Q3 Cyber Threat Report: The Ransomware Ecosystem is Increasingly Distributed
In 2023, over 102.4 million records were breached via ransomware attacks on tech companies. That’s the highest number recorded across any industry, according to Comparitech’s worldwide ransomware tracker.
It’s safe to say that it isn’t an easy time to keep up with digital risk. To help our broker partners and their clients stay informed (and prepared!), Corvus’s Tech E&O underwriters are keeping an eye on what’s next for the Tech E&O market.
Mass vulnerability exploits are casting a wide net of victims — a particular concern for tech companies facing downstream risk.
Privacy litigation is on the rise and technology companies are facing increased scrutiny over how they’re handling consumer data.
As digital risks continue to evolve, underwriting and claims teams with significant Cyber and Tech E&O experience are uniquely equipped to walk you and your clients through every stage of their policy (and ensure you get the coverage and protection you need).
In 2023, we experienced a “new normal” of ransomware. More than 300 victims were posted to leak sites each month, shattering previous record highs. A contributing factor to the heightened activity was a series of successful vulnerability exploits, especially zero-days.
In prior years, our claims data pointed to spearphishing — a form of phishing in which individuals are targeted with a specific message — as the leading method of initial entry for threat actors. But ransomware groups are now reaping the rewards of more concentrated efforts. Just one mass exploit can equal immediate access to thousands of victims, and after CitrixBleed, GoAnywhere, and MOVEit (to name a few), security teams were stretched to their limit last year.
Technology companies represented 7.9% of all ransomware victims in 2023, second only to the Manufacturing industry. Through the exploit of MOVEit alone, the ransomware gang CL0P was able to access data from IT giants such as IBM, Cognizant, and Deloitte. By targeting widely used products, such as Progress’ managed file transfer software, MOVEit, threat actors are casting a wide (and often fruitful) net. But for many organizations in the tech industry, the risk is twofold.
Technology companies rely on software for day-to-day business, but many also create and manage their own software and digital tools. What if there is an unknown vulnerability that makes them, and all of their customers, the next target?
For technology companies looking to combat rising cybercrime, it isn’t just about protecting themselves. At the end of the day, they’re responsible for the security of the products they develop and sell. Welcome to downstream risk.
Naturally, the Cybersecurity and Infrastructure Security Agency (CISA) didn’t miss the events that unfolded over the last year. It’s not new; downstream risk has plagued cybersecurity experts (and victims) for years, with high-profile attacks such as Kaseya and SolarWinds long before MOVEit.
But with so many high-profile victims, the MOVEit exploit was unprecedented in scale — and much of that is due to the organizations caught in the crosshairs. Over 2,700 organizations were impacted, but many of those never even touched the exploited software. For example, when National Student Clearinghouse (an educational reporting non-profit) was breached, it unwittingly exposed data from over 1,000 downstream U.S. colleges.
That’s the kind of scenario CISA is looking to prevent. But the onus of responsibility is falling on the shoulders of tech companies with new “Secure by Design” security recommendations, which ask that organizations take ownership of the security outcomes of their customers.
With heightened risk and heightened responsibility on the horizon, there’s never been a better time for technology companies to invest in their security controls and overall cybersecurity strategies.
In 2022, pixel technology made headlines when reports cited that 30 percent of the top 100,000 websites sent customer data back to Meta. Long story short, unseen JavaScript code was transmitting (sometimes) personal information back to Meta for tracking and advertising purposes. This was a problem, of course, when it was revealed that one-third of the top 100 hospitals in the United States were sending patient data back to a third-party platform.
And it wasn’t just Meta’s pixel. Class action lawsuits have cited the use of cookies, tracking technology, analytics tools — anything that is allegedly collecting data without user consent.
Since then, the Federal Trade Commission and the U.S. Department of Health and Human Services Office for Civil Rights (OCR) have issued clear guidance in regards to protecting private health data: “Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information.”
At the end of 2023, there were 265 lawsuits filed that raised privacy concerns related to the plaintiffs’ use of ad-tracking technology. Now, the entire tech industry is under a microscope when it comes to how they are obtaining and using consumer data.
Yes, tech giants like Google, Amazon, and Meta are responsible for most of the noise, but the expectations for “data dignity” apply to everyone. Gone are the days of believable ignorance.
There’s a demand for more transparency around data. Users should be informed about what information is being collected, how it’s being used, and who it’s being shared with.
As technology companies look for the right coverage options, they’ll most likely be asked to answer longer questionnaires around their data practices as regulations change by the day. Insurers want to know that consumers are getting the opportunity to opt-out, and that once their data is collected, it is being handled carefully.
That’s where an additional layer of privacy concerns comes into play. Once an informed consumer trusts an organization with their data, can they trust that they are doing everything in their power to protect it?
Again, technology companies are being asked to shoulder more responsibility when it comes to having adequate safeguards in place if an attack occurs. In 2020, the software company Blackbaud experienced a ransomware attack that impacted more than 13,000 companies. It did not disclose that threat actors accessed sensitive data, such as bank account and Social Security information, which resulted in a $3 million penalty in 2023.
Transparency extends beyond asking users to opt in. It also requires that organizations have the right controls and procedures in place so that if an attack happens, they can minimize the impact to their customers — and respond accordingly if sensitive data is stolen. (Of course, your Tech E&O insurer will help here!)
As far as security controls and data protections go, expectations have never been higher. But threat actors are working harder, too. Ransomware groups are shifting their focus to vulnerability exploits, and they have their eyes on victims with large swaths of data — like tech.
The cyber climate for technology companies is getting complicated. Fallout from scrutiny towards Big Tech, varying privacy expectations across states, and increasing liability concerns have made finding the right coverage more important — and more challenging. Here’s what you need to know as you explore Tech E&O coverage options this year:
At this point, most clients are aware of ad-tracking technology and the associated risks. But when it comes time to fill out Tech E&O applications, they should be well-informed on how they are storing data, whether their privacy policies address any ad-tracking technology, and whether their consumers can consent to the usage of these technologies.
Penalties for wrongful collection of data can be devastating. As the adequate handling of sensitive information becomes increasingly important in the face of sweeping cybercrime, experienced brokers — and carriers — can be great assets to help clients understand exactly what risks they’re facing (and what they should do to mitigate their exposure).
With increased risk against the tech sector, certain organizations (like software companies) may face sweeping generalizations or exclusions when looking for coverage. That’s where specialization is key. Underwriters who are experienced in the industry will work with your clients and their unique challenges — not write them off because of them.
Risks are evolving by the day. Underwriters who dedicate most of their time to Tech E&O and Cyber have unparalleled knowledge of the exposures your clients are facing. But it’s not just our underwriters who understand what tech is facing: our in-house claims and Risk Advisory experts also have a vast knowledge of the complex regulatory and privacy landscape. This real-time input helps us make personalized (not knee-jerk) decisions when calculating risk.