Protecting the WC Industry from Cyber Threats: No Time for Penny Pinching – Part I

Editor’s Note: This is the first of a two-part article that looks at the increasing risk of cyber threats to the workers’ compensation industry and ways organizations are dealing with it.

Sarasota, FL (WorkersCompensation.com) – Residents of Baltimore, Md., were recently told they would not receive water bills for the month of June. That’s just one of the results of a massive ransomware attack in May that shut down all the city’s computer systems with the exception of essential services.

While the hackers demanded approximately $76,000, the city has already paid an estimated $18 million to get its systems back up and running. What makes the situation particularly painful is that the city’s information security manager last year had warned of potential cyber attacks and sought money to ramp up the city’s security systems and purchase insurance. His request was denied.

“This is no time to let the bean counters pinch beans,” said Gary Anderberg, SVP of Claim Analytics Product Manager at Gallagher Bassett. As he explains it, cyber attacks have become highly sophisticated.

“Most people thought in terms of some kid in his mother’s basement messing with other people’s computer systems. That was the vision,” he said. “It’s morphed and become an alternate form of business, with brand names and groups. It’s gone from a small scale nuisance … into an organized ‘black business’ that has many state actors.”

The issue of cyber threats to the workers’ compensation industry intensified last week, as CorVel, a major player was forced to shut down its systems. The company announced today that it is bringing its systems back on "incrementally." 

The Evolution of Cyber Attacks

When retail giant Target was the victim of a cyber attack in 2013, it shocked many. The hackers had accessed the company’s gateway server through credentials stolen from a third-party vendor and stolen data from up to 40 million credit and debit cards of shoppers. Despite the $18.5 million the company agreed to pay to settle claims by 47 states and the District of Columbia, the attack itself seems like small potatoes compared to what we see today.

“When Target was hit, copies of data were made,” Anderberg said. “But it didn’t shut down the company.”

These days, it’s relatively easy to force an organization to close due to a cyber attack. According to Anderberg, anyone can go on the ‘dark web’ and buy a “nasty” bug. “And it comes with 24/7 user support! People are selling this stuff on the dark web and have turned it into a real business. They’re doing it for real money.”

Also available on the dark web are lists of stolen data. Some hackers steal data with the sole intention of profiting through resale.

Cyber-related claims have evolved into what’s being called a new type of ransomware attack. “Traditional models have incorporated delivery of malware using mass mailing spam campaigns or exploit kits,” according to a report on cyber attacks from Sedgwick. “In the latest incidents, criminal groups use targeted malware in attacks designed specifically to disrupt high turnover small to medium enterprise (SME) businesses by locking up crucial digital assets. Initially, a network is compromised and the hackers spend time researching, mapping and collecting credentials from the SME. Once the target network infrastructure is fully understood, the criminals execute their ransomware to cause maximum impact.”

The report said a ransomware attack occurs every 14 seconds, according to Cybersecurity Ventures.

The dangers of a cyber attack are multiple. Stolen data can force a company to shut down for a period of time. “It’s a tremendous business interruption hit, especially if you’re paid on a transaction basis,” Anderberg said. Reputational risk is another result of cyber attacks. Finally, there is the risk of a class action lawsuit if, for example, hackers were to steal personal health information and sell it on the dark web.

“The other issue is you have to rebuild your system,” Anderberg said. “If this gets much worse, it may start to shut down the creative uses of the internet. It may become too dangerous to use.”

What’s Being Done

Putting money and resources into protecting an organization’s data and systems is a must these days, experts say. The increased dependency on technology increases companies’ exposure to cyber risks, while the players involved are honing their efforts daily.

“Similarly to how we prepare for natural disasters and other catastrophes, we must also focus on crisis response planning for cyber threats,” the Sedgwick report said. “Businesses must not only continue to anticipate cyber attackers’ objectives and implement prevention measures; they also must shift focus toward cyber resilience and respond to protect their firms and their customers from the impact of malicious cyber attacks.”

Protecting companies from cyber attacks is admittedly complex, especially since things change so quickly. However, experts offer several pieces of advice.

“We’re all doing a lot of the same things,” Anderberg said. “There are two approaches; double down on your security, and educate the hell out of your people.”

Anderberg advises doing ‘phishing expeditions’ monthly, to see if employees are vulnerable to these types of cyber attacks, and then educate employees on how to avoid them.

Cyber risk insurance policies are also a must, experts say. According to Sedgwick, these may include such things as third party liability, technical assistance and research expenses, repair and restoration costs, loss of profit, legal defense, crisis communication and incident management.

“In addition to considering cyber risk insurance policies and response measures for their own operations, it is important for businesses to discuss cyber practices with upstream and downstream partners,” Sedgwick advised. “Reviewing contracts and building in specific language can help ensure the right protections and plans are in place throughout a connected supply chain.”

Despite a company’s best efforts, there is no way to guarantee a cyber attack will not occur. Getting a company back up and running as quickly as possible after an attack is imperative.

Tomorrow, in Part 2, we look at measures organizations can take before and after a cyber attack to mitigate the damage as much as possible.

Share This Article: