By Scott Sayce, Global Head of Cyber and Group Head of the Cyber Centre of Competence at Allianz Global Corporate & Specialty (AGCS)
Cyber Threats Driving Insurance Claims Activity
In response to the challenging loss environment of recent years, the insurance industry is more diligently assessing clients’ cyber risk profiles and clarifying coverage areas in a bid to incentivize companies to improve cyber security and risk management controls.
Our experience shows a number of companies still need to improve their frequency of IT security training, cyber incident response plans and cyber security governance. Incident response is critical as the cost of a claim quickly escalates once business interruption kicks in.
It is clear that organizations with good cyber maturity are better equipped to deal with incidents. It is not typical for us to see companies with strong cyber maturity and security mechanisms suffer a high frequency of ‘successful’ attacks. Even where they are attacked, losses are usually less severe.
Ransomware threat continues to help drive elevated cyber claims activity
In recent years AGCS has experienced elevated levels of cyber insurance claims, driven in part by the growth of the cyber insurance market, but also by an overall rise in incidents, including notifications of ransomware attacks, which are among the biggest drivers of cyber insurance losses. During 2020 and 2021, AGCS received more than 1,000 cyber-related claims per year overall. While claims activity has stabilized, driven by a more diligent underwriting approach and better risk dialogue with companies, 2022 has the potential to be another year of high claims frequency, as cyber claims have historically occurred predominantly in the third and fourth quarters of the year.
Despite the efforts of law enforcement agencies, the frequency of ransomware attacks remains high, as does related claims activity. Ransomware attacks hit a record 623 million in 2021, double the number in 2020 and a 232% increase since 2019. Despite a 23% reduction in frequency at the start of this year, the number of ransomware attacks globally in the first half of 2022 still exceeded full-year totals of 2017, 2018 and 2019, according to SonicWall’s Cyber Threat Report, while Europe actually recorded a 63% surge in ransomware attacks in the first half of 2022. Meanwhile, ransomware is forecast to cause $30bn in damages to global organizations by 2023, remaining the top cyber threat to enterprises as well as governments, according to cyber protection industry estimates.
There is no denying that cyber extortion and ransomware have become big business. Ransomware-as-a-service (RaaS), which gives cyber criminals access to ransomware tools and support services, has lowered the barriers to entry and enabled criminals to scale up their efforts and ramp up their attacks. With average ransom demands in 2021 in the millions and RaaS kits costing as little as $40 per month, cyber criminals can make huge returns from ransomware attacks with little investment or technical expertise.
On a positive note, there are some signs that risk management actions taken by insured companies are beginning to take effect. Overall, however, the frequency and severity of ransomware and cyber extortion claims for AGCS have increased significantly in recent years.
Rising severity: Double extortion is now the norm
The severity of ransomware claims continues to rise year-on-year as gangs employ increasingly sophisticated attack tools and extortion techniques. The value of ransomware claims globally has increased significantly since 2019. It has accounted for well over 50% of all cyber claims costs that AGCS has been involved in together with other insurers over the past two years, and it remains a significant cost driver through 2022 to date. Business interruption, restoration costs and expert fees are the main loss drivers in a ransomware event.
In a traditional ransomware attack, criminals infiltrate a network and use malware to encrypt files, demanding a ransom in return for their restoration. A double extortion attack, however, also involves the theft of sensitive data, which is then used as leverage for extortion. By exfiltrating data, criminals can make ransom demands of companies even if they successfully restore data from backups.
Triple extortion goes one step further, with criminals making extortion demands of business partners, customers, or suppliers that may be affected by data stolen in the initial attack. Double and triple extortion add to the cost of a ransomware attack, as well as introducing an element of third-party liability.
Ransomware severity is likely to remain a key threat for businesses, fuelled by the growing sophistication of ransomware gangs and rising inflation, which is reflected in the increased cost of IT and cyber security specialists.
Action on ransom payments on the horizon
High profile disruptive cyber-attacks, such as the 2021 Colonial Pipeline incident, have put ransomware on the political agenda, sparking a redoubling of law enforcement efforts. Attention has also turned to the payment of ransom demands, with new rules and potential bans on the horizon.
Ransom demands continue to rise. According to the Palo Alto Ransomware Threat Report, ransom demands increased by 144% in 2021, while average payments rose 78%. Some 46% of companies paid ransoms in order to get data restored, according to Sophos.
The payment of ransom demands is a contentious topic. Critical service providers, such as hospitals or power companies, may have little option other than to pay a ransom demand in order to avoid crippling disruption. On the other hand, paying extortion demands may encourage further ransomware attacks. Sanction rules and terrorism regulations may also bar payment of ransoms to certain states, groups or individuals, including cyber groups.
Potential legal changes around ransom payments are unlikely to solve the problem of ransomware entirely, but they might help improve the maturity level of companies. Longer term, cyber criminals are likely to consolidate and change tactics as ransomware attacks become less lucrative and easy targets become harder to find.
Small and mid-sized companies an increasing sweet spot for hackers
All companies, across all sectors, are now exposed to ransomware attacks, although small and mid-sized companies are proving a more attractive target for cyber criminals as larger companies beef up their cyber security.
Cyber security, rather than sector focus, is now the key driver for cyber-attacks. The most attractive targets for cyber criminals traditionally have been large organizations, where they can get the most financial gain for reasonable effort. With these organizations investing heavily in security, the focus is gradually shifting to small and mid-sized firms. The current real sweet spot is a mid-sized business with weak controls, risk management and cyber security in place. That is what cyber criminals like most.
Large companies are better positioned to mitigate the growing threat landscape than smaller companies, which often lack the resources to invest in cyber security and risk management. Small to medium-sized companies see their risks increasing with digitalization, but typically would not carry out impact analysis linked to cyber security and the value of the business.
Even larger companies can have vulnerabilities and blind spots. In around 80% of AGCS cyber insurance claims, involving companies with an annual turnover in the triple digit millions, a significant flaw in the security of the insured led, or contributed, to the eventual loss.
The good news is that insurance companies are now having a very different conversation on the quality of cyber risk than they were a few years ago and are therefore gaining much better insights as the cyber insurance market matures. Insurers have a role that goes beyond pure risk transfer, helping clients adapt to the changing risk landscape and raising their protection levels.
About the Author
Scott Sayce is the Global Head of Cyber and Group Head of the Cyber Centre of Competence.
Scott can be reached online at scott.sayce@allianz.com.