Skip to main content

Cyber Insurance

Nexus Completes Acquisition of Evolve MGA

Morristown, NJ – 12 July 2023 – Nexus Underwriting (“Nexus”) announced the completion of its acquisition of Evolve Cyber Insurance Services LLC (“Evolve”), a leading California-headquartered cyber MGA.

This is the 17th acquisition for Nexus since its formation in 2008 and marks an important expansion into the fast-growing specialist cyber class of business. Evolve is a three-time Cyber MGA of the year winner and will now offer the new Evolved NexGen cyber policy, supported by Lloyd’s of London, in all 50 U.S. states. The company operates out of offices in California, New York, and Texas, and has over 3,000 broking partners nationally, serving around 6,000 policyholders.

Evolve is led by 4th generation insurance professionals and brothers Michael and Patrick Costello, together with a team of cyber experts who have built one of the largest SME cyber portfolios in the U.S. The acquisition of Evolve significantly expands Nexus’s cyber insurance capabilities and market reach. Evolve’s strong distribution network and experienced team of cyber experts will complement Nexus’s existing technology-enabled data driven underwriting and position the company as a leading provider of cyber insurance solutions.

“We are thrilled to announce the completion of this acquisition,” said Adam Kembrooke, Chief Executive Officer and President of Nexus Underwriting U.S. “Evolve is a highly respected market leader in the U.S. cyber insurance space, and their team of cyber experts is second to none. This acquisition is a strategic move that will not only expand our specialty product offerings but also position Nexus as a leading provider of solutions at the forefront of the rapidly growing cyber insurance market.”

“We are excited to join the Nexus team,” said Michael and Patrick Costello, co-founders of Evolve. “Nexus is a leading specialty MGA with a strong track record of success, and we believe that this combination will create a powerful force in the cyber insurance market. Together, we will be able to offer our customers a broader range of products, provide them with superior service with the support they need to protect themselves against cyber risk and best-in-class claims support should they need it.”


About Nexus
Founded in 2008 and with its global headquarters in London, UK, Nexus Underwriting is a leading, independent, specialty Managing General Agent (MGA) with a focus on niche insurance classes of business. Nexus is a wholly owned subsidiary of Kentro Capital Limited, a holding company with a focus on investing in MGAs and insurance brokers globally. Kentro provides institutional support
to its wholly owned businesses, employs over 350 staff in nine countries: UK, France, Germany, Italy, The Netherlands, USA, China (Hong Kong SAR), UAE (Dubai) and Malaysia (Labuan FT) and has completed 27 acquisitions.

For more information, please visit:

About Evolve Cyber Insurance Services LLC
Evolve MGA offers best-in-class cyber insurance and cyber security services across the USA. Evolve has specialized in underwriting SME cyber since 2015. Based out of Dallas, Texas & Los Angeles, California, Evolve has over 3,000 retail broking partners serving around 6,000 policyholders.

For more information, please visit: or email us at [email protected]

China Hacked 13 US Pipeline Operators from 2011-2013

Chinese Flag and Pipelines

Cyber warfare? China hacked 13 key US pipeline operators from 2011-2013, according to a harrowing advisory from the FBI and CISA.

SAN RAFAEL, CALIFORNIA – On July 20th, the FBI and CISA announced that Chinese state-sponsored attackers breached 13 US oil and gas pipeline companies between 2011 and 2013. Attackers gained access via spear-phishing campaigns targeting employees of the pipeline companies.

23 Pipeline Operators Were Targeted

“Overall, the US Government identified and tracked 23 US natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 7 had an unknown depth of intrusion,” the advisory states.

The advisory also provides a list of mitigation strategies which energy companies should implement for better defense moving forward.

What was the motive?

It appears these attacks were executed for intelligence gathering, and to potentially unleash larger attacks in the future. Unlike most for-profit hacking, the end goal here was not strictly financial gain.

“CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access.”

Any relation to the Colonial Pipeline?

It is unclear if or how these years-old attacks may be related to the massive Colonial Pipeline ransomware attack in 2021. It should be noted, however, that after the Colonial Pipeline shutdown, the Department of Homeland Security (DHS) announced new pipeline cybersecurity requirements for pipeline owners and operators.

The new directive empowers DHS to identify and respond to cyber threats which target US infrastructure.

