Cyber risk trends: Annual Report: The changing threat landscape 

Report | November 2020 | updated in March 2021
This report highlights some of the most significant cyber risk trends currently occupying the attention of insurers, risk managers and their broker partners and how companies can be better prepared to mitigate the impact of such incidents.

Just seven years ago cyber risk ranked as low as 15th in the Allianz Risk Barometer, an annual survey in which more than 2,700 risk experts from 100 countries identify the top threats for companies for the next 12 months and beyond.

Today, it ranks either near or at the top of seemingly every risk poll conducted. In the intervening years both knowledge of the threats posed to businesses by cyber and the number of related claims or losses have increased significantly. At the same time, businesses and their insurers now have to deal with a fast-changing, ever-evolving risk landscape, which has been further exacerbated by the outbreak of the coronavirus pandemic.

Companies are facing a number of challenges, such as the prospect of more disruptive and expensive business interruptions, the increase in the frequency and cost of ransomware incidents, the consequences of larger data breaches and more robust regulation – both at home and overseas – as well as the prospect of litigation if something does go wrong. The playing out of political differences in cyber space also ups the ante, while even a successful merger and acquisition (M&A) can bring unexpected problems. Then there is the fact that many employees are now working remotely. Displaced workforces create new opportunities for increasingly well organized and well funded cyber criminals to exploit in order to gain access to networks and sensitive information. At the same time, the potential impact of human error or technical failure incidents – already one of the most frequent drivers of cyber claims – may also be heightened. Employers and employees must work together to raise awareness and increase cyber resilience in the home office set-up.

Despite the huge advances companies have made in cyber risk awareness in recent years, many are still playing catch-up and often do not realize how important their digital assets are until something happens.

The coronavirus outbreak has resulted in the largest work-from-home situation in history, presenting criminals with new opportunities to exploit any security vulnerabilities created by the pandemic. With many companies having expanded their remote working capacity through the outbreak – often at very short notice – in order to provide as many employees as possible with easy access to software and systems, IT security standards may have had to be lowered or suspended, putting cyber security under new levels of stress. According to research by cyber security firm Arceo, almost all of the CISOs at 250 companies with $250mn to $2bn in annual revenue believe that security practices when working remotely are unlikely to be as stringent as those at the office [1].

[1] Arceo, Building Cyber Resilience: The 2020 CISO Perspective

Business interruption (BI) following a cyber incident has become a major concern for business. Analysis of cyber claims by AGCS shows that BI is the main cost driver in the majority of cases. Whether ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy.

Cyber and BI now rank as the top two risks for companies respectively, according to the Allianz Risk Barometer 2020, which was conducted before the coronavirus outbreak – and are increasingly interrelated. Awareness has been growing following high profile outages across a number of sectors, including banking and airlines. At the same time, ransomware attacks, such as the NotPetya malware and the Ryuk campaign, have caused serious disruption for manufacturing and service sectors, as well as public sector organizations. 

Ransomware attacks are increasingly becoming one of the biggest causes of cyber loss. In fact, the EU's law enforcement agency, EUROPOL, now regards them as the most prominent cybercrime threat. Already high in frequency, incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions. The consequences of an attack can be crippling, especially for organizations that rely on data to provide products and services, but it can also create significant damage for others in the supply chain, such as critical infrastructure.

Business email compromise (BEC) – or spoofing – attacks have been increasing in frequency for some time and will likely surge further in future due to the economic downturn and the shift in the business landscape driven by the coronavirus outbreak. More people working from home generates new opportunities for criminal activity. Prior to the pandemic, BEC incidents had already resulted in worldwide losses of at least $26bn since 2016, according to the FBI. Between May 2018 and July 2019, the number of incidents discovered worldwide doubled, with the average economic loss around $270,000.

The cost of dealing with a large data breach is rising as IT systems and cyber events become more complex, and with the growth in cloud and third-party services. Regulation is also a key factor driving cost, as is growing third-party liability and the prospect of class action litigation. In particular, so-called mega data breaches (involving more than one million records) are more frequent and expensive. In July 2019, Capital One was hit by one of the largest ever breaches in the banking sector, with approximately 100 million customers in the US impacted – more than 30% of the population. This resulted in it being fined $80mn by the US bank regulator. Yet this breach is by no means the largest in recent years.

Data protection and privacy regulation is increasing in both scope and geographical reach, creating more stringent requirements on organizations that collect and use personal data, as well as enhanced rights for consumers and higher penalties for breaches. In the US, data breach notification requirements have long been an important driver of cyber losses and insurance purchasing – the first such law was introduced in California in 2002, while Alabama became the 50th state to enact a breach notification law in 2018. In recent years, other countries have followed suit – Australia and Canada introduced data breach notification laws in 2018 – while others have gone even further.

Many large data breaches today spark regulatory actions, but they can also trigger litigation from affected consumers, business partners and investors. When they do, legal expenses can add substantially to the cost. Data breach litigation in the US is a developing situation. A number of large breaches have triggered class actions by consumers or investors – in July 2019, Equifax reached a $700mn settlement for its 2017 mega breach. US courts have been battling the question of "legal standing" – whether claimants have the right to sue – but the trend appears to be favoring plaintiffs. Statutory and regulatory changes could also facilitate compensation for data breaches. The California Consumer Privacy Act, for example, provides a mechanism for consumers to sue businesses and – in a first for the US – sets statutory damages for data breaches.

