AGCS Cyber Risk Trends 2020 - Allianz


INSIGHTS @ AGCS

MANAGING THE IMPACT OF INCREASING INTERCONNECTIVITY: TRENDS IN CYBER RISK

ALLIANZ GLOBAL CORPORATE & SPECIALTY

ANALYSIS: INSURANCE CLAIMS

72% increase in the average cost of cybercrime to an organization in five years to US 13mn*

67% increase in the average number of security breaches in five years*

*Accenture/Ponemon, The Cost of Cyber Crime

[Chart: Number of cyber-related claims; average number of claims. *AGCS only started offering cyber insurance in 2013, so claims experience is limited. Source: Allianz Global Corporate & Specialty]

There has been a notable rise in cyber-driven claims in recent years, driven by the growth of the cyber insurance market but also by the rise in incidents such as data breaches, distributed denial of service attacks, phishing campaigns, and increasingly, ransomware events. Human error and technical failures are also major drivers.

A growing “commercialization of cyber-hacks” is a contributing factor leading to a growth in ransomware claims in particular (see page 6). Increasingly, criminals are selling malware to other attackers who then target businesses demanding ransom payments, meaning high-end hacking tools are more widely available and cheaper to come by.

While the Covid-19 outbreak cannot be said to be a direct cause of cyber-related claims, exposures have been rising during the pandemic, particularly with regards to ransomware and business email compromise incidents, given the increase in remote working and the likelihood that security safeguards may not be as robust in the home office. Although AGCS has seen the first few cyber claims which can be indirectly attributed to the Covid-19 shift in the business landscape, we do not yet witness a broader trend or surge in such claims.

[Charts: Cause of loss by value of claims; cause of loss by number of claims. Categories: external manipulation of systems (e.g. direct attack from the internet or malicious content such as ransomware/malware); malicious internal action (e.g. action taken by a rogue employee); accidental internal cause (e.g. human error, technical/systems failure or outage). Percentages as extracted, in order: 85%, 9%, 6%; 57%, 40%, 3%. Based on the analysis of 1,879 claims worth 673mn reported from 2015 until year-end 2020. Total includes the share of other insurers involved in the claim in addition to AGCS. Source: Allianz Global Corporate & Specialty]

Losses resulting from the external manipulation of computer systems such as distributed denial of service attacks (DDoS) or phishing and malware/ransomware campaigns account for the significant majority of the value of claims analyzed. Cyber-crime generates the headlines but the analysis also shows that more mundane technical failures, IT glitches or human error incidents are the most frequent generator of claims, although, overall, the financial impact of these events is, on average, limited compared with external events.

Whether it results from an external cyber-attack, human error or a technical failure, business interruption is the main cost driver behind cyber claims. It accounts for around 60% of the value of all claims analyzed, with the costs associated with dealing with data breaches ranking second.

TRENDS

- Cyber claims growing in number and complexity
- External attacks cause most expensive losses. Internal accidents occur more frequently
- Business interruption main cost driver behind claims
- Remote working and Covid-19 heightening exposures
- Ransomware incidents more frequent and financially-damaging
- Business compromise email attacks surge
- Costs of “mega” data breaches increasing
- Regulatory exposure increasing around the globe
- Class action litigation on the rise
- M&A brings cyber risk
- Nation state-sponsored attacks on the rise

OVERVIEW

Just seven years ago cyber risk ranked as low as 15th in the Allianz Risk Barometer, an annual survey in which more than 2,700 risk experts from 100 countries identify the top threats for companies for the next 12 months and beyond. Today, it ranks either near or at the top of seemingly every risk poll conducted. In the intervening years both knowledge of the threats posed to businesses by cyber and the number of related claims or losses have increased significantly. At the same time, businesses and their insurers now have to deal with a fast-changing, ever evolving risk landscape, which has been further exacerbated by the outbreak of the coronavirus pandemic.

