure in order to provide critical local services. As
technology becomes more embedded within these organizations, so
increases the threat landscape and sophistication of Cyber attacks
from active adversaries. With data breaches of Cities and
Municipalities frequently in the news headlines, attacks can often
affect these entities for days, weeks and even months later causing
not only a strain on operations but significant rectification
costs, reputational harm, large data losses and interruption to
their organization and operations.
MUNICIPALITIES
One of the most common forms of malicious attacks for
Municipalities and Government entities are Ransomware Attacks.
Ransomware is designed to infiltrate an organization’s information
technology infrastructure and computer networks. Once the active
adversary has infiltrated just one single computer terminal or end
point such as devices connected to the network they often are able
to spread ransomware throughout the entirety of the organizational
information technology infrastructure. Once the ransomware is
activated it instantly blocks (often utilizing encryption) user
access to the information technology infrastructure, rendering an
organization unable to operate or otherwise even communicate.
Common outcomes of Ransomware attacks include:
- Ransom demands from the active adversary payable in Bitcoin
cryptocurrency in order to regain access to your valuable data.
Ascent claims statistics indicate an average demand exceeding one
hundred thousand dollars in 2019. Ransom demands however can
regularly exceed millions of dollars.
- When ransom demands are not paid this can result in active
adversaries publishing your valuable data online, resulting in
costly lawsuits from third parties for breaching confidential data
in addition to investigations and heavy fines from the Privacy
regulator.
- Inability to access critical data, IT systems or networks
resulting in total cessation of operations, projects and
transactions equating to hundreds or thousands of dollars in
costs.
- Additional cost of overtime for employees to respond to the
incident or costly outsourced IT security to help resolve the
incident.
- Reputational damage and a cost of a PR company to manage media
and press releases.
- In extreme cases, the corruption of data rendering it
unrecoverable, forcing organizations to restore their networks from
scratch, suffering downtime and unforeseen overheads as a
result.
- The average time to identify and contain a data breach, or the
"breach lifecycle," can be more than two hundred and fifty days.
Speed of containment can significantly impact breach costs, which
can linger for years after the incident.
Common Municipality Cyber Claims
Privacy & Data Exfiltration
Municipalities are often responsible for a number of critical
public services. They can therefore often store a high volume of
citizens’ sensitive personally identifiable information (PII) in
addition to valuable data. This can often include, but is not
limited to, voting registrations, tax information, licences, fees,
planning permissions, permits, municipal transportation data,
housing information, credit card details and addresses, to name a
few. As such, municipalities are enticing targets for active
adversaries, looking to steal this data for financial gain. Common
outcomes include:
- Employees utilising weak password combinations provide a seamless
entry point for an active adversary to access their target’s
computer networks. Utilising a number of readily available attack
methods, active adversaries can gain log in credentials and network
access to access and exfiltrate PII.
- Phishing - One of the most common types of attacks, phishing
attacks are used by active adversaries in an attempt to gain access
to a municipality’s networks and access confidential information.
Often disguised in the form of emails from seemingly trusted
sources, these communications contain malicious code embedded in
the file that once opened, will infiltrate your network.
- Employee errors account for more than 70% of all cyber claims.
Given the sensitivity of the data stored on file, one email to the
incorrect recipient containing PII could result in potential third
party liability, legal costs, as well as reputational damage. In
addition, the accidental deletion of data and records, could result
in significant reconstitution and recovery costs.
- Credit card details are highly attractive data for active
adversaries, presenting an opportunity to sell on via illegal
websites for illicit purchasers to fraudulently use. The recovery
costs would include not only notification costs to affected
individuals, but also credit monitoring, often amounting to
hundreds of thousands of dollars.
Ransomware, Extortion and Business Interruption
Breach Response 24/7/365
Access Industry Specialist Public Relations Firm
How does a Cyber Policy really work?
Did you know?
• All Ascent Municipality policyholders are eligible for a free one-hour
Cyber Security Consultation with our partner Breach Response
Specialists.
[Graphic: breach response services, including:]
Provide IT forensic expertise and assistance
Extortion experts who can engage with active adversaries for ransom
demands
Public organisations are characterised by tight fiscal constraints,
which often correlates with insufficient investment in network
security. Coupled with interconnectivity amongst various council
sectors, municipalities are a prime target for ransomware attacks
and the consequence of ‘turning a blind eye’ to cyber security can
have a drastic adverse financial impact.
