Making sure employees follow protocols and investments to update and continuously monitor systems should be top of mind for insurers' cyber to-do list. (Credit: wk1003mike/Shutterstock.com)
Just seven years ago, cyber risk ranked as low as 15th in the Allianz Risk Barometer, an annual survey of more than 2,700 risk experts from 100 countries that identifies the top threats for companies for the next 12 months and beyond.
Today, it ranks either near or at the top of seemingly every risk poll conducted. In the intervening years, both knowledge of the threats posed to businesses by cyber and the number of related claims or losses have increased significantly. At the same time, businesses and their insurers now have to deal with a fast-changing, ever-evolving risk landscape, which has been further exacerbated by the outbreak of the coronavirus pandemic.
Companies are facing a number of challenges, such as the prospect of more disruptive and expensive business interruptions, the increase in the frequency and cost of ransomware incidents, the consequences from larger data breaches and more robust regulation and the prospect of litigation if something does go wrong.
The playing out of political differences in cyberspace also ups the ante while even a successful merger and acquisition (M&A) can bring unexpected problems. With many employees still working remotely, displaced workforces create new opportunities for increasingly better organized and funded cybercriminals to exploit and gain access to networks and sensitive information. At the same time, the potential impact from human error or technical failure incidents — already one of the most frequent drivers of cyber claims — may also be heightened.
Allianz's latest risk report, "Managing The Impact Of Increasing Interconnectivity – Trends In Cyber Risk," analyzes 1,736 cyber-related insurance claims worth EUR 660 million (US$ 770 million) involving Allianz Global Corporate & Specialty (AGCS) and other insurers from 2015 to 2020. Here are some of the key findings of our research:
Laxer security post-COVID-19 heightens cyber risk
The coronavirus outbreak has resulted in the largest work-from-home situation in history, presenting criminals with new opportunities to exploit any security vulnerabilities created by the pandemic.
With many companies having expanded their remote working capacity through the outbreak in order to provide as many employees as possible with easy access to software and systems, IT security standards may have had to be lowered or suspended, putting cybersecurity under new levels of stress. According to research by cybersecurity firm Arceo, almost all chief information security officers at 250 companies with $250 million to $2 billion in annual revenue believe that security practices when working remotely are unlikely to be as stringent as those at the office.
One consequence of potentially laxer security may be that cybercriminals and hackers might find it easier to penetrate previously effectively-protected corporate systems, causing data breaches, cyber-blackmail intrusions and IT system failures. Those CISOs stated that cloud usage, personal device usage and unvetted apps or platforms pose the biggest threats during this work from home period. At the same time, it is estimated that anywhere between 50% and 90% of data breaches are caused or abetted by employees, be it by simple error or by falling victim to phishing or social engineering.
Through 2020, malware and ransomware incidents have already increased by more than a third, at the same time as a more than 50% increase in phishing, scams and fraud, according to international police body, INTERPOL. The rush to adopt new cloud systems and remote access solutions has also driven up the number of data breaches.
BI, digital supply chain vulnerability growing
Business interruption (BI) following a cyber-incident has become a major concern for businesses. Analysis of cyber claims by AGCS shows that BI is the main cost driver in the majority of cases. Whether ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today's digitalized economy.
Cyber and BI now rank as the top two risks for companies respectively, according to the Allianz Risk Barometer 2020, which was conducted before the coronavirus outbreak. Awareness has been growing following high-profile outages across several sectors, including banking and airlines. At the same time, ransomware attacks, such as the 2017 NotPetya malware and the Ryuk campaign, have caused serious disruption for manufacturing and service sectors as well as public sector organizations.
Loss of data, or "business intelligence," is emerging as a major cause of loss. The inability to access data for an extended period of time can have a significant impact on revenues — for example, if a company is unable to take orders. One notable large BI claim in 2019 involved a fire at a European media company. A significant proportion of the claim was related to the unavailability of data and the cost of restoration.