Related: Fuel to the Fire: Takeaways from the Colonial Pipeline Attack

Mercedes-Benz Breach Update: 1.6 Million Records Exposed

Mercedes Benz Logo

1.6 million individuals have been exposed. 1,000 individuals have highly sensitive information leaked.

SAN RAFAEL, CALIFORNIA – On June 11th, one of Mercedes‘ vendors informed the German-based auto manufacturer that a cloud storage security vulnerability had exposed personal information of 1.6 million individuals. Last week, Mercedes revealed the results of their internal investigation into the breach. Of the 1.6 million records exposed, around 1,000 contained extremely revealing information.

How did this happen?

This is a textbook example of a third party data breach. One of Mercedes’ vendors (who has remained unnamed to this point) was responsible for storing customer information on behalf of the organization. According to the company, the breach affects individuals who had entered sensitive information on Mercedez-Benz and dealer websites between 2014 and 2017.

From Mercedes… “No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.” But just because Mercedes was not directly responsible for the hack, they are still liable, and will offer two years of credit monitoring to individuals who were exposed. The company says it is also notifying the government agencies.

For a smaller number of people – which Mercedes-Benz says is less than 1,000 – more sensitive data was exposed, including:

  • self-reported credit scores
  • driver’s license numbers
  • Social Security numbers
  • credit card numbers

Why target Mercedes?

When cyber criminals successfully execute breaches, their goal is to re-sell the stolen data on the Dark Web. Hacking a luxury company like Mercedes is especially lucrative, because its customer have more to lose financially.

Armed with a wealthy individual’s SSN and other crucial information, fraudsters can execute a plethora of scams, including opening new lines of credit, accessing that individual’s bank accounts, and even extortion.

Any relation to the Volkswagen hack?

This breach is eerily similar to the Audi/Volkswagen breach which was revealed in mid-June. That was also a third party breach, attributed to one of the company’s marketing vendors who has also remained unnamed.

Around 90,000 people had their data leaked in that attack, but it is unclear if it was executed by the same cyber criminals behind the Mercedes attack.

How does Evolve defend policyholders?

Prevention is always the best defense, so it is crucial to monitor for data exfiltration. Data exfiltration is when the bad guys steal information from your servers or machines. Evolve partner BlackFog is the only on-device data exfiltration solution on the market, and we cannot stress its importance highly enough. All Evolve policyholders receive a free 7-day trial, and a meeting with BlackFog’s VP of Threat Intelligence to review threats to your organization.

Another key is to monitor the Dark Web for stolen information. Services like Skurio scan the Dark Web 24/7, looking for stolen credentials tied to your organization. If someone in your organization has their credentials leaked, you will be notified.

Related: Audi/Volkswagen Breach Exposes 3.3 Million People

Evolve Voted Top MGA at Advisen Cyber Risk Awards

Team Evolve celebrating

We’re honored to have won two categories at Advisen’s industry-leading cyber risk awards.

LAGUNA NIGUEL, CALIFORNIA – “When adversity strikes, that’s when you have to be the most calm. Take a step back, stay strong, stay grounded, and press on.” -LL Cool J

The cyber risk industry faced all kinds of challenges this year, from rapid marketing hardening to gasoline shortages to attacks on the world’s food supply.

But after the dust settled on a wild 12 months, Evolve came out on top in both categories in which they were nominated:

  • Cyber MGA of the Year (2nd consecutive win)
  • Cyber Risk Industry Person of the Year (Pat Costello… 2nd consecutive win)

Thank you to all of our incredible employees, and to all the brokers out there who support the mission of Evolve MGA. We couldn’t do any of this without you. Cheers.

Special Advisory: Password Hygiene Tips

Computer log-in image.

Follow these 5 password hygiene tips to protect your business from password-related hack attacks.

Evolve's Password Hygiene White Paper

SAN RAFAEL, CALIFORNIA – As the use of online services, personal computers, smartphones and tablets has risen over the years, so has the number of passwords that users must remember. Research conducted in early 2020 has shown that the average person now has 70-80 passwords. Implementing password hygiene tips are now more crucial than ever.