Over a period of months, an active adversary has noticed a spike in
successful lucrative cyber-attacks within the municipal sector,
reported in the press. They have never tried to attack the sector,
presenting the perfect opportunity for a new challenge! They trawl
the internet, searching for their next target. It is not long
before they identify a city, with a population of two hundred and
fifty thousand people. Like many other municipalities, its
responsibilities span social housing, the police force, public
transportation, recycling, waste disposal and budgetary control.
This provides a range of potential targets to exploit for financial
gain. This municipality is particularly enticing however, as the
website makes publicly available the email addresses of all
employees within the council.
The active adversary now begins their exploration through the web,
and soon identifies a publicly available URL which gives access to
an online portal through which council members remotely access
their network. Armed with the necessary web address, and a number
of employee email addresses, the active adversary faces a final
challenge- to identify an employee password so that they can access
the municipality’s networks.
The active adversary launches a brute force attack, a method in
which password automation software uses numerous password
combinations in rapid succession to try and gain access to the
network. Given weak password security, it is not long before an
employee password is identified, and the active adversary
seamlessly logs in.
Undetectable, the active adversary deploys advanced scanning
software- an application that reveals potential weaknesses and
security vulnerabilities within the network. In particular, the
active adversary looks to find the location of any data backups of
sensitive information, aware that if they are able to encrypt
these, they will have more leverage to demand a ransom payment in
exchange for surrender of this valuable information. In this case,
the city has failed to save data backups externally, enabling the
active adversary to access an archive of personal information and
sensitive individual records.
They are now fully equipped to launch their attack! Using a strain
of ransomware, a malicious code carefully designed to infiltrate
and spread through an organisation’s information technology
infrastructure and computer networks, the active adversary
successfully encrypts 80% of the municipality’s networks including
work stations and servers, as well as all of their backups
within 6 hours. The attack is deployed early on a Sunday morning,
when the active adversary is confident that there will be limited
staff utilising their computers, and few IT personnel on site to
remediate.
An employee working over the weekend realises that they are unable
to access their account via the remote server and reaches out to
the IT manager to escalate the issue. With many people working
remotely, the employee is used to glitches in their system, so this
does not initially raise any alarm. It is not until they check
their emails via their work mobile phone that they notice the
ransom note demanding five hundred thousand dollars to be paid in
cryptocurrency, in exchange for the decryption of their data. In
addition, the note threatens that the active adversary has also
gained access to sensitive government data, and without full
compliance they aim to release this on the public internet.
At first, the IT manager is confident that they will be able to
restore the systems from backups. They recently tested their
backup infrastructure with no reported issues. However, these backups
exist on the same network infrastructure that has been infiltrated,
so it is fast discovered that they too have been entirely
encrypted.
The council now has a number of significant dilemmas at hand:
- They operate under a tight budget, and do not have access to five
hundred thousand dollars;
- Even if they were able to obtain the funds, they do not know how
to obtain cryptocurrency;
- They hold the confidential data of two hundred and fifty thousand
data subjects which would result in costly notification
requirements;
- With the networks encrypted, online residents are unable to access
online payment systems to pay for things such as parking tickets or
water bills;
- Although the networks of the council and the police force are not
connected, they are worried that the active adversary will launch
another attack.
Financial Loss to company:
$375,000
$200,000
Legal costs and Fees - Costs associated with hiring specialist data
and privacy lawyers to determine the extent of any unauthorized
access to confidential information, and potential legal
liability: $75,000
Event Support Expenses – Costs to hire a public relations and
crisis management firm to mitigate reputational damage and avoid
loss of any customers or future business: $20,000
Notification Costs and Credit Monitoring - Costs to notify the
affected data subjects: $1,200,000
$1,870,000
Network Interruption and Recovery - Ransomware
No matter how much cyber security awareness, training and education
is provided, all it takes is one employee to cause an incident.
Once access has been enabled to an insured’s networks, active
adversaries can monitor operations almost undetected while
collecting the information required to deploy an attack. Given the
expertise of these active adversaries, sufficient cyber insurance
is imperative to mitigate against costs incurred.
An employee who works in the government housing sector of a small
municipality receives an email from a trusted colleague named
Taylor with the subject title: “Employee of the Month: You Have
Been Nominated!” Without further thought, they open the email and
click on the prompt stating ‘congratulations- find out why you have
been nominated’. This then takes them to a new web browser, which
prompts them to enter their Office 365 log in credentials.