Companies are facing a number of challenges, such as the prospect of more disruptive and expensive business interruptions, the increase in the frequency and cost of ransomware incidents, the consequences from larger data breaches and more robust regulation – both at home and overseas – as well as the prospect of litigation if something does go wrong. The playing out of political differences in cyber space also ups the ante while even a successful merger and acquisition (M&A) can bring unexpected problems. Then, there is the fact that many employees are now working remotely. Displaced workforces create new opportunities for increasingly better organized and funded cyber criminals to exploit and gain access to networks and sensitive information. At the same time the potential impact from human error or technical failure incidents – already one of the most frequent drivers of cyber claims – may also be heightened. Employers and employees must work together to raise awareness and increase cyber resilience in the home office set-up.

Despite the huge advances companies have made in cyber risk awareness in recent years, many are still playing catch-up and often do not realize how important their digital assets are until something happens. This report highlights some of the most significant cyber risk trends currently occupying the attention of insurers, risk managers and their broker partners and how companies can be better prepared to mitigate the impact of such incidents.

1 LAXER SECURITY POST COVID-19 HEIGHTENS CYBER RISK

Rise in scammers and spammers looking to exploit vulnerabilities, as pandemic enhances existing threats and problems

The coronavirus outbreak has resulted in the largest work-from-home situation in history, presenting criminals with new opportunities to exploit any security vulnerabilities created by the pandemic.

With many companies having expanded their remote working capacity through the outbreak – often at very short notice – in order to provide as many employees as possible with easy access to software and systems, IT security standards may have had to be lowered or suspended, putting cyber security under new levels of stress. According to research by cyber security firm Arceo almost all of the CISOs at 250 companies, with 250mn to 2bn in annual revenue [1], believe that security practices when working remotely are unlikely to be as stringent as those at the office.

One consequence of potentially laxer security may be that cybercriminals and hackers may find it easier to penetrate previously effectively protected corporate systems, causing data breaches, cyber blackmail intrusions and IT system failures. Those CISOs stated that cloud usage, personal device usage and unvetted apps or platforms pose the biggest threats during this work from home period. At the same time, it is estimated that anywhere between 50% and 90% of data breaches are caused or abetted by employees, be it by simple error or by falling victim to phishing or social engineering.

Through 2020, malware and ransomware incidents have already increased by more than a third, at the same time as a 50% increase in phishing, scams, and fraud, according to international police body, INTERPOL. The rush to adopt new cloud systems and remote access solutions has also driven up the number of data breaches. Over a four-month period, some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs [2] – all of them in relation to coronavirus – were detected by one of INTERPOL’s private sector partners.

Specific sectors have also reported a rise in incidents. In the US, with millions of Americans now working from home – including those charged with looking after critical infrastructure – cyber-attacks on the electric grid have surged by 35% during the pandemic [3]. In a worst case scenario, such attacks could trigger blackouts or damage vital equipment. In May, the UK’s grid data system was hacked, although electricity supplies weren’t affected. And in March, an attack against Europe’s association of grid operators, ENTSO-E, affected its internal office systems. In the maritime and offshore energy sector there have been reports of a 400% increase in attempted cyber-attacks since the pandemic began.

To date, AGCS has only seen a small number of cyber claims which are Covid-19 related, however a further increase in cyber crime is likely in the near future as criminals continue to ramp up their activities and develop more sophisticated techniques.

Business email compromise schemes (see page 7) are likely to increase further with the shift in the business landscape to remote working and the economic downturn, along with damage costs from phishing scams, ransomware attacks and insecure remote access to networks. Coronavirus-themed online scams and phishing campaigns which aim to take advantage of public concern about the pandemic are unlikely to dissipate anytime soon.

The pandemic will also have a long-term impact as companies increasingly digitalize, work remotely and rely more on online sales in response, meaning cyber risks will evolve in different shapes and forms.

