The rise of remote work and growing concerns over ransomware acted as partners-in-crime in getting organizations to home in on risk mitigation efforts over the past couple of years. In compiling our Risk Insights Index, we found that with certain initiatives — safer or reduced usage of RDP, growing use of email security tools, and other measures taken to limit the impact of threat actors — businesses are more prepared than they were a year before and are ready to play defense. Those efforts are borne out in our finding that the rate of companies that pay a ransom when attacked with ransomware fell by half within a year.
Of course, there is expected variation between sectors. Some industries face unique challenges that others do not, which is why we would like to take the time to highlight the amplified risks that technology companies face.
No hyperbole needed: tech companies have a litany of risks that are unique to their industry (more on those momentarily). Technology errors and omissions (Tech E&O) is a line of specialty insurance designed to cover those risks, such as legal liability and resulting financial losses that providers of software, IT or professional services face if their products or services fail or are breached, resulting in harm to their customers.
A crucial component of Tech E&O insurance is coverage for cyber risks, like ransomware and other cyberattacks. Modern policies include a more or less complete Cyber Liability insurance policy, with first and third-party coverage.
While we’ve seen a lower frequency in ransomware attacks for tech companies compared to other sectors, the aftermath of these incidents — when they do occur — can be notoriously costly due to the downstream impact on software users, who face their own losses and reputational damages.
To determine the true cost to tech companies, the Corvus Data Science team had to solve a new problem: how can we account for potential legal challenges, and are there patterns we can trace in litigation?
The (burning) question: Can we effectively analyze any company’s litigiousness, and therefore estimate the risk they present to a company that has them as a customer?
Not to kill the suspense but the answer, ultimately, is yes. There were just some challenges to solve along the way.
First, we had to determine whether a company's rate of litigation in one year was correlated with its rate the next. Using information from thousands of legal filings led to a promising result (for us, anyway): a company that initiated a certain number of lawsuits one year is incredibly likely to do the same the next.
In legal documents, there was a huge variety in the naming of the same businesses. Think: Johnson&Johnson, J&J, j&j, etc. Then there was the obstacle of parent companies whose names differ from those of their subsidiaries. Solution: Natural Language Processing (NLP). We trained a machine to perform web searches for company names and return the resulting domain names. Having a common website domain allowed us to group related companies under one unique identifier.
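An added illustration of the grouping step described above (example code written for this page, not Corvus's pipeline): party names from filings are normalized, resolved to a website domain, and counted per domain and year, which is also the shape of data the year-over-year persistence check needs. The `SEARCH_RESULTS` table and the `FILINGS` list are constructed stand-ins for the web-search step and the court records.

```python
import re
from collections import defaultdict

# Constructed stand-in for the web-search step: normalized name key -> domain returned.
# A subsidiary resolving to its parent's domain lands in the same group as the parent.
SEARCH_RESULTS = {
    "johnson johnson": "jnj.com",
    "j j": "jnj.com",
    "janssen pharmaceuticals": "jnj.com",
    "acme software": "acmesoftware.example",
}

# Legal-form suffixes that vary between filings and carry no identity information.
SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "co", "company"}

def normalize_name(name: str) -> str:
    """Lowercase, replace punctuation with spaces, drop trailing legal suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()
    while len(tokens) > 1 and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def resolve_domain(name: str):
    """Map a party name as written to its domain, or None when the lookup has no hit."""
    return SEARCH_RESULTS.get(normalize_name(name))

# Constructed sample filings: (plaintiff name as written in the document, filing year).
FILINGS = [
    ("Johnson&Johnson", 2021), ("J&J", 2021), ("j&j", 2022),
    ("Janssen Pharmaceuticals, Inc.", 2022), ("Acme Software Inc.", 2021),
    ("Unknown Widgets LLC", 2022),
]

def lawsuits_by_entity(filings):
    """Count filings per resolved domain and year; return unresolved names for review."""
    counts = defaultdict(lambda: defaultdict(int))
    unresolved = []
    for name, year in filings:
        domain = resolve_domain(name)
        if domain is None:
            unresolved.append(name)   # never silently merge unknown parties
            continue
        counts[domain][year] += 1
    return {d: dict(y) for d, y in counts.items()}, unresolved

def repeat_rate(counts, year, next_year):
    """Share of entities that sued in `year` and sued again in `next_year`."""
    active = [d for d, y in counts.items() if y.get(year, 0) > 0]
    if not active:
        return 0.0
    return sum(1 for d in active if counts[d].get(next_year, 0) > 0) / len(active)
```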
It is tricky to put a label on all of these tech companies. We needed to classify both plaintiff and defendant companies by industry to enrich our database, but tech companies are often misclassified. For example, a provider of EMR software for hospitals may be called a healthcare company, which, while not wrong, was too vague for our needs. We needed to be as specific in our differentiation as possible. The solution? NLP again, this time using the BERT technique, which can ingest large amounts of text and interpret it much as a human could. This allowed us to reclassify thousands of companies into our preferred buckets based on how they described their services.
With our solutions working, we were able to move forward and create scoring mechanisms that feed into our proprietary underwriting model. We can score risk from both the "defendant" side (how risky is tech company "X", regardless of who their customers are) and the "plaintiff" side (how litigious is customer "Y", and does that affect X's risk). Litigation is now one of many rating factors included in our Tech E&O underwriting.
For a more detailed look at how we used AI to better understand Tech E&O risk, you can check out our two-part series.
Across the board, we are seeing both increasing awareness of and concern over the threat of ransomware. For tech companies, that concern is twofold. A cyberattack linked to their products can end up costing them more because of the significant costs of lawsuits from customers who dealt with outages or lost data because of an incident on the provider's end.
Unfortunately, attackers recognize the leverage that this downstream risk gives them over technology companies. A recent example is the Kaseya attack, in which the REvil ransomware group gained access to managed service providers (MSPs) — and through them a much larger audience — via zero-day vulnerabilities in Kaseya's software (weaknesses that had not yet been publicly known or patched). Around 1500 customers of more than 50 MSPs were impacted, and unsurprisingly, the ransom demand to Kaseya was rumored to be in the tens of millions.
Tech companies may face the worst-case scenario, in which a ransomware attack shuts down their business as well as their customers'. More common, though, is the threat of data being lost, made inaccessible, or published, which costs both the tech company and those who rely on it. Customers who experience losses or reputational harm can litigate. We wanted to see how customer size and industry come into play in determining the likelihood of legal action.
The larger the organization, the more likely it is to have general counsel or an entire legal department on board. In line with that, the larger the customer's company, the more likely it is to sue its technology provider.
A company with 250 or more employees is 216% more likely to sue its tech vendor than a company with 10 or fewer employees, and twice as likely to sue as a company with 11-50.
We found some substantial differences between sectors in their average rate of litigiousness. Across the entire database, industries like Transportation and Public Administration sit around the average (+0.1 and +0.2, respectively). Health Care companies are the least likely to sue, but are only 16% below average. We see more differentiation on the more litigious side: both the Information (media) sector and Manufacturing (metals) are 50% more likely to sue than average, and insurers are around 20% more likely.
We see similar trends by industry and size on the technology providers' side. For example, larger companies still present a larger risk. However, some classes break the mold:
For more on the unique litigation risks tech companies face, and other cyber and Tech E&O trends, you can find our full inaugural Risk Insights Index here.