Cyber exposures have emerged as a hot topic in mergers and acquisitions (M&A) following some large data breaches. For example, the 2018 Marriott breach, which has resulted in the international hotel group facing a fine of almost £100mn ($130mn) from regulators, was traced to an intrusion in 2014 at Starwood, a hotel group it acquired in 2016. Even the best protected companies can be exposed if they acquire a company with weak cyber security or existing vulnerabilities. Consequently, the acquiring firm could be liable for any damage from incidents which pre-date the merger.

The involvement of nation states in cyberattacks is an increasing risk for companies, which are being targeted for intellectual property or by groups intent on causing disruption or physical damage. Major events like elections and Covid-19 present significant opportunities. During 2020, Google said it has had to block over 11,000 government-sponsored potential cyber-attacks per quarter [2], ranging from phishing campaigns to less common distributed denial of service attacks. Recent years have seen critical infrastructure such as ports and terminals and oil and gas installations hit by cyber-attacks and ransomware campaigns. Sophisticated attack techniques and malware may also be filtering down to cyber criminals, while nation state involvement is providing increased funding to hackers. Even where companies are not directly targeted, state-backed cyber-attacks can cause collateral damage, as seen with the NotPetya malware attack.

[2] Google Threat Analysis Group, How We're Tackling Evolving Online Threats, October 2020

Preparation and training are the most effective forms of mitigation and can significantly reduce the likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be mitigated by training, especially in areas like phishing and business email compromise, which are among the most common forms of cyber-attack.

Training could also help mitigate ransomware attacks, while maintaining secure backups can limit the damage from such incidents. Business resilience and business continuity planning are also key to reducing the impact of a cyber incident, but response plans need to be tested, practiced and regularly reviewed.

Businesses should consider taking the opportunity to carry out a desktop exercise with their insurer and broker, and include key internal and external stakeholders. This builds trust and can take the sting out of any crisis.

Success in mitigating the impact of a cyber event also requires good oversight and knowledge of IT systems and processes across an organization. If there is no overall control or oversight it will take much longer to get on top of a situation. Clear lines of responsibility and communication, and having all departments aligned with an established relationship and master plan, will lead to a more effective response.

The post-Covid-19 landscape brings new challenges for businesses. With home-working widespread, security around access points and potential ransomware attacks is critical, but organizations should also regularly monitor and ensure there is sufficient network capacity, as this can have a significant impact on business income loss if there is an outage. There can also be bandwidth challenges when many employees are video conferencing, and companies should ensure they do not compromise availability.

Purchasing cyber insurance should be one of the final points in a company’s plan to enhance its cyber resilience. Insurance has a vital role to play in helping companies recover if all other measures are insufficient but it should not replace strategic risk management. Investing in employee awareness, together with updating and continuous monitoring of systems should definitely be at the top of any company’s cyber to-do list.

Assessing an organization's cyber risk posture and creating a comprehensive risk management strategy involves identifying assets, evaluating threats, assessing vulnerabilities, prioritizing risks, and developing tailored mitigation approaches. It includes employee training, third-party risk management, incident response planning, and continuous monitoring. Regular updates, compliance considerations, communication plans, and continuous improvement are integral to maintaining a robust cybersecurity framework. This process ensures proactive identification and mitigation of cyber threats, safeguarding the organization's operations, data, and reputation.

Employee training and awareness are essential components in mitigating cyber risks. By educating employees about various threats, security best practices, and appropriate responses, organizations can cultivate a culture of cybersecurity. Well-trained employees are more capable of identifying and avoiding phishing attacks, practicing secure password management, protecting sensitive data, and following safe remote work practices. This increased awareness contributes to reducing the organization's vulnerability to cyber threats, enhancing data protection, and fostering a proactive approach to cybersecurity.

Third-party vendors and supply chain vulnerabilities significantly impact cyber risk trends by introducing additional entry points for cyber attackers, potential data breaches, and disruptions to critical services. Organizations often lack direct control over vendors' cybersecurity measures and must navigate the challenges of shared infrastructure, complex supply chains, and compliance issues. The interconnected nature of modern business operations requires organizations to diligently assess and manage third-party cybersecurity practices, monitor vulnerabilities, and collaborate effectively to minimize the overall cyber risk landscape.
Podcast

Drawing on an AGCS analysis of over 1,700 cyber claims worth EUR 660mn (US$ 770mn), the report examines external events such as distributed denial of service (DDoS), phishing and ransomware incidents, as well as internal incidents such as malicious activity, employee-error incidents, IT or platform outages, system or software migration problems, or loss of account data.

In our latest podcast, Rishi Baviskar, Global Cyber Experts Leader, Risk Consulting at AGCS, further discusses the impact of Covid-19-related incidents compounded by remote working and the importance of business continuity planning for companies involved in cyber-related incidents.
