Ransomware Still Tops Cybersecurity Risks with Other Emerging Risks, Allianz Reports
While incidents of corporate email compromise are on the rise and are expected to expand even further in the era of deep fakes, ransomware continues to be one of the top cyber risks for organizations worldwide. According to recent research from Allianz Global Corporate & Specialty (AGCS), the crisis in Ukraine and broader geopolitical tensions are a huge concern as hostilities could flow into cyberspace and create targeted assaults against firms, infrastructure, or supply networks.
The insurer’s annual evaluation of the cyber risk landscape underscores the impact of a shortage of cybersecurity personnel as well as the new risks created by the increasing use of cloud services and changes to the third-party liability landscape that result in greater compensation and penalties. Given the prevalence of cyberattacks and the need to protect sensitive data, many companies now list cybersecurity as their top environmental, social, and governance (ESG) risk, as noted in a recent survey.
Globally, the frequency of ransomware attacks and the associated claims costs remain high. In 2021, there were a record 623 million attacks, double the number in 2020. Despite a 23% decrease in global ransomware attack frequency in the first half of 2022, the total for the year so far still exceeds the full-year totals of 2017, 2018, and 2019, while attacks in Europe increased during this time. By the year 2023, ransomware is anticipated to have cost businesses around the world $30 billion in damages. AGCS and other insurers’ ransomware claims accounted for almost 50% of total cyber claims costs in 2020 and 2021.
“Double, Triple Extortion, a Norm”
“The cost of ransomware attacks has increased as criminals have targeted larger companies, critical infrastructure and supply chains. Criminals have honed their tactics to extort more money,” explains Sayce in the report. “Double and triple extortion attacks are now the norm – besides the encryption of systems, sensitive data is increasingly stolen and used as leverage for extortion demands to business partners, suppliers or customers.” Due to the sophistication of gangs and rising inflation, IT and cybersecurity specialists are becoming more expensive, making ransomware a grave danger to organizations.
Because larger corporations are investing more substantially in security, gangs are increasingly focusing their attention on smaller and mid-sized organizations, which frequently lack the controls and resources necessary to invest in cybersecurity. Moreover, gangs employ a vast array of harassing measures, customize their ransom demands to specific businesses, and employ skilled negotiators to maximize returns.
Meanwhile, attacks known as business email compromise (BEC) are on the rise. This trend is facilitated by the growing digitization and availability of data, the shift toward remote working, and, increasingly, ‘deep fake’ technologies and virtual conferencing. The FBI reported $43bn in damage caused by BEC scams from 2016 to 2021, with a 65% increase between July 2019 and December 2021. Criminals are now exploiting virtual meeting platforms to deceive employees into transferring payments or disclosing critical information as attacks are getting increasingly sophisticated and targeted. These kinds of attacks are increasingly enabled by advances in artificial intelligence, which make it possible to create “deep fake” audio or video files that imitate senior executives. For example, last year, a UAE bank employee was misled by a cloned voice of a company and transferred $35m.
Looming Cyberwar Threat
The crisis in Ukraine and broader geopolitical tensions are crucial factors redefining the cyber threat landscape, as they heighten the potential for espionage, sabotage, and destructive cyber-attacks against enterprises with relations to Russia and Ukraine, as well as their allies and neighbours. State-sponsored cyber attacks might target vital infrastructure, supply lines, or businesses. “The conflict between Russia and Ukraine has not yet resulted in a noticeable increase in cyber insurance claims,” Sayce notes. “However, it does indicate a potentially greater danger from nation-states.” Even though acts of war are usually not covered by traditional insurance, the possibility of hybrid cyber war has sped up efforts in the insurance market to address war and state-sponsored cyber attacks in policy wordings and make sure customers understand what they are covered for.
The report also identified several other cyber attack trends, including:
- Hackers target supply chains vulnerable to attack: Attacks on the supply chain, whether on important infrastructure like the Colonial Pipeline or on cloud services, have become a major risk. Ransomware gangs are increasingly using the threat of disruption to coerce businesses into paying ransoms, with manufacturing industries being particularly vulnerable.
- Cloud outsourcing: Despite mounting security and risk aggregation concerns, companies continue to move their services and data storage to the cloud. By relying on a few cloud services or cybersecurity companies, society is developing huge concentrations around a few single points of failure. It’s a prevalent misperception that outsourcing or cloud vendors will take complete responsibility for incidents.
- Driven by technology, data collection, and data privacy laws, third-party liability, including fines and penalties, is becoming increasingly important. Virtually every cyber incident, including double-extortion ransomware, can result in litigation and compensation claims from affected parties.
- Efforts to improve cybersecurity are hampered by a lack of qualified personnel. The number of unfilled cybersecurity jobs worldwide has surged 350% over the previous eight years to 3.5 million, making it difficult for firms to hire and improve their cybersecurity posture.
- The ESG lens is being applied more and more frequently to discussions around cybersecurity. Unlike in the past, today there are many more interested parties keeping an eye on how well a company handles cybersecurity threats. Cybersecurity issues are being incorporated into the ESG risk-analysis frameworks of data providers, who evaluate the preparedness of businesses for cybercrime based on their business operations. Therefore, risk monitoring and board understanding of a company’s cyber practices and policies are more crucial than ever.
The insurance sector is more carefully examining organizations’ cyber risk profiles to encourage them to strengthen security and risk management measures in response to a more complicated risk environment and rising cyber claims.