Cyber Risk: Are We Increasingly Being Held to Ransom?

This article was originally published in The Insurer.

Examples of data theft continue to stream through; no one brand seems immune from having to announce major losses of customer data records. Uber paid US$148 million to settle a legal action over a cyberattack in 2016 that exposed data from 57 million customers and drivers. Forbes reported that Yahoo agreed to pay a US$50 million settlement to roughly 200 million people affected by the email service’s 2013 data breach.

Data theft is still the leading source of loss for both insurers and reinsurers that cover cyber. The cyber insurance market is still in an early growth stage: the overall economic impact on the global economy from cyberattacks in 2017 was estimated at US$600 billion, while insured loss for standalone cyber policies was a fraction of this, at around US$1 billion to US$1.5 billion. But with cyber risk continually evolving, insurers may have to contend with a new, growing source of loss: cyber attackers are turning to ransomware because it offers a potentially easier and more lucrative attack method.

In a ransomware attack, malware infiltrates a company's network and disables servers or locks up data until a ransom is paid. This contagious malware, of which WannaCry and NotPetya are probably the most renowned examples, can even plague companies with high standards of security, and has the ability to scale and to cause systemic loss to thousands of companies. Attackers have also stolen data from a company and then attempted to extort a ransom from the victim company in return for the data.

Overall, the number of ransomware attacks is increasing each year, and ransomware is easily available for cyber attackers to buy on the dark web. As outlined in our recent RMS Cyber Risk Outlook Report, estimates of ransomware extortion in 2017 exceed five billion dollars, a 15-fold increase over the previous two years.

The size of the attackers' intended targets is also growing. Attempts to extort major companies using cyberattacks have grown in frequency, scope and ambition. Ransomware has historically afflicted personal computers and small and medium-sized enterprises, but recent developments have seen large multinational corporations affected, with security companies seeing some 42 percent of all ransomware infections in the first half of 2017 targeting organizations in an interconnected and networked environment.

The attack mode is certainly evolving. More attackers are changing their ransomware deployment from a “spray and pay” approach across thousands of accounts to a more targeted approach, with the aim of demanding more money from a single victim, especially larger companies. The attackers’ rationale is that, rather than handling the administration of thousands of smaller payments from smaller companies, they can seek hundreds of thousands of dollars from a few companies that they believe to be more likely to pay.

Ransomware attacks place companies in an ethical dilemma: is it ethical to pay a ransom and fuel this crime, or should the company (and thereby the shareholders) take the hit? It is often quicker and cheaper to pay the ransom than to rebuild whole IT systems, so should companies take the moral high ground or focus on the interests of the company’s shareholders? What’s clear is that many companies are developing contingencies for ransomware attacks in the future, with some commentators suggesting that companies stockpiling Bitcoin in case of extortion attacks may have fueled the recent surges in Bitcoin demand.

So, with the increasing number of ransomware-type events, the rising dollar amount of the ransoms being asked for, and the growing sophistication of the ransomware, there is potential that, looking forward, ransomware may overtake data theft as the main source of loss.

As ransomware rises, there are encouraging signs that data breaches at the smaller end of the scale are decreasing. The implementation of sound security processes has helped to reduce accidental data loss, such as when a laptop is lost or stolen, and defenses will have an effect on low-sophistication attacks or accidental events. But if a cyber attacker wants to attack you, they will, with an increasing armory of tools and techniques.

Cyber modeling that can accommodate the ever-changing threat landscape presented by cyber is becoming more and more necessary for insurers and reinsurers, and without the ability to anticipate trends and spot patterns it will become harder for an insurance business to stay credible and profitable in this fast-growing and fast-evolving market.

Tom Harvey

Head of Cyber Product Management, RMS
Tom is the Head of Cyber Product Management for RMS, and since early 2015 has worked together with the Cambridge Centre for Risk Studies and RMS’ development partners to bring the RMS Cyber Accumulation Management System and subsequent RMS Cyber Solutions to the market. Tom joined RMS in 2013 as a technical sales expert, assisting a number of leading (re)insurers in furthering their catastrophe management practices.

Prior to joining RMS, Tom spent 4 years at Hewlett Packard Software within the European presales team working closely with a number of HPS’ IT security products.