Bad password hygiene can be exploited by an attacker in a variety of different ways:

  • By tricking someone into revealing their password (e.g. phishing).
  • Password spraying or brute-force attacks. Password spraying is where a small group of common passwords are used against many accounts, and brute-forcing is where many passwords are used on a single account or a small group of accounts.
  • Using stolen passwords. These can be found from leaked data breaches, by stealing a password hash file, discovering insecurely stored passwords or by using a keylogger or other means to intercept passwords as they are transmitted or typed.
  • Shoulder surfing, where an attacker observes someone typing in their password.
  • Manual password guessing. This is easier for an attacked if you are using passwords that include personal information (e.g. your pet’s name of an important date).

Evolve’s Top 5 Password Hygiene Tips

1. Reduce Your Reliance on Passwords All Together!

• Utilize Single Sign-On (SSO), hardware tokens, and biometric authentication whenever possible.

• Enable Multi-Factor Authentication (MFA) on all accounts. Period.

2. Next, Implement Technical Solutions

• Use account lockout or throttling to defend against brute force attacks.

• Consider security monitoring for brute force attempts.

• Blacklist certain commonly guessed passwords.

3. Protect All Passwords

• Ensure all web apps use HTTPS to protect passwords in transit.

• Protect any access management systems and user databases.

• Always change default passwords.

4. Don’t Succumb to Password Overload

• Use a password manager to securely store and manage passwords.

• Only ask users to change passwords on indication or suspicion of compromise rather than enforcing regular password expiry.

5. Help Users Generate Better Passwords

• If a password manager is used, encourage the use of a built-in password generator.

• Prevent users from setting short passwords; do not limit length.


In review, Evolve hopes this advice can assist you in securing your organizational approach to passwords and authentication by placing a greater reliance on technical defenses and in-house processes. At the end of the day, passwords should form just one part of your access control and identity management approach.

Related: Ransomware Attack Forces Hospital Back to Pen and Paper

Cyberattack Forces Scripps Health to Use Pen and Paper

Scripps Hospital

The San Diego-based hospital system has reverted to manual paperwork as suspected ransomware attack continues.

SAN DIEGO, CALIFORNIA – Scripps Health, a top healthcare system in California, was hit by a cyberattack this past weekend. As a result, the network has been forced to revert to manual data entry with pen and paper, and has been forced to turn away emergency patients.

Scripps Health acknowledged that they fell victim to an attack, but did not go in depth on the type of attack, or if there are known suspects. It is also unknown whether patient records were compromised, which will have a massive impact on the total costs associated with the attack. HIPAA violations can run over $50,000/record, leading to unfathomable losses when thousands of records are breached.

Other Healthcare Attacks

Hospitals and healthcare systems are a top target for hackers, especially in ransomware attacks. Because downtime is so catastrophic in the healthcare industry, hackers believe these types of victims will be faster to pay their ransom demands. Additionally, criminals tend to target organizations with dated cybersecurity practices and network architecture, which fits the description of many hospital networks.

Last September, ransomware shut down Fortune 500 healthcare network Universal Health Services. Similarly, they were forced to use paper forms and divert emergency patients.

That same month, ransomware struck

Cybersecurity Takeaway: Vulnerability Assessments are Key

The Scripps attack is believed to have hit both email and backup servers, but how the criminals got into Scripps’ system remains unknown. At Evolve, we believe employee training is the #1 step you can implement today to better protect your organization, as human error remains the top cause of cyberattacks. But what about threats beyond human error?

It is a best practice to routinely conduct vulnerability and/or penetration testing on your network to find areas of potential weakness. All Evolve policyholders receive a free vulnerability assessment from industry leader BitSight, one of Evolve’s 6 Free Risk Management Providers.

Related: Homicide Charges Filed in German Ransomware Attack

Ransomware Gang Actively Threatening Washington D.C. Police Department

Police cars at night.

Babuk Locker, a Russian ransomware group, is threatening to expose criminal informants to local gangs.

WASHINGTON, D.C. – A Russia-based ransomware gang has executed a ransomware attack on the Washington D.C. Police Department, and is threatening to leak department data unless the Department meets it’s ransom demand. In a sinister turn of events, the hackers have said they will send the names and identities of informants to gangs in the DC area.

The Department has been relatively quiet in its response, but Sean Hickman of the D.C. Police did say “We are aware of unauthorized access on our server.” In an update, hackers released screenshots of the files it stole, and made those screenshots public on its website (see below).

Who Is the Babuk Locker Gang?