Dependency on digital supply chains — both for the delivery of services and the supply of goods — brings numerous benefits. However, such platforms can potentially create a chain reaction ensuring BI cascades through a whole sector. If a platform is unavailable due to a technical glitch or cyber event, it could bring large BI losses for multiple companies that all rely on and share the same system. In June 2019, an outage caused a catastrophic failure at some Google cloud services, causing several hours of disruption to a number of large online service providers, including YouTube, Uber and Snapchat. In 2017, a four-hour outage at Amazon Web Services in North America was estimated to have cost S&P 500 companies $150 million.
As recently as five years ago, the cyber claims teams at insurers such as AGCS focused primarily on data breaches and resulting first-party damage and liability. But with the growing reliance on technology, interest in first-party and BI covers has increased, meaning the claims function increasingly represents an interdisciplinary team with expertise in business continuity and forensic accounting.
Ransomware now the most prominent cybercrime threat
Ransomware attacks are increasingly becoming one of the biggest causes of cyber loss. In fact the EU's law enforcement agency, Europol, now regards them as the most prominent cyber threat.
Already high in frequency, incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions.
The consequences of an attack can be crippling, especially for organizations that rely on data to provide products and services, but it can also create significant damage for others in the supply chain, such as critical infrastructure.
There were nearly half a million ransomware infections reported globally last year, costing organizations at least $6.3 billion in ransom demands alone, according to estimates from security vendor Emsisoft. Total costs associated with dealing with these incidents are estimated to be well in excess of $100 billion. Extortion demands are just one part of the picture. BI can bring the most severe losses from ransomware attacks — with downtimes becoming longer — and the costs associated with systems and data restoration can be huge. A breakdown of a recent insurance industry cyber loss in Europe shows that the restoration and expenses costs were similar to the ransom demanded. Meanwhile, the BI proportion of the loss was four to five times greater.
In some cases, ransomware is a smokescreen for the real target, such as the theft of personal data. Between January and June 2020, ID Ransomware received 100,001 submissions relating to attacks by ransomware groups that target companies and public sector organizations. Of these, 11,642, or around 11%, are related to attacks by groups that overtly steal data; the real figure is probably higher.
Attacks have also evolved beyond the scattergun high-volume phishing attacks seen in previous years with well-funded organized gangs of cybercriminals launching more complex and targeted attacks against large companies, which can command high ransom demands.
More ransomware and extortion attacks can be expected in the future with the post-COVID-19 landscape exacerbating this threat, given the increasing number of people working at home and the fact that safeguards may not be as good at home as in the workplace. Reported malware and ransomware incidents are already believed to have increased by more than a third since the start of 2020.
Risk mitigation: Prepare, practice, prevent
Preparation and training are the most effective forms of mitigation and can significantly reduce the likelihood or consequences of a cyberattack. Many incidents are the result of human error, which can be mitigated by training, especially in areas like phishing and business email compromise, which are among the most common forms of cyberattack.
Training could also help mitigate ransomware attacks, although maintaining secure backups can also limit the damage from such incidents. Business resilience and business continuity planning are also key to reducing the impact of a cyber incident, although response plans need to be tested, practiced and regularly reviewed.
Businesses should consider taking the opportunity to carry out a desktop exercise with their insurer and broker, and include key internal and external stakeholders. This builds trust and can take the sting out of any crisis.
Success in mitigating the impact of a cyber-event also requires good oversight and knowledge of IT systems and processes across an organization. If there is no overall control or oversight it will take much longer to get on top of a situation. Clear lines of responsibility and communication, and having all departments aligned with an established relationship and master plan, will lead to a more effective response.
The post-COVID-19 landscape brings new challenges for businesses. With work-from-home becoming widespread, security around access points and potential ransomware attacks is critical but organizations should also regularly monitor and ensure there is sufficient network capacity as this can have a significant impact on business income loss if there is an outage. There can also be bandwidth challenges when many employees are video conferencing and companies should ensure they do not compromise availability.
Purchasing cyber insurance should be one of the final points in a company's plan to enhance its cyber resilience. Insurance has a vital role to play in helping companies recover if all other measures are insufficient, but it should not replace strategic risk management. Investing in employee awareness, together with updating and continuous monitoring of systems should definitely be at the top of any company's cyber to-do list.
Thomas Kang is head of cyber at Allianz Global Corporate & Specialty. These opinions are the author's own.