In a heightened cyber threat environment, prevention, preparedness, and protection are essential. Enhanced cyber risk management strengthens an organization’s resilience against ransomware and other financial cyberattacks. It also equips them to handle a volatile geopolitical climate that could lead to larger-scale incidents, according to Global Cyber Risk Insurance Report.
Risks associated with cyber warfare and systemic events more generally – scenarios where single attacks trigger widespread failures across multiple organisations – remain a concern but worst-case scenarios have not yet come to pass.
The risk of and uncertainty around aggregation continues to hang over the market by impeding capital inflows and tempering risk appetite, but loss data to date shows that the most pervasive threat comes from targeted cyber attacks carried out by criminal gangs rather than state actors.
Indeed, much of state-level cyber activity connected to current warzones has been integrated and contained to the kinetic campaign.
According to Howden’s 4th annual cyber report, this is indicative of shifting priorities during conflicts: cyber tactics and tools deemed most effective in supporting military goals are likely to take priority in certain phases.
Aggregation on the cyber insurance market
Hostile governments nevertheless continue to shield criminal actors in their respective countries, allowing them to operate with near impunity when attacking Western companies and critical infrastructure, according to Cyber Security Global Trends report.
Healthcare has been a prime target for a number of years now, likely reflecting the prevalence of legacy systems, large volumes of sensitive data and a relatively high willingness to pay ransoms to restore operations quickly and protect life.
Systemic cyber exposures present challenges for an insurance market built on underwriting mostly geographically contained and uncorrelated risks, and being guided in the process by historical data to help manage aggregations, estimate potential losses and price policies.
Recorded activity against government and IT entities was higher than all other sectors combined during this timeframe, and a number of countries close to Russia’s border, the eastern flank of NATO especially, were targeted heavily.
Reported ransomware attacks on U.S. critical infrastructure
Systemic cyber attacks are highly uncertain in terms of trigger, likelihood and size. On the one hand, the potential for loss is clear – the proliferation of attack surfaces from rapid digitalisation, limited understanding of where and how technologies are vulnerable and a dearth of historical data on cyber catastrophes – but it is also true that only a small number of nation state actors or highly sophisticated groups have the capabilities, expertise and resources to execute such attacks.
These actors need to balance the attendant risk of escalation and reprisals associated with a large-scale cyber attack.
Several incidents in recent years, including SolarWinds, Microsoft Exchange, Kaseya, Log4j and MOVEit, have seen threat actors target software supply chains in an attempt to maximise the fallout across multiple organisations, even if losses have ultimately been manageable for the insurance market.
Insured loss estimates for high-profile cyber events vs GWP for global cyber market
Change Healthcare is the latest event to raise questions about the extent of aggregation risk. Whilst it will take some time to know how losses will develop, Verisk’s Property Claim Services (PCS), a provider of insurance loss estimates, has designated the event a cyber catastrophe, which points to a market loss in excess of USD 250 million.
The cyber market’s capacity to handle losses will increase as it reaches the scale of other major property and casualty insurance lines and maintains risk-appropriate pricing.
Clear guidelines on war exclusions for most nation-state attacks will likely reduce claims disputes and attract more capacity to the market.
Aggregation cyber risk
Risk aggregation remains a significant concern. A major event causing a widespread cloud outage, disrupting global payment platforms, or compromising essential software would pose a severe risk to the market and economies. This risk is not unique and applies to other business sectors as well.
The MOVEit and Change Healthcare incidents help to contextualise the loss potential associated with systemic events.
Recent disclosures show that the MOVEit file transfer breach, which began in June 2023, affected approximately 2,800 organisations and 96 million people.
Change Healthcare’s platform supports 900,000 doctors, 33,000 pharmacies, and 5,500 hospitals in the U.S. UnitedHealth’s CEO reported that up to one-third of the U.S. population had sensitive data leaked. These incidents show how economic costs can escalate rapidly.
Despite these breaches, the cyber insurance market dynamics should manage the impact. UnitedHealth, which did not have standalone cyber coverage during the attack, incurred USD 870 million in costs in 1Q2024, with estimates rising to USD 1.6 bn for the year. However, UnitedHealth’s support for affected third parties has limited the fallout and claims.
Estimated economic distribution from major ransomware attacks in 2023/2024
These events illustrate the inherent risk of aggregation across organizations due to a Single Point of Failure (SPoF). Losses have concentrated in specific sectors reliant on industry-specific software and platforms.
As more information comes to light around ransomware exposures, data shows that claims from indirect attacks have been (much) lower on average relative to direct claims.
Coupled with the inconsistent provision of contingent business interruption cover for cyber attacks and the work businesses are undertaking to reduce supply chain risk, the degree of loss aggregation (or frequency of loss) would need to be multiples of what has been experienced to date to generate losses that threaten the premium base of the global market (see how Global Cyber Warfare Risks Increases Insurance Market Losses).
All of which serves to reinforce the importance of securing tailored and comprehensive cyber insurance cover with adequate limits. Access to the best broking advice can make all the difference to achieving this goal in the current marketplace.
Major cyber attacks against government agencies
An increasingly febrile geopolitical environment is adding to the sense of uncertainty. Data from the Centre for Strategic and International Studies (CSIS) provides a snapshot of state-affiliated activity by charting major cyber attacks against government agencies, defence and high-tech companies, reveals a dramatic increase over the last decade.
Russia and China are shown to be the standout perpetrators, accounting for 65% of attacks in the past year (April 2023 to March 2024).
Number of major state-affiliated cyber attacks
The breakdown of cyber incidents by type reflects nation states’ motivations, with close to 90% of incidents politically motivated (data breaches, sabotage and spying being the most frequent forms of attack).
Major state-affiliated cyber attacks by type – 2023/2024
Ongoing wars in Ukraine and the Middle East, along with efforts to undermine democratic processes in a major election year, will significantly impact global cybersecurity.
Companies that have strong cyber security hygiene are reducing the risk of being targeted by cybercriminals.
Low barriers to entry afforded by the ‘as-a-service’ model have been a key facilitator of ransomware and malware activity in recent years, and a recently discovered ‘phishing-as-a-service’ programme, where victims are directed to authentic-looking decoy login webpages, is indicative of a constantly changing threat landscape.
This highlights the crucial work of the market in addressing cyber warfare and determining the scope of coverage for potential major nation-state losses. A recent World Economic Forum survey found that 70% of CISOs noted geopolitics has influenced their firms’ cybersecurity strategies.
Nation states are enhancing their cyber capabilities for political, economic, and military gains, blurring the lines between state-led and affiliate group attacks. XCyber provides intelligence-led expertise on the expected consequences of increased geopolitical risk.
…………………….
AUTHORS: Julian Alovisi – Head of Research at Howden, Peter Evans – Research Director at Howden, Shay Simkin – Global Head of Cyber at Howden, Jean Bayon de La Tour – Head of Cyber at Howden International