The Allianz Global Corporate & Specialty (AGCS) reveals in its annual survey that cyber risk as the top business risk around the world. AGCS has been involved with cyber-related claims over the past five years around the globe and has compiled this report highlighting some of the main cyber risk trends from an underwriting, risk consulting and claims perspective. It has seen growing cost of ransomware attacks, the targeting of more small-sized companies by hackers, the increasing frequency and sophistication of business email compromise attacks in the “deep fake” era, as well as the impact of wider geopolitical tensions. This report is also a wake-up call for shipping companies and members that integrating financial trade, logistics and transport. In the changing landscape where internet communication and digital offices are the dominant in corporate management, early measures to prevent cybercrime incidents have to be taken.

I. Threats

• According to the Global Head of Cyber Claims at AGCS, digitalization is driving deeper into companies. IT-outsourcing and cloud-usage is more widely and more extensively used. While these trends also change the threat landscape, creating vulnerabilities as well as increasing interconnectivity and aggregations of risk.
• According to SonicWall’s Cyber Threat Report, despite the efforts of law enforcement agencies, the frequency of ransomware attacks remains high. Experts confirmed that it is not possible to stop every cyber-attack and there are still a large number of companies that need to improve their defenses. In fact, more than half of submissions from prospective clients still do not meet the AGCS checklist of required controls entirely.
• The severity of ransomware claims continues to rise year-on-year as gangs employ increasingly sophisticated attack tools and extortion techniques, and the cost of ransomware attacks has increased as criminals have targeted larger companies, critical infrastructure and supply chains. In a traditional ransomware attack, criminals infiltrate a network and use malware to encrypt files, demanding a ransom in return for its restoration. A double extortion attack, however, also involves the theft of sensitive data, which is then used as leverage for extortion. Triple extortion goes one step further, with criminals making extortion demands of business partners, customers, or suppliers that may be affected by data stolen in the initial attack. Double or triple extortion, which can dramatically increase the cost of an attack, is now the norm.
• All companies, across all sectors, are now exposed to ransomware attacks, although small and mid-sized companies, which often lack the resources to invest in cyber security and risk management, are proving a more attractive target for cyber criminals as larger companies beef up their cyber security.
• Across industries, there are continued high-profile attacks targeting organizations with weak or exposed infrastructure, which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors.
• Business email compromise (BEC) attacks continue to grow more sophisticated and targeted, leading to financial loss or more damaging cyber-attacks.
• Cyber war or conflicts are hard to define and difficult to attribute. A cyber conflict between nations could cause unimaginable damage and disruption to thousands of companies, and potentially whole populations, if attacks target critical infrastructure like utilities, communications or payments systems.
• Another worrying development is the deliberate targeting of supply chains. Such attacks are a particular concern for the insurance market, as a single cyber-attack can trigger losses at potentially thousands of companies around the globe.
• A shortage of cyber security professionals may be hindering efforts to improve cyber security.

 II. Data

• Cybercrime incidents are now estimated to cost the world economy in excess of $1 trillion a year –around 1% of global GDP.
• According to SonicWall’s Cyber Threat Report, ransomware attacks hit a record 623 million in 2021 and is forecast to cause $30 billion damages to global organizations by 2023.
• With average ransom demands in 2021 in the millions and RaaS kits costing as little as $40 per month, cyber criminals can make huge returns with little investment or technical expertise from ransomware attacks.
• With average ransom demands in 2021 in the millions and RaaS kits costing as little as $40 per month, cyber criminals can make huge returns with little investment or technical expertise from ransomware attacks.
• According to the Paloalto Ransomware Threat Report, ransom demands increased by 144% in 2021, while the average payments rose 78%. Some 46% of companies paid ransoms in order to get data restored, according to Sophos. Manufacturing and utilities, which are particularly vulnerable to extortion, faced the highest ransom payments at an average of $2 million.
• According to research by CipherTrace, double extortion ransomware attacks increased by almost 500% in 2021, while payments to ransomware gangs increased 42% in the first six months to $590 million.
• The average cost of cyber claims for small-business owners rose by more than 50% during the first half of 2022 alone. According to a survey of 1,400 small and mid-sized businesses by a non-profit institute, 55% of firms around the world have yet to set up multifactor authentication, which constitutes basic cyber hygiene. Instead, they rely on usernames and passwords alone to secure their systems, leaving them vulnerable to preventable cyber-attacks.
• Between June 2016 and December 2021, BEC scams globally totaled $43 billion, according to the FBI.
• According to the 2022 Thales Cloud Security Report, two thirds (66%) of organizations store 21%-60% of their sensitive data in the cloud. However, 45% say they have experienced a data breach or failed an audit involving data and applications in the cloud.
• According to Cybersecurity Ventures, the number of unfilled cybersecurity jobs worldwide grew 350% between 2013 and 2021 to 3.5 million.

 III. Ransom

• High profile disruptive cyber-attacks have put ransomware on the political agenda, sparking a redoubling of law enforcement efforts. The US Treasury stated in 2020 that facilitating ransomware payments to sanctioned hackers may be illegal. EU member states can impose fines for paying ransoms under the Security of Network and Information Systems Directive (NIS Directive). Gartner predicted that by 2025, 30% of nation states will pass legislation that regulates ransomware payments, fines and negotiations.
• The payment of ransom demands is a contentious topic. Critical service providers, such as hospitals or power companies, may have little option other than to pay a ransom demand in order to avoid crippling disruption. On the other hand, paying extortion demands may encourage further ransomware attacks. Sanction rules and terrorism regulations may also bar payment of ransoms to certain states, groups or individuals, including cyber groups.
• According to the Global Cyber Experts Leader of AGCS, potential legal changes around ransom payments are unlikely to 100% solve the problem of ransomware, but they might help improve the maturity level of companies. Tighter regulation on ransom payments could see cyber criminals shift their focus to other forms of attack, such as data theft or supply chain attacks, as well as more targeted attacks.
• Any impacted company should always inform and cooperate with the police or national investigation authorities.

IV. Defence

AGCS also provided a checklist of ransomware protection – good IT security should:

• effectively and timely identify ransomware threats
• have ransomware-specific incident response processes in place
• have anti-phishing exercises and user awareness training
• perform encrypted and regular backups including frequent backups for critical systems
• utilize endpoint protection (EPP) products and endpoint detection and response (EDR) solutions across the organization on mobile devices
• manage email, web, office document security
• maintain physical, logical segregations within the network including the cloud environment
• monitor patching and vulnerability management policies
• conduct due diligence and regular security audits on newly integrated entities.

 V. Conclusions

Cybersecurity has long been seen as an IT issue, but today’s booming digital economy suggests more than that. Whether it is the working from home dynamic, the acceleration of digitisation or the far-reaching impact of geopolitics events, the potential and actual vulnerabilities exposed by cyber incidents have become all too apparent. Cybersecurity has come to involve environmental, social and governance concerns. Company management, global investors and stakeholders should actively focus on the matter by strengthening cyber protection while considering alternative risk solutions to improve cybersecurity maturity.

The article is based on the AGCS Report Cyber: The changing threat landscape. For more information, please contact Managers of the Association.