Ransomware Payments Are On the Rise

In March of this year, CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million to regain control of its network after a ransomware attack. The Chicago-based company reportedly paid hackers two weeks after a large amount of company data was stolen. CNA officials were also locked out of their own network, according to individuals familiar with the attack, neither of whom was authorized to discuss the matter publicly.

CNA did release a formal statement saying the company consulted and shared intelligence with the FBI and the Treasury Department’s Office of Foreign Assets Control about the attack and the hacker’s identity. The Treasury Department said last year that facilitating ransom payments to hackers could pose sanctions risks.

Ransom Payment Trend

Because companies rarely disclose ransomware attacks or payments, it is difficult to know actual past payments. According to Palo Alto Networks, the average payment in 2020 was $312,493, a 171% increase over the prior year. The $40 million payment by CNA is bigger than any previously disclosed payments to hackers, according to three people familiar with ransomware negotiations.

Ransomware demands have increased exponentially in the last six months, according to Melissa Hathaway, president of Hathaway Global Strategies and a former cybersecurity adviser to Presidents George W. Bush and Barack Obama.

The average ransom demand is now between $50 million and $70 million, Hathaway said. While those demands are often negotiated down, she stated that companies are frequently paying ransoms in the tens of millions of dollars, in part because cyber insurance policies cover some of the cost.

A task force of security experts and law enforcement agencies estimated that victims paid about $350 million in ransom last year, a 311% increase over 2019. The task force recommended 48 actions the Biden administration and private sector could take to mitigate such attacks, including better regulation of the digital currency market used to make ransom payments.

The task-force report, prepared by the Institute for Security and Technology, was delivered to the White House days before Colonial Pipeline Co. was compromised in a ransomware attack.  Bloomberg reported that Colonial paid the hackers nearly $5 million shortly after the attack.

What Is Ransomware?

Ransomware is a type of malware that encrypts a victim’s data and demands a payment to unlock access to it. Cybercriminals also use ransomware to steal data. The hackers then ask for a payment to unlock the files and promise not to leak stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom, according to cybersecurity experts.

The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts. Evil Corp. was sanctioned by the U.S. in 2019. Unfortunately, it is difficult to pinpoint blame as hacking groups share code or sell malware to one another.

Phoenix Locker appears to be a variant of Hades based on overlap of the code used in each, according to Barry Hensley, chief threat intelligence officer of cybersecurity firm Secureworks Corp. “We have a high degree of confidence this is a Hades variant,” Hensley said. He said they have not determined which hackers used the Hades variant to attack CNA.

Hades was created by Evil Corp. to bypass U.S. sanctions placed on the hacking group, according to research published in March by the cybersecurity firm CrowdStrike Holdings Inc.

CNA, which offers cyber insurance, said its investigation concluded that the hackers were a group called Phoenix, which is not yet subject to U.S. sanctions.

The average ransom demand is now between $50 million and $70 million, subject to negotiation. Companies are frequently paying ransoms in the tens of millions of dollars, in part because cyber insurance policies cover some or all of the cost.

Aspen Insurance Agency is in Denver, CO, and services clients nationwide. We are a family run business working with multiple insurance carriers to offer our customers the coverage they need at the lowest possible cost. We offer a wide range of personal, commercial, and professional insurance to residential and commercial customers enabling the cheapest rates available. Call to speak to one of our insurance professionals and see how painless insurance shopping can be.

Protecting From Cyber Attacks

Computers are everywhere: homes, businesses, libraries, schools, even in your pocket, if you own a smartphone. Computers are used for entertainment, business operations, navigation, government administration, heating, and cooling: the list goes on and on. As ubiquitous as computers have become, criminals are increasingly attempting to extort money or use our personal information to create a duplicate of our identity, destroying our finances through impersonation.

Rise in Computer Crime

Computer crime is not decreasing:

  • In 2020, 300 million people were affected by data breaches: 80% of the nation’s population.
  • 91% of organizations experienced at least one damaging cyber attack over the past two years. 60% had two or more over the past two years.
  • 1 in 4 businesses experienced a cyber event in 2020.
  • Ransomware attacks (where villains lock computers until a ransom is paid for release) exceeded one million dollars in 2018; in 2020, the figure was more than $30 million!

As a result of the rise in computer crime, 78% of risk managers now purchase some level of cyber insurance, up from 34% in 2011.

Business Cyber Protection

Because the majority of cyber criminals are overseas, where law enforcement may not be able to reach them, business owners may want to evaluate their internal business cyber protection. Even well-defended companies experience cyber losses. What can a business owner do?

First and foremost, each business owner should have a robust cyber security plan in place, one that is continually updated as criminals wield new weapons.

To begin with:

Maintain A Robust Perimeter Defense: Many networked computer systems are protected by a firewall: think of a firewall as the castle wall. The wall keeps invaders out, allowing entry only through a protected gate. The firewall is absolutely the first line of defense. However, be concerned if it is the only line of defense. If the walls are breached, invaders may be inside with complete access to customer data and individual computers.