“MALWARE AND RANSOMWARE INCIDENTS HAVE INCREASED BY MORE THAN A THIRD”

[1] Arceo, Building Cyber Resilience, The 2020 CISO Perspective
[2] Interpol, Report Shows Alarming Rise of Cyber Attacks During Covid 19, August 2020
[3] Bloomberg, Hackers Are Tackling The Remote Workers Who Keep Your Lights On, July 2020

2 BUSINESS INTERRUPTION AND DIGITAL SUPPLY CHAIN VULNERABILITY GROWING

Digital disruption has become a much more significant driver of cyber losses while cyber risk in supply chains is a growing exposure, given the increasing reliance on technology

Business interruption (BI) following a cyber incident has become a major concern for business. Analysis of cyber claims by AGCS shows that BI is the main cost driver in the majority of cases. Whether ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy.

Cyber and BI now rank as the top two risks for companies respectively, according to the Allianz Risk Barometer 2020, which was conducted before the coronavirus outbreak – and are increasingly interrelated. Awareness has been growing following high profile outages across a number of sectors, including banking and airlines. At the same time, ransomware attacks, such as the 2017 NotPetya malware and the Ryuk campaign, have caused serious disruption for manufacturing and service sectors, as well as public sector organizations.

[Chart: ALLIANZ RISK BAROMETER: WHICH CAUSES OF BUSINESS INTERRUPTION ARE FEARED MOST BY. Source: Allianz Global Corporate & Specialty. Figures represent the percentage of answers of all participants who responded (1,018). Figures don’t add up to 100% as up to three risks could be selected.]

Loss of data, or “business intelligence”, is emerging as a major cause of loss. The inability to access data for an extended period of time can have a significant impact on revenues – for example, if a company is unable to take orders. One notable large BI claim in 2019 involved a fire at a European media company. A significant proportion of the claim was related to the unavailability of data and the cost of restoration.

Dependency on digital supply chains – both for the delivery of services and the supply of goods – brings numerous benefits. Shared technology based platforms enable data to be exchanged between parties, automate administrative tasks and orders, and transport products on demand. However, such platforms can potentially create a chain reaction ensuring a BI cascades through a whole sector. If a platform is unavailable due to a technical glitch or cyber event, it could bring large BI losses for multiple companies that all rely on and share the same system. In June 2019, an outage caused a catastrophic failure at some Google cloud services, causing several hours of disruption to a number of large online service providers, including YouTube, Uber and Snapchat. In 2017, a four-hour outage at Amazon Web Services in North America was estimated to have cost S&P 500 companies 150mn.

As recently as five years ago, the cyber claims teams at insurers such as AGCS focused primarily on data breaches and resulting first party damage and liability. But with the growing reliance on technology, interest in first party and BI covers has increased, meaning the claims function increasingly represents an interdisciplinary team, with expertise in business continuity and forensic accounting.

3 RANSOMWARE NOW THE MOST PROMINENT CYBER-CRIME THREAT

Incidents are becoming more frequent, sophisticated and financially damaging

Ransomware attacks are increasingly becoming one of the biggest causes of cyber loss. In fact the EU’s law enforcement agency, EUROPOL, now regards them as the most prominent cyber crime threat.

Already high in frequency, incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions.

The consequences of an attack can be crippling, especially for organizations that rely on data to provide products and services, but it can also create significant damage for others in the supply chain, such as critical infrastructure.

There were nearly half a million ransomware infections reported globally last year, costing organizations at least 6.3bn in ransom demands alone, according to estimates from security vendor Emsisoft [4]. Total costs associated with dealing with these incidents are estimated to be well in excess of 100bn. Extortion demands are just one part of the picture. Business interruption (BI) can bring the most severe losses from ransomware attacks – with downtimes becoming longer – and the costs associated with systems and data restoration can be huge. A breakdown of a recent insurance industry cyber loss in Europe shows that the restoration and expenses costs were similar to the ransom demanded. Meanwhile, the BI proportion of the loss was four to five times greater.

In some cases, ransomware is a smoke screen for the real target, such as the theft of personal data. Between January and June, 2020, ID Ransomware [5] received 100,001 submissions relating to attacks by ransomware groups that target companies and public sector organizations. Of these 11,642 related to attacks by the groups that overtly steal data – around 11% – the real figure is probably higher.