Babuk Locker Gang is a relatively new arrival to the ransomware scene, having only begun operations in January 2021.  They have already hit some very high profile targets, including the NBA’s Houston Rockets.

The group separates itself from other ransomware gangs because its strain has the ability to encrypt files on virtual hard drives. Darkside and RansomExx are the only other known strains with this capability.

Ongoing Federal Response

Last week, the Biden administration named John Carlin to head a ransomware task force of F.B.I. agents and prosecutors.

Carlin notes that “Ransomware can have devastating human and financial consequences. When criminals target critical infrastructure such as hospitals, utilities and municipal networks, their activity jeopardizes the safety and health of Americans.”

In a similar attack on the police department of Stuart, Florida in April 2019, prosecutors had to drop 11 narcotics cases against six drug-dealing suspects after evidence was destroyed by hackers.

Related: Apple Hit with $50M Ransom Demand

Ransomware with a Twist: Apple & Quanta Hit in $50M Attack

Macbook on a desk.

REvil Group’s newest tactic? If you try to extort a business and they won’t pay you, start extorting their customers.

SAN RAFAEL, CALIFORNIA – On Tuesday, Apple revealed its sparkling new iPads and iMacs. Unfortunately for the tech giant, the good vibes didn’t last long. Russian hacking group REvil executed a successful ransomware attack on one of Apple’s top Macbook manufacturers, and is now holding both Apple and the Taiwanese manufacturer, Quanta, hostage to the tune of a $50M ransom demand. Hackers got into Quanta’s system via the Microsoft Exchange Server Vulnerabilities which Evolve warned of last month.

As proof of the attack, REvil posted 15 screenshots of proprietary MacBook blueprints on the dark web, and has threatened to leak new data every day until either Apple or Quanta pays the record-tying ransom demand of $50M. That is the same amount REvil demanded in their attack of Acer in March.

A New Twist to Ransomware

Ransomware criminals have historically only extorted the primary attack victim, not their customers. REvil’s extortion of Apple after failing to get Quanta to pay is a new tactic.

Per Dmitry Smilyanets, Recorded Future‘s threat intelligence analyst… “This is a new approach in the double extortion name-and-shame technique, where the threat actor engages with the affected third parties after the unsuccessful attempt to negotiate ransom with the primary victim.”

Other potential victims?

REvil appears to be targeting Apple because of their recent product release, but it should be noted that the Quanta attack may impact many companies beyond the creators of the Macbook and iPhone.

The criminals released a list of other Quanta customers, including Dell, Hewlett-Packard Inc., Alienware Inc., Inc., Cisco Systems Inc., Fujitsu Ltd., Gericom, Lenovo Group Ltd., LG Electronics Inc., Maxdata, Microsoft Corp., MPC, Blackberry Ltd., Sharp Corp., Siemens AG, Sony Group Corp., Sun Microsystems Inc., Toshiba Corp., Verizon Wireless and Vizio Inc.

How does Evolve help policyholders prevent these attacks?

Traditional anti-virus and threat-detection platforms scan your computer and/or network for files that may contain malware. And they do a good job of that.

The issue is that in these types of attacks, victims care just as much (or more) about stealing files rather than simply encrypting them. The answer? Data exfiltration detection, like that offered by Evolve’s newest risk management provider, BlackFog.

BlackFog detects data leaving your network, which enables them to spot ransomware threats before competitors. All Evolve policyholders receive access to BlackFog as part of our complimentary policyholder risk management suite (valued at $6,500+).

Related: Computer giant Acer hit with $50M ransom demand.

Accellion Higher Ed Breach Continues to Worsen

University Library

Stanford Medical School, University of California system, University of Miami, and Colorado University all hacked.

SAN RAFAEL, CALIFORNIA – Hackers connected to two cyber crime groups, FIN11 and Clop, went on a hacking spree that has impacted multiple American universities, including Stanford, the UC system, University of Miami, and Colorado University. Leaked data includes social security numbers, medical information, transcripts, and sensitive financial documents.

Accellion’s File Transfer Appliance is a service used by many companies, government entities, and universities to transfer sensitive files. The breach stems from four vulnerabilities in the service, which created a perfect storm for hackers.

