Cyber risk hits the top spot in Allianz Risk Barometer, with a series of high-profile ransomware attacks, combined with problems caused by accelerating digitalization and remote working, pushing it up from third in 2021, when it finished behind the closely related risks of business interruption and the Covid-19 pandemic.
The business of ransomware
Ransomware has dominated the cyber threat landscape in recent years: it ranks as the top cyber exposure of concern in this year’s Allianz Risk Barometer (57% of responses), just ahead of data breaches (also 57%). Ransomware has become big business for cyber criminals, who have refined their business models and tactics, lowering barriers to entry and making it easier to carry out attacks. Criminals with little technical knowledge can now carry out ransomware attacks for as little as a $40 per month subscription, using cryptocurrency to help evade detection.
“The commercialization of cyber crime has made it easier for criminals to exploit vulnerabilities on a massive scale,” says Scott Sayce, Global Head of Cyber at AGCS.
Recent years have seen growth in the use of ‘double extortion’ tactics, whereby cyber criminals combine the initial encryption of data with a secondary form of extortion, such as the threat to release sensitive or personal data. Hackers will also now attempt to encrypt or delete backups, making restoration and recovery more difficult or impossible. A worrying recent trend has seen attackers harass employees to gain access to systems, as well as go directly to company senior executives to demand ransoms.
Previously, hackers typically targeted specific industries that dealt with personal data, such as healthcare and retail, but ransomware attacks are indiscriminate, affecting organizations across all sectors, public and private, both large and small.
“In the past, a bank robber may have hit one or two banks in a week after many months of preparation. Yet, with a cyber-attack, you can target thousands of businesses at once, anywhere in the world, and extract more valuable data than before. Just one gigabyte of data is approximately the equivalent of the information contained within around 5,000 books,” says Sayce.
Claims remain at elevated levels
Cyber insurance claims have increased significantly over the past three years, driven by the rise of losses from external manipulation of systems, as well as the increased uptake in cyber insurance. Overall, cyber-related claims seen by AGCS increased from almost 500 in 2018 to more than 1,100 in 2020. Ransomware-related claims increased 50% year‑on‑year in 2020 (to 90), while the total number of ransomware claims received in the first half of 2021 was the same as reported during the whole of 2019 (60), according to AGCS analysis, as criminals have become more organized and better resourced. Extortion demands have more than doubled while business interruption losses have escalated as larger companies and their supply chains are targeted.
There has been a slight deceleration in ransomware claims, although they remain at elevated levels. Future claims trends are difficult to predict, as perpetrators are always looking to exploit new vulnerabilities and employ new tactics. Cyber is one of those lines of business where you can cover one hole in the bucket only to find a new exposure emerges.
However, as insurers and businesses have taken steps to increase cyber security and resilience, and with the increased focus on ransomware by law enforcement agencies, ransomware claims are showing some tentative signs of stabilizing.
Supply chain attacks on the rise
Recent high-profile cyber-attacks have shown a worrying trend for supply chain incidents where hackers target technology or software supply chains, physical critical infrastructure or digital single points of failure. In December 2021, it was reported that hackers had launched well over a million attacks on companies globally in just four days, through a previously unnoticed vulnerability in a widely used piece of open-source software called Log4j.
This followed cyber criminals inserting ransomware into a software update issued by Kaseya, in itself an attack that had echoes of a suspected nation-state incident targeting US software firm SolarWinds in 2020. Last year also saw the Colonial Pipeline ransomware attack, the largest ever against US energy infrastructure, which disrupted fuel supplies.
Such attacks are of growing concern with increasing digitalization of supply chains, as well as growing reliance on digital infrastructure. Increased vulnerability from remote working (34%) and disruption to digital supply chains and cloud platforms (33%) ranked third and fourth in the ranking of cyber risks of concern in this year’s Allianz Risk Barometer.
We will see more attacks against technology supply chains and critical infrastructure – they are a logical response to organizations ramping up their cyber security, protections and responses.
It is also likely that we will see hardware being subverted and injected into IT supply chains, and this is a scenario organizations should prepare for.
Cyber hygiene really does matter
As the cyber risk landscape has changed, the insurance industry has turned its focus to helping clients improve the quality of their cyber risk management. AGCS now assesses each insurance submission it receives against cyber security posture criteria. Assessments look for proactive technology controls – such as endpoint protection and multi-factor authentication – as well as regular backups, patching, training, business continuity arrangements and crisis response capabilities.
The role of insurance has always been to ensure good risk management and loss prevention. Good cyber maturity and good cyber insurance go hand-in-hand. We buy insurance for our home, but this does not mean we leave the front door unlocked, and the same should be said for cyber security.
Even when companies follow best practices and implement technical solutions, systems can still be compromised. Pre-event planning and preparation – such as incident response planning, scenario testing, and board wargaming – are critical to minimizing the impact of a cyber-attack.
It is important that we constantly challenge and test our plans. When we look at our submissions, most companies have business continuity plans, but less than 40% test them.
Which cyber exposures concern your company most over the next year?
Building cyber resilience
Cyber insurance policies are part of an ever-growing range of technical and risk management support services that form a holistic approach to building cyber security resilience, which Allianz Risk Barometer respondents ranked as the environmental, social and governance (ESG) issue that was of most concern to their company, even ahead of climate change.
The cyber market is shifting to a service-oriented offering that combines insurance policies with technology, risk engineering and response services. Through the underwriting process, and throughout the policy period, insurers can help organizations understand the continually changing exposures and focus their investment in cyber security and resilience.
Demand for cyber insurance continues to grow, reflecting increased awareness of exposures associated with digitalization and remote working. However, a true customer-insurer partnership is needed if the insurance market is to be sustainable and meet the needs of businesses, says Williams.
AGCS is working with its clients to improve their risks and facilitate risk transfer. Blanket exclusions and sub-limits for challenging risks like ransomware can leave businesses without important cover, but AGCS is willing to explore alternative solutions to support companies as they take steps to improve their cyber security maturity, as well as address the needs of large companies in high-risk segments, explains Sayce:
We want to be that partner throughout the cyber risk improvement journey. We work with businesses to improve their cyber security, but also to continuously refine what they are doing against the changing cyber risk and regulatory landscape.