Unbeknownst to the employee this email is a cleverly designed
baiting e-mail from an active adversary. Baiting attacks target an
individual’s curiosity or entice users with a reward for clicking
on a link that will trick users into sharing their login credentials.
Baiting attacks can commonly be found on infected websites and
email communications and may offer something free or for financial
rewards. In this case, a free prompt was enough to entice the
employee, and in entering their Office365 details, they unknowingly
handed over their log in credentials to the active adversary. Had
the employee hovered their mouse over the sender’s email address
they would have spotted that the e-mail address was in fact
fraudulent- with
[email protected] altered to show
[email protected].
The active adversary is now fully equipped to seamlessly log in to
the employee’s Office 365 account, where they store countless
confidential documents in folders and e-mails, containing the
personally identifiable information of one hundred thousand
citizens within the municipality who rely on government housing.
This includes names, email addresses and banking details, amongst
others.
As the employee enters their Office 365 log-in details, and has
not been directed to the correct and usual landing page, they
become suspicious. They try their password a number of times,
certain that the combination is correct, but they are still denied
access. Something about this doesn’t seem right, so as a
precaution, the employee sends a direct email to their colleague
Taylor to verify the validity of the email. It is confirmed to be
fraudulent.
Impact:
$55,000
Event Support Expenses – Costs to hire a public relations and
crisis management firm to mitigate reputational damage and avoid
loss of any customers or future business: $20,000
Legal costs and Fees - Costs associated with hiring specialist data
and privacy lawyers to determine the extent of any unauthorized
access to confidential information, and potential legal
liability: $75,000
Total Loss covered by Ascent CyberPro insurance: $150,000
If the department had installed multifactor authentication for
employees logging in to their work account then this compromise
wouldn’t have been so easy! Unfortunately, it is fast discovered
that the active adversary has successfully accessed the employee’s
account.
Immediately, the employee changes their log in details, blocking
future access to the active adversary. The incident was escalated
immediately and the IT manager is confident that the active
adversary would not have had enough time to access any confidential
information, however a specialist IT forensic team are contacted to
verify this.
While no confidential information was accessed in this incident,
the forensic investigators still needed to verify that no data had
been exfiltrated. This is a costly operation, far exceeding the
department’s annual cyber security budget.
Ascent’s Cyber Policy provides a 24/7 incident response hotline,
forensic investigators and experienced vendors specialising in
credit monitoring and notification services in the event of a
security and privacy incident.
CLAIMS SCENARIOS
Security and Privacy
At least half of all Municipality and Government Entity claims
triggered Ascent’s Cyber Policy Security and Privacy module with
many of these incidents involving a data breach of sensitive or
valuable Personal Identifiable Information (PII) of third parties.
Many of these incidents were as a result of phishing attacks or
employee errors.
Network Interruption and Recovery
Nearly one third of all Municipality and Government Entity attacks
triggered Ascent’s Cyber Policy Network Interruption and Recovery
module with many losses due to ransomware, malware infections,
phishing scams, resulting in long periods of disruption and network
outages.
Social engineering
Successful social engineering losses were the third highest
reported claim for Municipality and Government Entities that
triggered Ascent’s Cyber Policy Social Engineering module.
Losses for social engineering can range from a few thousand to
many millions of dollars, however can be regularly seen between
$150,000-$225,000.
Other general observations
- Since 2014, Ascent has seen an estimated 233% increase in the
frequency of reported Cyber attacks against Municipalities and
Government entities.
- Class Actions are on the rise for data breaches of Municipalities
and Government Entities potentially costing thousands and even
millions of dollars.
[Chart: 50% / 31% / 12% / 7% / Other]
Optio brings together the specialist expertise of Ascent
Underwriting, Cove Programs and Bay Risk Services to create one of
the largest independently owned specialty MGAs, managing in excess
of $250 million GWP.
We are here to drive innovation in insurance to manage risk more
effectively. By harnessing expertise and embracing technology, we
strive to evolve with the needs of our business partners.
Using a combination of technology and market specialists, we create
new products, services and solutions that bring efficiency to the
market. With an open culture and unified approach, our people aim
to form strong, long-term relationships with business partners so
we can exceed expectations every time.
Products available: