e dot dot dot
a mostly about the Internet blog by



How The Cyber Insurance Industry's Bottom Line Is Fueling Ransomware

Furnished content.


The past decade or so has seen an explosive upward trend for the cyber insurance industry. Given the rise of malware, particularly of ransomware, it's perhaps not surprising that an insurance market sprouted up around that reality. It's gotten to the point that those of us whose day-to-day business is managing client networks in the SMB space are now regularly fielding requests for how to obtain cyber insurance.

But when you begin to dig into how that industry operates and the methodology by which it advises its clients, it quickly becomes apparent that the cyber insurance industry itself is fueling the growth in ransomware attacks worldwide. ProPublica has a long and fascinating post on the topic, first discussing a real world example concerning a municipality that was hit with ransomware, attempted to resolve this on its own through restoration of backups, but ultimately was advised by its cyber insurance partner to pay the ransom. In doing so, the municipality was out only its $10k deductible, while the insurance company paid out over $400k to the attacker. This was seen as a good deal for the municipality.

But was it? It turns out that the IT department for the city was putting together a restoration plan. That plan would take time to implement, require the involvement of outside consultants, and would require overtime work by the IT staff. All of that, of course, would be paid for by the cyber insurance company if the city went down that path. Instead, the ransom was paid.

This highlights two troubling trends in the cyber insurance industry. The first trend concerns how insurance companies advise their clients when attacked... and why they advise them in the way they do.

A spokesperson for Lloyd’s, which underwrites about one-third of the global cyber-insurance market, said that coverage is designed to mitigate losses and protect against future attacks, and that victims decide whether to pay ransoms. “Coverage is likely to include, in the event of an attack, access to experts who will help repair the damage caused by any cyberattack and ensure any weaknesses in a company’s cyberprotection are eliminated,” the spokesperson said. “A decision whether to pay a ransom will fall to the company or individual that has been attacked.” Beazley declined comment.
Fabian Wosar, chief technology officer for anti-virus provider Emsisoft, said he recently consulted for one U.S. corporation that was attacked by ransomware. After it was determined that restoring files from backups would take weeks, the company’s insurer pressured it to pay the ransom, he said. The insurer wanted to avoid having to reimburse the victim for revenues lost as a result of service interruptions during recovery of backup files, as its coverage required, Wosar said. The company agreed to have the insurer pay the approximately $100,000 ransom.
Examples of this abound throughout the rest of the post. Essentially, the insurance company simply calculates what will be the more expensive payout for the insurer: the ransom or the cost of recovery? If the cost of the ransom is less, the insurance company advises, and sometimes pressures, the client to decide to pay the ransom. This can oftentimes look like the better option, as recovery from malicious disaster is time-consuming and comes without the assurance that a full recovery is even possible. What's a $10k deductible compared with a city's systems being down for two weeks? This can seem like a win for the insuree, or at least the most mitigated loss possible.
The problem is what this does throughout the rest of the world, which is troubling trend number two.
As insurance companies have approved six- and seven-figure ransom payments over the past year, criminals’ demands have climbed. The average ransom payment among clients of Coveware, a Connecticut firm that specializes in ransomware cases, is about $36,000, according to its quarterly report released in July, up sixfold from last October. Josh Zelonis, a principal analyst for the Massachusetts-based research company Forrester, said the increase in payments by cyber insurers has correlated with a resurgence in ransomware after it had started to fall out of favor in the criminal world about two years ago.
One cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance. After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware, Wosar said. Hackers could also identify insured targets from public filings; the Securities and Exchange Commission suggests that public companies consider reporting “insurance coverage relating to cybersecurity incidents.”
To some degree, this happens whenever insurance is introduced into a specific market. Nefarious actors recognize how insurance companies calculate their decision making and react accordingly. Now that cyber insurance is commonplace, and given that those insurance companies very often recommend paying malware ransoms, there are more attacks asking for more money more often.
The cyber insurance companies, in the interest of maximizing income and minimizing payouts on their own policies, are actually fueling the ransomware industry. You might guess that the industry would see this as a problem. Given the data, however, it's likely that the increase in attacks the insurance industry is fueling ultimately benefits the cyber insurance industry.
Driven partly by the spread of ransomware, the cyber insurance market has grown rapidly. Between 2015 and 2017, total U.S. cyber premiums written by insurers that reported to the NAIC doubled to an estimated $3.1 billion, according to the most recent data available.
That reads like a classic case of causing the problem for which you sell the cure. Nobody is suggesting that cyber insurance companies are doing this on purpose, of course, but that is indeed the practical effect.
The real problem is that all of the incentives are wrong here if the ultimate goal is less ransomware. Fortunately, there will come a point where diminishing returns for the industry will incentivize it to try to reduce attacks. That's why, as the post notes, the best solutions for how to prevent ransomware attacks may well end up coming from the insurance industry itself.
But in the meantime, ransomware continues to grow and grow, supercharged by the profit and loss needs of the industry that's supposed to oppose it.


posted at: 12:00am on 10-Sep-2019



Investigation Uncovers Mass Purging Of Phoenix Police Department Misconduct Records

Furnished content.


