Pratum Blog

Image of code and locks over money

If your cyber insurance premium blew up this year, you’re not alone. Cyber insurance rates have increased 110% in the U.S. for the first quarter of 2022 according to Marsh's Global Insurance Market Index. And to make the situation even more frustrating, the application process has become extremely complex as insurance companies ask hundreds of questions at renewal time.

In this post, we’ll describe the key ways you can get lower cyber insurance premiums and survive endless underwriting questionnaires while still getting the coverage essential to your business.

How to Reduce Your Cyber Insurance Premiums

The following policies and tools have the dual benefit of making you more secure and convincing underwriters that you’re a lower risk. Ross Ingersoll, an executive risk & cyber account executive at one of Pratum’s insurance-industry partners, Holmes Murphy, in Des Moines, Iowa, points to three security policies/tools every insurance carrier wants to see.

Multifactor Authentication

“MFA is, by far, the leading indicator to prevent ransomware losses, and it’s the number one thing carriers are looking for,” Ingersoll says. Without a sound MFA policy, you may be denied coverage. And a general answer of “yes, we have MFA” won’t satisfy most carriers. They want details on how your MFA policy protects admin level users, secures all remote access and secures corporate email on non-corporate devices and web apps.

Endpoint Detection-and-Response

Ransomware struggles to get past these systems that can catch threats early and shut them down. An IBM study found that organizations using security AI and automation spend 80% less handling a breach. A solution like Pratum’s Managed XDR can detect anomalous activity, correlate actions into a threat picture and proactively shut down attacks. And that often happens in milliseconds.

Solid Backup/Recovery Procedures

Ingersoll asks his clients: “Do you have an offline or segregated backup solution? Have you tested it frequently? Monthly? Quarterly? Is access to the backup restricted by MFA? Along with that, do you have an incident response plan to access the backup and have you tested the IR plan?”

Why Premiums Have Jumped

The last couple of years have rocked the cyber insurance landscape with three factors hitting almost simultaneously. Insurance companies had set rates artificially low because they lacked enough history to do accurate underwriting. Then the ransomware wave and remote workforces arrived simultaneously, sending claims skyrocketing.

Put all that together, and you get an industry trying to right-size its revenue in a hurry by jacking up rates. At the same time, cyber insurance companies have taken other steps to control their losses:

  • Stop offering coverage. Some companies have decided it’s not worth the risk. Reuters has reported that Lloyds of London, which owns 20% of the worldwide cyber insurance market, won’t be taking on cyber business in 2022. And with fewer companies offering coverage, rates go up.
  • Reduce limits. You may not be able to buy the same coverage this year at any price.
  • Make underwriting tougher. “Five years ago, if you had antivirus and a firewall, you qualified,” says Ingersoll at Holmes Murphy. Now, Pratum sees applications drilling down on clients’ cybersecurity positions with 250 or more detailed questions.
  • Deny coverage. Some clients simply get labeled too risky to cover. Or they can’t get coverage for specific high-ticket threats, such as ransomware attacks.

A Case Study In Lower Cyber Insurance Premiums

You probably can’t avoid a price hike. But your actions can lead directly to lower cyber insurance rates. Consider the following story from Ingersoll of Holmes Murphy:

Ingersoll recently met with a client six months before their cyber insurance policy was up for renewal. The client lacked several of the key security tools described above, but on Ingersoll’s advice, they quickly ramped up their security posture.

To measure the ROI, Ingersoll got insurance quotes before the improvements and after. With no security adjustments, the $3 million policy’s price would have jumped from $20,000/year to $80,000/year. And ransomware incidents would have been limited to $100,000 of coverage.

With the new security policies/tools in place, the client kept their original coverage amounts and saw the price rise to $35,000. That’s still a 75% increase—but it’s a lot better than paying 300% more for less coverage.

“The increase may be inevitable,” Ingersoll says. “But you can manage the increase while maintaining a robust policy. That’s the moral of that situation.”

How to Prepare for Tougher Underwriting

Along with focusing on the key areas mentioned, you should brace for a significant time investment at policy renewal time. For both new policies and renewals, expect a long list of questions probing deeply into your information security policies and tools. We recently helped a client respond to 275 individual questions from their cyber insurance carrier.

So start 5-6 months before the renewal is due and get help from third-party experts such as Pratum and an experienced insurance broker.

Expect questions like these:

  • What percentage of your IT budget is allocated to information security?
  • Do you have a Chief Information Security Officer or equivalent?
  • Which cybersecurity frameworks do you follow?
  • Do you engage a third party to provide an assessment of your cybersecurity program and controls?
  • How do you track your software inventory by operating system and application version?
  • Do you implement standard audit logging policies for hardware devices and software?
  • What are your password policies?
  • How do you encrypt data?

Pratum’s consultants help organizations create customized security plans that not only help with cyber insurance costs but secure the organization’s future. Contact us today for a conversation about how we can help boost your security posture.

United States FBI Seal overlaid on image of man on computer

“Should we call the cops?” It’s one of the first questions inside the war room of most organizations facing a data breach. And by “cops,” most of us are thinking “FBI.” But will the FBI actually care about your case? Can they help before you even understand what happened? Who would you even call if you wanted to?

FBI Special Agent Dean Neubauer, part of the Omaha, Nebraska, Field Office’s cyber squad, joined Pratum on a panel hosted by Iowa’s Secretary of State. Agent Neubauer’s team includes analysts, computer scientists and CART personnel (the Computer Analysis Response Team that handles digital forensics). His insights reveal what you need to know about working with the FBI on a breach—including steps you can take right now before a breach hits you.

What the FBI Is Watching: Business E-mail Compromise

“Outside of very large ransoms, we see the most damage from business e-mail compromise (BEC), on the order of about $2 billion in business loss per year,” Agent Neubauer says. “A week and a half ago, we dealt with an Iowa company that was a victim of a compromise that cost them $2.3 million.”

BEC scams typically involve a message that seems to come from a co-worker or trusted vendor but includes a bogus link. For example, Pratum recently worked a case in which an accounts payable employee unwittingly sent a $400,000 payment to a malicious actor’s bank account. The hacker inserted themselves into an e-mail thread about a real invoice, then fooled the employee into using a new account number.

In the case Agent Neubauer recently worked, a hacker took control of the company CFO’s e-mail address and tricked employees into transferring funds. The typical cause of these breaches is someone using the same password in multiple places, which makes it far easier for hackers to steal credentials.
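
The invoice-thread hijack described above is detectable before a payment goes out if accounts payable compares the bank details in an e-mail against a vendor master record verified out of band. The following is an added example, not Pratum’s or the FBI’s code; the vendor record, the sample message and the one-character lookalike-domain tolerance are constructed assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed vendor master record: bank details previously verified by phone.
VENDOR_MASTER = {
    "acme-supply.example": {"routing": "011000015", "account": "123456789"},
}

# Constructed sample message imitating the thread hijack: a reply inside a
# real invoice thread that introduces "updated" bank details. Not a real e-mail.
SAMPLE_EMAIL = """\
From: Accounts <billing@acme-supp1y.example>
To: ap@victim.example
Subject: RE: Invoice 4471 - updated remittance details

Hi, please note we have changed banks. For invoice 4471 use
Routing number: 021000021
Account number: 987654321
Thanks
"""

ROUTING_RE = re.compile(r"routing\s*(?:number|#|no\.?)?\s*[:#]?\s*(\d{9})", re.I)
ACCOUNT_RE = re.compile(r"account\s*(?:number|#|no\.?)?\s*[:#]?\s*(\d{6,17})", re.I)

def sender_domain(from_header):
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()

def closest_vendor(domain):
    """Map a sender domain to a known vendor. A domain that differs from a
    known vendor by exactly one character (assumed lookalike, e.g. 'l' -> '1')
    is still mapped so the bank-detail comparison runs, but flagged as inexact."""
    for known in VENDOR_MASTER:
        if domain == known:
            return known, True
        if len(domain) == len(known) and sum(a != b for a, b in zip(domain, known)) == 1:
            return known, False
    return None, False

def check_remittance(raw_email):
    """Return a list of reasons this message needs out-of-band verification."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    vendor, exact = closest_vendor(sender_domain(msg["From"]))
    if vendor is None:
        return ["sender domain not in vendor master; verify out of band"]
    findings = []
    if not exact:
        findings.append(f"lookalike sender domain (expected {vendor})")
    expected = VENDOR_MASTER[vendor]
    routing, account = ROUTING_RE.search(body), ACCOUNT_RE.search(body)
    if routing and routing.group(1) != expected["routing"]:
        findings.append("routing number differs from vendor master")
    if account and account.group(1) != expected["account"]:
        findings.append("account number differs from vendor master")
    if re.search(r"changed banks|new (bank )?account|updated remittance", body, re.I):
        findings.append("message requests a change of payment details")
    return findings
```

Any non-empty result should block the payment until the vendor confirms the details on a phone number already on file, not one taken from the e-mail.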

The FBI’s Cybersecurity Tips

Clearly, your best strategy is to never need the FBI’s assistance. To secure your system, Agent Neubauer emphasizes several cybersecurity basics.

  • Properly log events and store the records – A system monitoring solution such as a SIEM or XDR maintains logs that provide the FBI’s starting point for an investigation. But agents find many organizations using basic systems that retain logs for no more than 48 hours. That’s rarely much help, considering that hackers typically lurk in the system for weeks or months before you detect them. Two days of logs gives investigators almost nothing to go on. Pratum’s policy for its SIEM/XDR clients is to retain logs for a full year.
  • Implement Multifactor Authentication – MFA makes you more secure, period. “Ninety-five percent of the business e-mail compromise victims I have contact with don’t have MFA enabled at the time,” Agent Neubauer says. In one recent case, he says, the victim exempted part of its system from using MFA. Guess where the threat actors got in?
  • Patch your systems – This is another classic best practice, but countless organizations let it slide, leaving known vulnerabilities wide open to exploitation. Agent Neubauer puts special emphasis on updating VPN devices, which are a favorite target for hackers. In one recent week, Agent Neubauer’s office saw five different Iowa companies exploited via the same SonicWall VPN. The hackers found the vulnerabilities via scanning tools, then sent in human hackers to start pivoting and escalating through the network.
  • Test your backups – It’s not enough simply to have data backups. You also need proof that you can rapidly and reliably restore data from the backups. That means testing them.
  • Beware of professional social media scams – The FBI has seen a spike in hackers phishing employees through LinkedIn or other professional social media platforms rather than through their company e-mail account. Scammers send the victim a link to an attractive job listing or a document that appears valuable. The link often leads to what looks like an Office 365 login page. In reality, it’s a credential harvester that hackers use to steal login information. But again, if you have MFA in place, they won’t be able to get in, even with your credentials.

When to Contact the FBI

Notify the FBI as soon as you suspect an attack. For example, your team may spot a phishing e-mail before anyone in your office falls for it. Telling the FBI about it lets them add the spoofed domain to the files accessed by offices nationwide.

Some organizations hesitate to call the FBI because they fear word will get out about their breach. But Agent Neubauer says the FBI won’t leak the information. “We won’t go to the media, with the exception of issuing a press release following an arrest,” he says. If you hear that a victim company is working with the FBI, that’s because the victim company or one of its vendors alerted the media.

Even if you’re not currently dealing with a breach, the FBI likes to hear from you. “It gives us a chance to network and establish relationships,” Agent Neubauer says. “That way in the future, you’re not having to cold call and work through to the cyber squad. When minutes matter, that’s critical.”

How to File a Report

The process starts when you file a report with the Internet Crime Complaint Center (IC3) on the IC3 website. Reporting your breach can activate the FBI’s recovery of assets team, which could dramatically reduce your financial loss. A detailed IC3 complaint about a fraudulent bank transfer, for example, includes details like the sending bank, receiving bank, account numbers, amounts involved, etc. Thanks to extensive relationships with financial institutions, the FBI can instigate a financial fraud kill chain that freezes accounts and may get your money back.

How the FBI Responds

Agent Neubauer says a special agent may show up to gather information, including logs, and put it into their systems. Your situation may require a full incident response from a team of agents and other professionals (the Cyber Action Team) that can be on-site anywhere in 24 hours. “We’d be looking for how the actors got in, what they took, what they’re using to communicate,” Agent Neubauer says. “It’s all the same stuff traditional IR would do, but it’s focused on a criminal prosecution and not how to fix your stuff.”

If you need help preparing your incident response plan, including how you’ll work with law enforcement, contact Pratum today.

Human hand with x-ray showing implanted microchip

In the right circumstances, a biohacker may only need to wave their hand to break into your building or attack your network. The technology at work isn’t all that new, but its location is. It’s now shockingly easy to implant a microchip in your own body and use it to access (and potentially hack) a wide variety of devices.

During a session at the 2021 Secure Iowa conference, Pratum Senior Penetration Tester Jason Moulder demonstrated what’s possible in this version of biohacking. With four chips embedded in his own hands, Jason had a lot of data resting on the podium as he spoke.

How Implanted Chips Work

When Jason asked what comes to mind when you imagine implanted chips, several people shouted, “Terminator!” And they’re not wrong. Technically speaking, putting anything inorganic into your body makes you a cyborg. In simple terms, Jason said, biohacking “is just a desire to go beyond what you can normally do.”

But as edgy as they sound, implanted microchips are actually a simple matter of putting technology you already use under your skin instead of in your pocket. The chips use the same RFID (radio frequency ID) technology you’re familiar with in proximity cards such as your office ID or hotel room keys. RFID also pops up throughout your life in credit cards, toll booth tags, key fobs, luggage tracking in airports and more. Millions of pets carry implanted chips in case they get lost. And the medical community already leverages implantable chips with devices such as glucose-monitoring systems for people with diabetes.

The chips, which are typically not powered, communicate over short distances with the reader, and an implanted chip can carry anything a card can. That means you could use a chip to open locked doors at the office, give your boarding pass to an airport agent, buy items from a vending machine, log into a cash machine, tell your smartphone to call up a favorite website and much more.

Your own personal tastes will determine whether handling transactions with your hand sounds wildly convenient or mostly creepy. In some other countries (most famously Sweden), thousands of people have had chips implanted. A couple of years ago, Sweden’s largest chipping company couldn’t keep up with the demand.

How Chips are Implanted

The first person known to receive a microchip implant was a British scientist named Kevin “Captain Cyborg” Warwick in 1998. Today, you can join Captain Cyborg’s super friends simply by ordering your own implant kit online. Jason buys his at Dangerous Things, which offers bundles including the Ultimate Implant Bundle with three chips for $260.

If you get even remotely squeamish around needles, chip implants won’t be your jam. Kits come with plungers and large needles so you can inject the chip, which typically comes in a glass tube about the size of a grain of rice. (It’s worth noting that Dangerous Things’ web store includes several pain-management products.) Most users place the chips on the back of their hand beside the thumb for easy access to chip readers.

You can watch the implant process here, along with watching a journalist starting to realize that he may want to keep his new chip even after his experiment is over.

Jason says the chips he’s carrying around are guaranteed to last 50 years. What if you change your mind about the chip or technology makes your implant obsolete? Well, take a deep breath. Dangerous Things offers a scalpel set.

How Hackers Can Use Implanted Chips

Back in 2015, a security expert was already hacking into smartphones using an implanted chip originally designed for cattle. So without a doubt, a hacker could leverage a chip to breach a building or computer system. Again, they leverage familiar RFID technology. And Jason notes that most RFID access systems are vulnerable because most companies buy the cheapest unit that meets their compliance requirements. “Most businesses have a mentality that they’re just checking the box,” rather than truly looking for a secure solution, Jason says.

To make his point during his presentation, Jason quickly broke into a virtual hotel room by transferring the code from a proximity card onto the chip in his hand. In under five minutes, his chip produced a green light on the card reader he brought along. Then he demonstrated how he can transfer malware from his implanted chip to a phone, creating a foothold to start pivoting through the larger system connected to the phone.

You can also load scripts onto a chip, “which is where it starts becoming dangerous from my perspective,” Jason says. You can use a chip to log into a computer, open the browser and navigate to a certain site.

How Risky Are Chips Today—Really?

It’s fairly obvious that implanted chips are a bit of a novelty act at this point. You could accomplish the same things with a card or even a chip tucked into the seam of your shirt cuff, etc. But in an extremely security-conscious facility, you could envision scenarios involving extensive searches of visitors, metal detectors, etc. It’s not often that an implanted chip would represent the only way to circumvent security, but it’s not hard to imagine such a situation.

Realistically, you’re already giving away far more information than you need to worry about with chips. “If anybody really wants to find you,” Jason says, “they can just track you on social media. We use that all the time in our jobs as penetration testers because people are always tagging people, checking in at places, etc. We can build a profile of you with all that.” And, of course, nearly everyone already voluntarily carries a powerful tracking device in the shape of their smartphone.

Implanted microchips may grab attention by scratching a sci-fi itch. But whether someone is attempting to breach your system with a chip or a card, the core principles of good security still apply.

You can download a copy of Jason’s full presentation here.

If you need help reviewing the implications of chip implants and other threats for your security, contact Pratum for a free consultation.

Jason Moulder, Senior Penetration Tester, Pratum

Jason is an Offensive Security Certified Professional (OSCP) with over 10 years of technology and security experience. He has extensive experience with network and web application penetration testing, social engineering, security architecture, forensics, incident response, governance and compliance. Jason has worked as a consultant for many types of industries, including government (federal/state/local), financial, oil and gas, education and private sectors. Jason currently works as a penetration tester with the Managed Security Services division at Pratum, which includes managed SIEM, vulnerability scanning, and penetration testing services. Jason also holds the following certifications: CASP (CompTIA Advanced Security Practitioner), OSCP (Offensive Security Certified Professional), GREM (GIAC Reverse Engineering Malware), CPTE (Certified Penetration Testing Engineer), CDFE (Certified Digital Forensics Examiner), CDRE (Certified Disaster Recovery Engineer), ITILv3 Certified (Information Technology Infrastructure Library), P2P Marshall, and MAC Marshall.