Change Passwords every 30 days: Over 55% of unauthorized access is from “spoofing” a legitimate user. Criminals have become sophisticated in their use of social media and publicly available information to induce employees to click on links that install malware on your systems. Such malware lies hidden, tracking every keystroke, including the capture of passwords, customer social security numbers and birthdates, and a lot more. Changing passwords reduces a criminal’s ability to impersonate your employees.

Install Anti-virus Security Solutions: Install products such as Norton or McAfee on all computers and keep the software up to date. In 2020, 360,000 new malicious files were detected each day. Current antivirus software will capture and isolate a malicious file for review and deletion before it inflicts damage.

Restrict Browsing: Every company uses internet browsing for business purposes. However, criminals will upload malware made to appear as a seemingly innocent picture or video (cute kittens, romping puppies!) which, when clicked upon, is designed to infect the computer without the user’s knowledge, then seek and infect other computers on your network.

Minimizing Risk of Cyber Attacks

Six of ten small to medium-sized businesses (under $250 million annual revenue) have no cyber insurance protection. Business owners should consider the cost of losing all business data or paying a ransom for locked-out computers and the impact these situations represent. Consider investing in risk management protection by expanding coverage such as:

  • Breach Response Costs
  • Cyber Extortion/Ransom
  • Business/Dependent Business Interruption
  • Systems Failure/Dependent Systems Failure
  • Digital Asset Recovery
  • Cyber Crime (Social Engineering, Funds Transfer Fraud)
  • Bricking

Speak to your Aspen Insurance industry expert to discuss possible options for expanding your cyber security insurance and general liability insurance.

5 Most Common Business Lawsuits

The United States is a litigious society: every business must be aware of and protected from suits brought for any number of reasons. However, there are five types of suits more common than all others. Most, though not all, may be covered by insurance.

1. Employment Discrimination and Wrongful Termination

Many lawsuits filed against businesses are based on allegations of discrimination, harassment, retaliation, or wrongful termination. Most workers are protected from these acts by federal anti-discrimination laws, including:

  • Title VII of the Civil Rights Act: Bars employers from discriminating against workers based on sex, race, religion, color, or national origin.
  • Pregnancy Discrimination Act: Prevents employers from discriminating against a woman because of pregnancy or a related condition.
  • Equal Pay Act: Requires employers to pay men and women the same wages if they perform equal work in the same workplace.
  • Age Discrimination in Employment Act: Prohibits employers from discriminating against employees ages 40 or older based on their age.
  • Title I of Americans With Disabilities Act (ADA): Prohibits discrimination against qualified employees who have a disability.

Many states have enacted their own anti-discrimination laws protecting workers. Both state and federal laws apply to applicants for employment as well as employees.

Harassment – Retaliation – Wrongful Termination

Harassment and retaliation are forms of discrimination. Harassment is defined as unwelcome conduct based on race, color, religion, sex (including pregnancy), national origin, age, disability, or genetic information. In a harassment claim, the alleged perpetrator is often a manager or co-worker; the plaintiff claims they reported the harassment to the employer who failed to stop it.

Retaliation is the termination, demotion or other action taken by an employer to punish the employee for filing a discrimination complaint or lawsuit.

Wrongful termination is firing an employee in violation of the law. Most wrongful termination claims against employers are based on allegations of discrimination, for instance firing an employee due to their age.

Small businesses are typically more vulnerable to employment-related lawsuits. Many small companies do not employ human resources professionals to ensure internal personnel actions comply with federal and state laws.

Claims alleging discrimination and other employment-related acts may be insured under an Employment Practices Liability (EPL) policy.

2. Discrimination Suits Not Based on Employment

Not all discrimination suits are brought by employees. Suits may be filed by customers, suppliers, patients, vendors, and other individuals with a connection to the business. For instance, a foreign-born customer sues a restaurant for discrimination, alleging the wait staff made derogatory remarks about her native country and then refused to serve her.

Some EPL policies cover discrimination claims filed by individuals who are not employees.

3. Wage Law Violations

Many lawsuits filed against employers are based on allegations that the employer violated a federal, state, or local wage law. These laws are collectively called wage and hour laws.

The Fair Labor Standards Act (FLSA) sets the federal minimum wage. It also governs child labor, recordkeeping, and overtime pay. The FLSA creates two categories of workers, exempt and nonexempt. Generally, nonexempt employees are eligible for overtime pay while exempt workers are not. Many states and municipalities have enacted their own laws regarding wages and overtime pay.

Wage and hour suits are often based on claims that the employer failed to pay either the minimum wage or overtime pay. Workers may also contend that the employer avoided paying overtime by misclassifying them as independent contractors.

Suits based solely on allegations of wage and hour law violations are not likely to be covered by insurance. These types of lawsuits are not covered by general liability policies and are specifically excluded from employment practices and directors and officers liability policies.

4. Torts

Many suits filed against businesses by third parties are based on torts: violating a person’s civil rights. Two types of torts may lead to lawsuits against businesses: unintentional torts (negligence) and intentional torts.

Negligence committed by a business owner or employee may lead to an accident that causes personal injuries or damages personal property. The injured party may sue the business or the employee for bodily injury or property damage. Intentional torts like false arrest and wrongful eviction can also generate suits against businesses.