There's nothing about American policing that police unions can't make worse. A powerful obstacle standing in the way of accountability and transparency, police unions ensure Americans remain underserved by their public servants.

Police unions have defended such things as tossing flashbang grenades into rooms containing infants and the elimination of drug testing for officers. They've repeatedly tried to thwart legislation that would provide more public access to police misconduct records and have often verbally attacked anyone who questions the actions of law enforcement.

What they're best at doing is tipping the scale in favor of bad cops. Apparently laboring under the pretense that even a bad cop is a better person than anyone not wearing the blue, unions effectively neutralize oversight by ensuring city and state agencies cannot easily access discipline records. Then they go further, preventing even the police from policing themselves.

Justin Price's report on the whitewashing powers of the Phoenix (AZ) PD's union contract is a jaw-dropping read. But it's not an anomaly. There are contracts like this in place all over the nation. But AZ Central's investigation shows just how much has been swept under the rug to "protect" cops from the people they serve.

Phoenix Police Sgt. Philip Roberts was suspended from the force for 30 days after an internal investigation concluded he failed to properly manage a 2015 incident where officers shot and killed a mentally ill man.
Lt. Dalin Webb received a written reprimand for his 2013 arrest on domestic violence charges in which he reportedly shoved his wife and choked his teenage son.
Officer Joshua Wayne Beeks was suspended for 15 days when the Department discovered he was involved in three unauthorized high-speed pursuits in a single year that killed two people.
But there's little indication in Phoenix Police Department personnel and internal investigations records that those officers were ever disciplined.
That's because Roberts, Webb and Beeks, like hundreds of other Phoenix police officers in recent years, were allowed to erase records of their misconduct from files kept by the Police Department.
The practice, which the Department refers to as "purging," has been standard for more than two decades under the police union's contract, but the public has been unaware of it.
The contract also prohibits misconduct detailed in the purged records from being considered in future disciplinary investigations or performance evaluations.
If the goal is to keep bad cops employed indefinitely, it's been super-effective. Over 500 of the city's 3,000 officers have had their pasts memory-holed by the union contract, covering over 600 misconduct incidents ranging from failure to complete reports to deployments of excessive force.
The purging prevents even internal investigators from discovering patterns of misconduct that should result in harsher discipline or termination. It also prevents plaintiffs suing officers over violated rights from obtaining key background info that could indicate an officer is a longtime abuser of citizens. In one case cited in Price's report, the PD began purging an officer's records as soon as the officer had been served.
The lack of a paper trail results in things like this happening:
Purged records don't appear in a file review.
Those records also don't show up during annual performance evaluations.
Officer Kevin McGowan, for example, earned top marks in his 2015 evaluation despite being disciplined for serious misconduct during the previous year.
An internal investigation concluded McGowan used excessive force when he stomped on an 18-year-old man’s neck, driving his face into the tile floor of a convenience store and knocking out three of the man's teeth.
The incident was captured in surveillance footage taken from the store.
McGowan was initially fired, but the union interceded and he ended up with only a 30-day suspension. A few years later, the disciplinary files were purged, resulting in this cop being commended for being such a great cop. Phrases like "positive attitude" and "community contributor" were tossed around by supervisors unaware of McGowan's recent past.
AZ Central's investigation involved comparing the list of disciplinary files sent to the city's Human Resources Department by the Fiscal Management Bureau with the list of misconduct records maintained by the PD's Professional Standards Bureau. What's considered to be an officer's "permanent record" is maintained by the city's HR department. "Maintained" is definitely overstating things.
By cross-referencing the two sets of records, The Republic identified hundreds of disciplinary cases that had been hidden from internal affairs and the Department's leadership.
Over five years, records of 90% of all sustained misconduct investigations had been erased.
Some of these records are supposed to be maintained for at least five years, according to the contract language. But AZ Central found multiple cases where files had been memory-holed ahead of schedule. Files detailing incidents that resulted in suspensions of over 80 days are never supposed to be purged, but the investigation discovered many of those were missing as well.
The PD explains away all this opacity by saying it increases officer morale. And of course it would. Many employees in many different fields would feel better about themselves and their jobs if they knew their misconduct would never be used against them. But the PD doesn't serve itself. Or at least, it shouldn't. It serves the public. And nothing about this union contract shows any concern about the public or its morale.


posted at: 12:00am on 10-Sep-2019


