What Cyber Insurance Claims Reveal About Real Cyber Risk
In this week’s episode of the Future of Threat Intelligence podcast, Eli Woodward is joined by Daniel Woods, Principal Security Researcher at Coalition and cybersecurity lecturer at the University of Edinburgh. During the podcast, the two discuss the effectiveness of cybersecurity controls based on Woods’ research using cyber insurance datasets.
Together, Woodward and Woods discuss what cyber insurance claims reveal about real-world attacks, patterns seen across claims, and how you can use claim intelligence to reduce overall cyber risk.
How Cyber Insurance Claims Data Reflect Real-World Attacks
Cybersecurity attacks are difficult to study objectively. Unlike medicine, where controlled trials can determine the efficacy of treatments, there are no corresponding trials we can run in cybersecurity, Woods notes.
“No one wants to be in the control group without the intervention,” Woods says. “And I think even if we got past that stage, we get to what is a common theme in this area, which is take a given security control. It's not like an injection where everyone receives the same dosage with a reliable instrument. With cybersecurity controls, it depends who manages it, the environment it's put into, how it's configured, monitored, gets really tricky.”
Even so, Woods realized that Coalition’s data can serve as a useful benchmark for the frequency of cyberattacks and the efficacy of different controls. Looking at Coalition’s data, he determined that of 100,000 customers, about 1,500 suffer an incident each year, an annualized frequency of about 1.5%.
Even then, Woods cautions that the data is incomplete. For example, Coalition likely never hears from customers who click on a phishing link but contain the resulting malware infection themselves and never file a claim. In that case, Coalition’s data may undercount what would otherwise be classified as a “cybersecurity incident.”
Still, Woods was able to use the Coalition data as a benchmark to identify trends. For instance, the most common type of claim was for fund transfer fraud, in which someone is tricked into transferring funds to an attacker. Across the customer base, these attacks typically cost about $200 to $300,000 on average. Woods estimates that fund transfer fraud makes up about 60% of all incidents, with business email compromise (BEC) making up about 20% and ransomware the final 20%.
Ransomware, Email, and Edge Devices: Patterns Seen in Claims
Based on Coalition’s data, Woods noted that the majority of incidents are related to email-based threats: almost 80% of incidents, based on the claims coming in for fund transfer fraud and BEC.
“They pretty much always come from email based threats,” Woods says. “So it's kind of to me very interesting that if you go through [security conferences], because I know we chatted at Black Hat, there's a huge amount of vendors and just a tiny slice are actually working on email security.”
While the majority of incidents are email-based, Woods noted that ransomware incidents are the “most severe incidents and especially they have the longest tail.”
Significant ransomware incidents can cause knock-on effects for months, disrupting operations and causing ripple effects across the entire organization’s supply chain. And for these severe incidents, Woods found that one of the highest risks was due to externally exposed perimeter security appliances.
For example, Woods found that organizations with exposed Cisco ASA devices were five times more likely to file a claim. This is not just a Cisco issue; the same pattern applies to equivalent Fortinet, Citrix, and SonicWall products. Reading forensic reports for complementary causal evidence, Woods found that about 50% of incidents were due to exploited VPNs or firewalls, while another 20% involved remote access devices.
Initial access to these devices was largely gained through stolen credentials combined with a lack of enforced multi-factor authentication (MFA). This was the root cause of around 40-60% of incidents, while most of the remaining incidents were caused by unpatched vulnerabilities that were exploited within weeks or a month of the vulnerability being published, rather than by zero-day vulnerabilities.
Using Claims Intelligence to Reduce Cyber Risk
By identifying the root causes of the majority of incidents through claims intelligence, security practitioners can ultimately focus on controls and measures that reliably reduce cyber risk. These are tried and true methods that, while not necessarily a silver bullet, still work to harden a network and organization.
At an individual level, multi-factor authentication (MFA) secures accounts over 90% of the time. However, as Woods notes, MFA runs into issues at an organizational level. There may be specific accounts that cannot use MFA, or other gaps in deployment within an organization, even when the organization says it requires MFA enforcement.
Cloud-hosted email was also found to be correlated with significantly less risk than on-premises solutions. This is attributed to cloud-hosted providers’ automated patching and centralized monitoring for phishing and fraud. In particular, Google Workspace was found to perform better than Microsoft Office 365, potentially due to different business models: Workspace offers email filtering features for free, while Office 365 has tiers and charges for features that not all organizations purchase.
Security awareness training (SAT) has been found to have mixed results when it focuses solely on educating end users about phishing attacks. SAT’s value appears to come instead from educating users about more advanced social engineering techniques. Advanced training, such as educating users about the risks of installing remote management software, appears to have led to a reduction in claims. However, there is no clear definition of what constitutes “advanced” SAT.
Listen to the full episode of the Future of Threat Intelligence Podcast with Daniel Woods, Principal Security Researcher at Coalition HERE.