Attacks have also evolved beyond the scattergun high-volume phishing attacks seen in previous years with well-funded organized gangs of cyber criminals launching more complex and targeted attacks against large companies, which can command high ransom demands.

Incidents such as those featuring the Ryuk malware, and the attack on global aluminum producer Norsk Hydro in 2019 which meant its workforce had to resort to pen and paper, have emerged as a key driver for cyber insurance claims in recent years. Ryuk was first reported in August 2018 and has been responsible for multiple attacks against large companies, hospitals and local governments globally. Such attacks are well planned, with hackers taking the time to identify and target critical network systems, therefore maximizing the impact of the attack and the value of demands.

More ransomware and extortion attacks can be expected in future with the post-Covid-19 landscape exacerbating this threat, given the increasing number of people working at home and the fact that safeguards may not be as good at home as in the workplace. Reported malware and ransomware incidents are already believed to have increased by more than a third since the start of 2020.

The “commercialization of cyber-hacks” is also leading to more incidents. Increasingly, cyber criminals are adopting “franchise” models and are selling malware to other attackers who then target businesses demanding ransom payments. This is making high-end hacking tools more widely available to exploit online vulnerabilities.

“BUSINESS INTERRUPTION CAN BRING THE MOST SEVERE LOSSES FROM RANSOMWARE ATTACKS AND THE COSTS ASSOCIATED WITH SYSTEMS AND DATA RESTORATION CAN BE HUGE”

[4] Emsisoft, Infosecurity Magazine, Ransomware Costs May Have Hit 170bn in 2019, February 13, 2020
[5] ID Ransomware

4 BUSINESS EMAIL COMPROMISE ATTACKS SURGING

Economic downturn and shifting landscape resulting in more incidents

Business email compromise (BEC) – or spoofing – attacks have been increasing in frequency for some time and will likely further surge in future due to the economic downturn and shift in the business landscape driven by the coronavirus outbreak. More people working from home means new opportunities for criminal activities are generated. Prior to the pandemic, BEC incidents had already resulted in worldwide losses of at least 26bn since 2016, according to the FBI. Between May 2018 and July 2019, the number of incidents discovered worldwide doubled, with the average economic loss around 270,000.

A BEC attack typically involves social engineering and phishing emails to dupe employees or senior management at companies into revealing login credentials or making fraudulent transactions. Over time, BEC attacks have grown in sophistication, with criminals now using compromised email and spoofed accounts to imitate senior executives, vendors or customers in order to gain access to corporate IT systems. Historically, BEC attacks focused on the fraudulent transfer of funds, but today they are also used to steal valuable data or to carry out account takeover attacks.

“BEC ATTACKS HAVE GROWN IN SOPHISTICATION”

REMOTE WORKING: CYBER SECURITY CONSIDERATIONS

With many employees around the globe still working remotely, suggested measures to consider for bolstering IT security in the home office include:

- keeping software up-to-date
- activating virus protection and firewalls
- being increasingly cautious about sharing personal data
- making sure web browsers are up-to-date
- keeping passwords safe and changing them regularly
- protecting confidential emails with encryption
- only downloading data from trusted sources
- making regular backups
- turning off voice-activated smart devices and covering webcams when not in use
- making clear distinctions between devices and information for business and personal use and not transferring work between the two
- identifying all participants in online sessions
- logging out when devices are no longer in use and keeping them secure
- following security practices for printing and handling confidential documents
- being careful with suspicious e-mails or attachments

For a full overview of IT security measures, download Coronavirus: Staying Cyber-Secure Through The Pandemic

5 MEGA DATA BREACHES COME WITH INCREASING COSTS

Many factors can now contribute to the financial fall-out from such events

The cost of dealing with a large data breach is rising as IT systems and cyber events become more complex, and with the growth in cloud and third-party services. Regulation is also a key factor driving cost, as is growing third-party liability and the prospect of class action litigation. In particular, so-called mega data breaches (involving more than one million records) are more frequent and expensive. In July 2019, Capital One was hit by on
