Check Point Software Technologies Inc - Experts & Thought Leaders

Latest Check Point Software Technologies Inc news & announcements

Cysurance & Check Point: Cybersecurity insurability program

In a vidcast interview for journalists, industry pioneers Kirsten Bay, CEO of Cysurance, and Randle Henry, Enterprise Security Architect at Check Point, shed light on the emerging role of insurability assessments in bridging the gap between cybersecurity and insurance. The conversation put into context the Cysurance Insurability Assessment Program, Powered by Check Point, a joint initiative that is bending the risk curve in favour of businesses by assessing and managing their cyber exposure profiles.

New approach to cybersecurity insurability

The program was developed as a solution to the growing need for businesses to assess their security posture accurately and improve their insurability. Henry explained the fundamental goal of the program: "The insurability assessment is a way for insurance companies to reduce the cost of their policies by assessing their clients' security posture. We've broken this down into three different programs based on the size and complexity of the organisation to provide visibility and map out issues that clients may not even be aware of."

By focusing on the client's cybersecurity infrastructure, the assessment helps insurers, brokers, and businesses work together to understand and address vulnerabilities that could jeopardise their organisations.

Comprehensive cybersecurity review

Bay emphasised the importance of this program for brokers, especially those who do not tend to focus on cyber policies and lack deep infosec expertise. "Applications for cyber insurance have become increasingly complex, and many brokers are not cybersecurity specialists," Bay noted. "This program supports brokers by simplifying the assessment process, providing clarity, and verifying the most important security controls are in place. It removes the need for attestations, replacing them with an assessment-backed insurance policy, which can lead to significant reductions in premiums."

The program's combination of insurance with a comprehensive cybersecurity review gives brokers a powerful tool to offer to clients, enabling them to provide a more accurate, streamlined package for cyber insurance.

Bridging the gap between security and insurance

For the broker community, the value of this program lies in its ability to help both insurers and clients. By streamlining the application process and providing actionable insights, brokers can offer more targeted insurance solutions. Bay explained how this benefits both sides: "The program creates transparency and aligns the broker's offering with the customer's real-world security needs, reducing paperwork and providing verified information on their security posture."

The program also helps insured organisations. By offering clear, actionable steps, companies can improve their security posture, increasing their chances of receiving favourable insurance terms. "We don't want to just give them a report and walk away," Henry emphasised. "We provide key indicators of what they have, what they need, and where there are gaps. This allows businesses to address their security challenges before they become deal breakers in securing insurance."

Simplifying complex risk assessment

One of the standout features of the program is its simplicity. While cybersecurity risk assessments can traditionally be a lengthy and complex process, the Cysurance Insurability Assessment has significantly reduced that burden. As Henry explained: "A full assessment can take eight to 10 weeks. But for our smallest assessments, we can complete the process in just a few days. We've simplified the process into smaller, more manageable questions based on the level of risk."

This tiered approach allows businesses of different sizes and industries to be evaluated appropriately, ensuring that they are neither overburdened with unnecessary assessments nor underinsured due to missed risks.

Building an association between security and executive teams

Another significant benefit is the way the program supports communication between cybersecurity teams and executive leadership. Bay highlighted that this alignment helps drive meaningful change at the board level. "This is less about auditing security teams than it is about helping cyber professionals better communicate with the executive staff. The assessment provides a clear independent analysis showing what they're doing right and where improvements are needed, which helps everyone get on the same page when discussing insurability."

This transparency not only strengthens the relationship between the broker, the client, and the insurer but also provides critical insights that allow businesses to prioritise their cybersecurity investments more effectively.

A new opportunity for brokers

The collaboration between Cysurance and Check Point offers brokers a unique opportunity to expand their offerings and enhance their role as trusted advisors. The ability to bundle cybersecurity assessments with insurance policies makes it possible for brokers to provide a more comprehensive service to their clients. "This assessment, combined with the insurance policy, allows brokers to participate in both the professional service fee and the insurance commission. It's a win-win, especially when you consider that brokers can now play a critical role in reducing premium costs to their clients without sacrificing their own revenue generation," noted Bay.

The package also allows brokers to offer cyber insurance policies to clients they may not have approached before. "Many brokers aren't quoting cyber insurance for every client, simply because they aren't sure how to speak to the needs of cybersecurity," said Bay. "With this assessment, they can now bridge that gap and confidently offer tailored solutions."

A new standard for the future

With the Cysurance Insurability Assessment Program, both Bay and Henry see a future where cybersecurity and insurance are better aligned, creating a more secure and financially stable environment for businesses. By offering brokers a clear path to assess and insure clients, and by empowering businesses to take proactive steps to improve their security posture, the program provides an essential service in today's risk-laden digital landscape. As businesses continue to face ever-increasing cyber risks, the integration of cybersecurity assessments and insurance is becoming not only a smart strategy but also a necessary one. "Our goal is to reduce costs for the end customer while creating additional economic opportunities for the broker community. This program does exactly that," Bay concluded.

Check Point Global Threat Index: LockBit resurgence

Check Point® Software Technologies Ltd., a pioneering AI-powered, cloud-delivered cyber security platform provider, has published its Global Threat Index for July 2024. Despite a significant drop in June, LockBit re-emerged last month to become the second most prevalent ransomware group, while RansomHub retained the top spot. Meanwhile, researchers identified both a campaign distributing Remcos malware following a CrowdStrike update issue, and a series of new FakeUpdates tactics; FakeUpdates once again ranked first on the top malware list for July.

An issue in the CrowdStrike Falcon sensor for Windows led to cybercriminals distributing a malicious ZIP file named crowdstrike-hotfix.zip. This file contained HijackLoader, which subsequently activated Remcos malware, ranked as the seventh most wanted malware in July. The campaign targeted businesses using Spanish-language instructions and involved the creation of fake domains for phishing attacks.

Check Point's index

Meanwhile, researchers uncovered a series of new tactics employing FakeUpdates, which topped the malware ranking for another month. Users visiting compromised websites encountered fake browser update prompts, leading to the installation of Remote Access Trojans (RATs) such as AsyncRAT, currently ranked ninth on Check Point's index. Alarmingly, cybercriminals have now started exploiting BOINC, a platform meant for volunteer computing, to gain remote control over infected systems.

Maya Horowitz, VP of Research at Check Point Software, said: "The continued persistence and resurgence of ransomware groups like Lockbit and RansomHub underscores cybercriminals' continued focus on ransomware, a significant ongoing challenge for organisations with far-reaching implications for their operational continuity and data security."

Security software update

"The recent exploitation of a security software update to distribute Remcos malware further highlights the opportunistic nature of cybercriminals to deploy malware, thereby further compromising organisations' defences. To counter these threats, organisations will need to adopt a multi-layered security strategy that includes robust endpoint protection, vigilant monitoring and user education to reduce the onslaught of these growingly massive cyberattacks," said Maya Horowitz, VP of Research at Check Point Software.

Top malware families

The arrows relate to the change in rank compared to the previous month. FakeUpdates was the most prevalent malware last month with an impact of 7% of worldwide organisations, followed by Androxgh0st with a global impact of 5%, and AgentTesla with a global impact of 3%.

↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.

↔ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting the PHPUnit, Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.

↔ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
↑ Formbook – Formbook is an infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.

↓ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.

↔ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.

↔ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fuelling large-scale sextortion campaigns.

↑ Vidar – Vidar is an infostealer malware operating as malware-as-a-service that was first discovered in the wild in late 2018. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. Additionally, the malware is used as a downloader for ransomware.

↓ AsyncRAT – AsyncRAT is a Trojan that targets the Windows platform. This malware sends out system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.

↓ NJRat – NJRat is a remote access Trojan, targeting mainly government agencies and organisations in the Middle East. The Trojan first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.

Top exploited vulnerabilities

↑ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.

↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands on the affected system.

↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to run arbitrary code on the victim machine.

↔ Apache HTTP Server Directory Traversal (CVE-2021-41773) – A directory traversal vulnerability exists in Apache HTTP Server. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.

↓ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – There exists a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitise the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.

↓ TP-Link Archer AX21 Command Injection (CVE-2023-1389) – A command injection vulnerability exists in TP-Link Archer AX21. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.

↑ MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) – A remote code execution vulnerability exists in MVPower CCTV DVR. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

↓ Dasan GPON Router Authentication Bypass (CVE-2024-3273) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands on the affected system.

↔ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.

↑ NETGEAR DGN Command Injection – A command injection vulnerability exists in NETGEAR DGN. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
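The directory traversal entries above describe the defect as a server that does not properly sanitise the URI before mapping it onto a file. The following Python is an added example, not code from Check Point or from the Global Threat Index, showing the two halves a defender cares about: a resolution routine that percent-decodes the request path before it normalises it (the ordering a naive prefix check on the raw URI gets wrong, including for percent-encoded and double-encoded forms of `..`), shown beside that naive check, and a scan over access-log lines that flags traversal attempts regardless of the status code the server returned. The document root `/var/www/html`, the log lines and the client addresses are constructed for the example.

```python
"""Request-URI traversal check and access-log scan.

Added example (not Check Point's code). Illustrates the defect behind the
'Malicious URL Directory Traversal' entry: a web server that maps a request
URI onto the filesystem without first decoding and normalising it.
The document root and log lines are constructed for the example.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root used for the worked resolution below.
DOCROOT = "/var/www/html"

# Constructed Common Log Format lines; addresses are from a documentation range.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.6 - - [01/Jul/2024:10:00:02 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [01/Jul/2024:10:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 0
203.0.113.8 - - [01/Jul/2024:10:00:04 +0000] "GET /static/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 0
203.0.113.9 - - [01/Jul/2024:10:00:05 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def fully_decode(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    '%252e' is seen as '.' rather than surviving as the literal '%2e'."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def canonical_segments(path: str):
    """Walk the decoded path one segment at a time.

    Returns (segments, escaped). 'escaped' becomes True the moment a '..'
    tries to climb above the root; that is the traversal condition, and it is
    only visible when decoding happens before normalisation."""
    segments = []
    escaped = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True
        else:
            segments.append(seg)
    return segments, escaped


def is_traversal(uri: str) -> bool:
    """True if the request path, once decoded, would leave the document root."""
    path = fully_decode(uri.split("?", 1)[0])
    return canonical_segments(path)[1]


def resolve_under_root(docroot: str, uri: str):
    """Safe mapping of a URI onto the filesystem: decode, normalise, then join.
    Returns the canonical path, or None when the request escapes docroot."""
    path = fully_decode(uri.split("?", 1)[0])
    segments, escaped = canonical_segments(path)
    if escaped:
        return None
    return posixpath.join(docroot, *segments)


def naive_is_safe(docroot: str, uri: str) -> bool:
    """The weak check: normalise the RAW (still-encoded) URI and test the prefix.
    It catches a plain '../' but passes '.%2e' and '%252e%252e', because those
    segments are not special until something decodes them later."""
    joined = posixpath.normpath(posixpath.join(docroot, uri.lstrip("/")))
    return joined.startswith(docroot)


def scan_log(log_text: str):
    """Return (client_ip, uri) for every request line that attempts traversal,
    whatever status code the server answered with."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        uri = match.group("uri")
        if is_traversal(uri):
            hits.append((line.split(" ", 1)[0], uri))
    return hits


if __name__ == "__main__":
    for ip, uri in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {uri} (naive check passes it: {naive_is_safe(DOCROOT, uri)})")
    print("benign request resolves to", resolve_under_root(DOCROOT, "/docs/a/../b.html"))
```

Two of the three flagged sample requests received 403 or 404 responses, so a scan that only looks at successful responses would miss them; the scan keys on the decoded path instead, which is also why it is worth running over historical logs after a traversal advisory lands. The `naive_is_safe` routine is kept only to show the failure mode: it accepts the encoded requests that `resolve_under_root` rejects.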
Top mobile malware

Last month Joker was in first place in the most prevalent mobile malware, followed by Anubis and AhMyth.

↔ Joker – An Android spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware silently signs the victim up for premium services on advertisement websites.

↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.

↔ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.

Top-attacked industries

Last month Education/Research remained in first place in the attacked industries globally, followed by Government/Military and Communications.

Education/Research
Government/Military
Communications

Top ransomware groups

The data is based on insights from ransomware "shame sites" run by double-extortion ransomware groups that posted victim information. RansomHub is the most prevalent ransomware group this month, responsible for 11% of the published attacks, followed by Lockbit3 with 8% and Akira with 6%.

RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.

Lockbit3 – LockBit is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States.

Akira – Akira ransomware, first reported in the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a ".akira" extension to file names, then presents a ransom note demanding payment for decryption.

S&P Global: Cyber security essentials for servicers

Over the last several years, cyber security, a crucial component in any servicer's operation, has taken on an increasingly visible role due to numerous high-profile data breaches impacting various industries. According to the cyber security research firm Check Point Research, the average number of cyber attacks per organisation per week rose 38% in 2022 from 2021, and increased by 28% in the six-month period ending March 31, 2024. The average number of weekly events has also grown year over year. In this article, S&P Global Ratings' analysts look at the importance of cyber security for U.S. and Canadian servicers and discuss how they assess a servicer's program in the evaluation review process.

High cost of corporate inaction

Inaction against preventing cyber attacks can come with a high cost and remediation actions. For example, International Business Machines Corp. (IBM) noted in its Cost of a Data Breach Report 2024 that the average cost of a corporate data breach in 2024 was $4.88 million, a 10% increase from the prior year and the largest yearly increase since the start of the COVID-19 pandemic. Additionally, it was noted that 70% of organisations experiencing a breach indicated it was a significant or very significant disruption. Moreover, IBM said that 63% of organisations are planning to increase their security investments as compared to last year when the figure was 51%, focused mainly on employee training as the top investment area.

Remediation actions

As a result of cyber attacks and breaches, servicers have had to implement various corrective actions, including suspending certain customer-facing activities (website access, payment processing, etc.) and halting internal operations until an investigation determines the method of attack, the impact on systems, and how to stop the attack. Remediation actions, in addition to addressing the source of the breach, generally include notifying affected customers and offering credit monitoring services for a predetermined period of time. It is also not uncommon for litigation to be initiated on behalf of the affected parties, alleging inadequate cyber security procedures as the cause of the breach.

Assessing a servicer's cyber security program

While servicers have implemented various cyber security tools and programs, hackers continue to design increasingly sophisticated malware with the potential to penetrate companies' defence systems. Though not all companies have been impacted by cyber breaches, hackers are increasingly using AI and other tools to develop malware that can infiltrate even the most cutting-edge applications, so a servicer's cyber security program becomes even more important as hackers evolve. S&P Global Ratings' servicer evaluation group recognises that a sound cyber security program is a significant factor in the overall analysis of a servicer's operations. When conducting an operational assessment of a servicer, they ask the company to describe its overall cyber security program.

The general topics they discuss include the following:

Its information security program and management team (e.g., the CEO, chief information officer, and chief information security officer);
Staff resources dedicated to monitoring company systems to triage and address potential cyber security threats;
Frequency of phishing and/or smishing testing programs, overall click rates, and remediation actions;
Timing of vulnerability scans and what internal and external tools are employed to assist in monitoring and identifying potential threats;
The incorporation of AI into the servicer's preventive tools and systems used to combat attacks and secure systems;
Frequency of external penetration tests and the vendor's rotation schedule, along with a discussion of the latest results;
Frequency of internal penetration testing and the results of the last test;
The servicer's data storage backup routines, including how data is backed up (i.e., the cloud, tapes, or both) and whether data is stored on air-gapped media;
Recovery time and recovery point objectives for the servicer's data and business units;
Frequency of a servicer's recovery exercises, including data backups to validate their restoration ability;
Data encryption practices at rest and in transit;
Plans to address potential ransomware attacks and the frequency of tabletop exercises;
Employee training on cyber and information security, including social engineering;
System and Organisation Controls (SOC) 2 certification or other evaluations or tools used to assess the company's cyber security posture; and
The process to evaluate third-party vendors' cyber security posture.

Staying ahead of the curve

Sustained investments in cyber security will be crucial for any business entity, especially servicers, as they will continue to experience ever-evolving threats requiring additional expertise, capital, and technology to stay ahead of the curve. Despite servicers' significant expenditure on cyber security staff and systems to support their programs, these preventative measures are only effective if the program is successfully implemented and maintained. Notwithstanding, even the best preventative measures will be continuously challenged by the ever-increasing sophistication of attacks.

Event-reporting regulations

A key focus for servicers will be whether they can keep up with the malicious actors who try to penetrate their systems and obtain non-public information, thereby disrupting operations, affecting customers, and posing significant financial harm to the company. New privacy and event-reporting regulations and compliance requirements from the states of California and New York have impacted various industries, servicers among them. Although not directly affecting servicing, the Securities and Exchange Commission has also stated that cyber security is one of its 2024 priorities when conducting examinations of broker-dealers and investment advisors.

New government regulations

As servicers navigate ever-increasing cyber threats and the rollout of new government regulations, their dependence on the digitisation of information and processes should be balanced with comprehensive and preventative cyber security controls in order to effectively combat the risks that lie ahead. While this article focuses on the impacts of cyber security for the Servicer Evaluation ranking process, S&P Global Ratings has written additional articles that relate to cyber security across other industries and the potential credit impacts they may have (see "Cyber Risk Insights: Navigating Digital Disruption Booklet Published," published July 9, 2024, and "Digital Booklet Published: Cyber Risk Insights," published Feb. 22, 2023). The analysts would like to thank Marilyn Cline for her contribution to this report.