Per Jake Williams, founder of cybersecurity firm Rendition Infosec, “These vulnerabilities are particularly damaging, because in a normal case, an attacker has to hunt to find your sensitive files, and it’s a bit of a guessing game, but in this case the work is already done. By definition, everything sent through Accellion FTA was pre-identified as sensitive by the user.”

The motive? Financial gain.

One of the crime groups behind the breach, Clop, is known primarily as a ransomware group, but this is not a case of ransomware, just simple extortion. In ransomware attacks, hackers install malware onto a network, and encrypt files in order to demand a ransom payment.

In this case, hackers gained access to the universities’ sensitive data directly from Accellion, exfiltrated it, and sent threatening emails to impacted parties demanding a ransom in exchange for hackers agreeing not to leak all of the stolen data.

From the the University of California’s s official statement:

We believe the person(s) behind this attack are sending threatening mass emails to members of the UC community in an attempt to scare people into giving them money. Anyone receiving this message should either forward it to your local information security office or simply delete it.”

A Note on Legacy Systems

Accellion has consistently preached that FTA (which has been around for more than 20 years) is at the end of its life cycle. They planned to end support for FTA on April 30th, and had discontinued support for its operating system, Centos 6, on November 30th of 2020. The company has been working to transition customers away from FTA and onto its new platform, Kiteworks.

Legacy systems are old, out-dated systems or pieces of software that can still be used, but no longer receive security updates or patches for vulnerabilities. Hackers love to target legacy systems because of the lack of security, and also because organizations who use them are often behind the curve in other areas of IT and cyber security.

3rd party breaches… here to stay.

The Accellion breach highlight the dangers of 3rd party breaches. No matter how strong your organization’s cyber security, you cannot control the risk associated with external partners and their security.

It’s a strong argument for choosing a cyber insurance program that offers substantial 3rd party coverage.

Related: Texas School District Falls Victim to $2.3M Email Scam

Personal Data of 500M+ Facebook Users Leaked Online

Facebook Logo Reflection

Over 500 million Facebook users had their personal information leaked on the dark web. Here’s how Evolve can help.

SAN RAFAEL, CA – First reported by Business Insider, personal information of more than 500 million Facebook users has been discovered in a forum on the dark web. The information, which spans users from at least 106 countries, includes phone numbers, Facebook log-in IDs, full names, locations, birthdays, and email addresses.

The bulk of the leaked data stems from a 2019 vulnerability which Facebook fixed immediately. This is significant, because it proves that once information is leaked, it can be nearly impossible to expunge from the web, even for a giant like Facebook.

Evolve’s Dark Web Scanner + Skurio & Cyber Risk Aware

The Dark Web Scanner

No matter how strong your company’s cyber defense, you are vulnerable to third party breaches. For example, if one of your employees has used their business email address when signing up for Facebook, it may have been leaked in this data set. Similar leaks have impacted LinkedIn, Canva, and countless other companies used extensively by American businesses.

Evolve offers a free tool called the Dark Web Scanner, which scrapes the dark web for any compromised credentials connected to your business. Furthermore, you will find out how and when that data was breached.

The Dark Web Scanner is available for use by all, but it should be noted that all active Evolve policyholders receive an entire suite of services designed to protect your business data leaks and the attacks which typically follow. For the purpose of this writing, let’s focus on Skurio and Cyber Risk Aware, as these are two of our top partners when it comes to data breaches specifically.

Skurio – Dark Web Monitoring

Skurio scans the dark web 24/7 for information tied to your organization. It is similar in practice to our Dark Web Scanner, but runs around the clock.

Knowing that your business has been compromised right away gives you a leg up on hackers, and allows you to notify your internal IT team and Evolve’s forensic team of a potential breach.

Cyber Risk Aware – Live Phishing Training

You may be wondering… if hackers only get your email address, name, and phone number, can they really execute successful cyber attacks? Unfortunately, the answer is yes.

The most common attack stemming from data leaks is email or phone-based social engineering. Armed with thousands (or in this case, millions) of real email addresses, hackers send out phishing emails in bulk, hoping that you or your employees click on the malicious links in their messages. Once clicked, these links can lead to malware being embedded in your network.

As usual, the best solution is prevention. Cyber Risk Aware sends fake phishing emails that look real. If an employee opens of the the emails, they will be directed to an online course on phishing awareness, and management will be notified of who clicked on the message.

Related: Dark Web Scanner FAQs