PHLY, FICOH and TMA recover from 22-day system outage following a cyberattack

By Isha Marathe

July 2 - (The Insurer) - Tokio Marine-owned Philadelphia Insurance Companies (PHLY), First Insurance Company of Hawaii and Tokio Marine North America have fully restored their core insurance systems after an unauthorized actor infiltrated their networks on June 9.

Tokio Marine Group said that all company systems were affected by the system shutdown, but that "contrary to media reports, no systems were encrypted, and this was not a ransomware event," in a statement issued at 4 p.m. EST on Tuesday.

"Our investigation remains ongoing and if we determine that customer data was accessed, we will advise those whose information was involved."

The company has transitioned from containment of the threat to recovery of business operations, but a full return to normal operations will take time.

"Late on (June 9), our information security team received an alert regarding suspicious activity on our network. In response, we chose to disconnect the network to contain the threat," the statement said.

"The network shutdown caused a disruption to our operations, which we are in the process of resolving. We have reported the incident to law enforcement and have engaged third-party forensic experts to assist us."

Cyber Risk Insurer reported on June 17 that PHLY was offering flat renewal rates applied against exposure change on policies renewing through June 20 due to the then ongoing disruption caused by its IT systems outage.

The publication also reported that the entity responsible for the attack on PHLY was Scattered Spider, a term used to identify activities linked to a set of hacking tactics, techniques and procedures, particularly sophisticated social engineering.

Tokio Marine has not disclosed the particular actor responsible for its outage.

"We are still conducting a comprehensive forensic investigation... Most of our core business systems have been restored. A full return to normal internal operations will take time, but we are working around the clock to get things back to normal for our agents and policyholders," the company statement said.

"While this incident did not involve our email system or any form of malware transmission, it is always good to exercise caution when receiving any unsolicited emails or phone calls asking for personal information."

Tokio Marine companies were not alone in experiencing cyberattacks in June.

Erie Insurance and Aflac also faced system outages as a result of unauthorized access to their networks. The two companies are now facing litigation from employees and customers who allege that they failed to secure their personal information during the breach.

John Hultquist, chief analyst within the threat intelligence group at Alphabet's Google, said on June 16 that "at least two" insurers were targeted by Scattered Spider, which the group said is “a financially motivated threat actor characterised by its persistent use of social engineering and brazen communications with victims."

Hultquist did not disclose who those two insurers were, but cautioned that the insurance industry should be on the lookout for more attacks, as Scattered Spider is liable to attack entities within a single vertical in one go.