Claims against a business for bodily injury or property damage may be covered under a general liability policy. Claims based on certain types of intentional torts are also covered by liability policies under personal and advertising liability coverage.

5. Breach of Contract

A business owner breaches a contract when he or she fails to comply with its terms. Most claims based solely on breach of contract are not typically covered by liability policies. Employers still may be able to avoid the risk of non-performance through the purchase of a surety bond.

We recommend discussing risk management and mitigation protection with your Aspen Insurance Advisor who can give trusted advice on protections for yourself and your business through small business insurance.

Commercial Business Insurance Saved My Company

By: Jennifer Hanzlick, Owner of Clutter Trucker

How a Commercial Insurance Policy Saved My Business
Let’s face it. Unless you work in the insurance industry, you probably get bored stiff whenever someone brings up the topic. Plus, whenever you are in a position where you must purchase a policy, like for your car or home, you might skip through the fine print, ask for “minimum legal coverage” to keep the state or your mortgage holder happy and sign the forms. I used to be that way too, until I became a business owner.

Reading the Fine Print Pays Off
After putting my life savings into equipment, supplies, a lease contract for office space, and advertising, I quickly realized that insurance coverage was my best friend. How did that happen? Well, for starters, I decided to read the fine print of the business insurance policy that was in front of me.
It took a couple of hours, and a huge magnifying glass because the policy documents were not online. But the effort was worth it. I soon discovered that this inexpensive policy included financial protection for me in all sorts of situations. So, I opted for what’s called a “BOP” or a business owner’s policy.

It cost a bit more than minimal coverage but offered protection against things like property theft, equipment breakdown, employee accidents, data hacking, business interruption, general liability claims, and much more. The BOP is a smart way to get an entire package of insurance coverage at a reasonable cost because you’re essentially buying policies “in bulk,” the way you’d save at a wholesale club if you purchased a 10-pound jar of peanut butter.

That was the first eye-opener for me: reading the policy cover-to-cover. The small amount of money I spent for the coverage protected my life savings, in other words, my business, from just about every type of accident or case of bad luck under the sun.

Don’t Let Stolen Equipment Ruin Your Day
The next thing that turned me into a “true believer” in the power of insurance was something that happened to me on an otherwise beautiful summer day.

After cleaning a rather large home on one of the first jobs I had after opening my company’s doors, my co-worker and I noticed something. During a three-minute interval, while we were finishing up client paperwork, about $4,000 worth of equipment was snatched from our truck. Someone had been watching us, sneaked up to the vehicle while we were occupied, bashed out a window, and made off with two very pricey cleaning machines.

What’s the good news? The commercial property section of my insurance policy covered that stolen equipment. Of course, I filed a police report, but the items never showed up. However, after I provided all the documentation to my insurance carrier, they reimbursed me within 24 hours.

That policy saved me from shelling out several thousand dollars on new equipment when my company was new, and I didn’t have many clients yet. It would have been an extreme financial hardship for me if I hadn’t had commercial property coverage within my BOP, business owners policy.

My Comeback From a Hack Attack
Since then, my BOP insurance coverage has saved the day in other, smaller ways. Once, for example, my company lost all its online access for two days due to a widespread server shutdown. That meant our computer systems, which we use for quality control, client follow-up, and job tracking were completely down. A two-day business interruption like that can be costly for a small entrepreneur with a loyal client base and a small workforce.
However, my Business Owners Policy reimbursed us for financial losses incurred due to the downtime covered under the cyber insurance clause of the insurance contract. It turned out that the server failure was due to a massive computer hacking incident. Cyber insurance covers situations just like that.

Long story short: an anonymous hacker was able to knock out thousands of computers in a four-state region but couldn’t stop my business from continuing to make a profit. Cyber insurance is one of the newer types of business coverage and is well worth it, in my opinion. Hacking is becoming more common, so it’s a good thing the insurance industry offers this kind of protection.

Sleep is Sweet, and Highly Underrated
Never underestimate the power of insurance coverage. If you’re like me, it could save your financial life and help keep your company rolling along and earning a living no matter what happens. The other bonus is hard to prove, but I believe it: if you have an excellent business insurance policy you’ll be able to sleep very well at night.

I think insurance professionals should add restful sleep right into the paperwork as a policy benefit. All joking aside, if you own a business, shop for the best coverage you can get. You won’t regret it.

Jennifer Hanzlick is an Entrepreneur, Speaker and Hoarding Expert. She was inspired to create a business to help people remove the junk and clutter from their homes. She found out many people are overwhelmed with the amount of clutter or junk in their homes. They want to get rid of it but don’t know where to start and need extra help. And this is how Clutter Trucker was born!

Disclaimer: This post is to be used for informational purposes only. Each person should consult their insurance or business advisor with respect to matters referenced.

If you are searching for Business Insurance reach out to us. With a variety of coverage options such as commercial auto, general liability, cyber liability, commercial insurance for truckers, business owner policies and much more we are able to provide you with a policy specific to your company’s needs.