Ransomware-as-a-service tops evolving global cyber risks
Also on the rise: Triple extortion schemes in which cyber criminals exploit multiple ransoms from a single target.
When Russia invaded Ukraine in February 2022, the West braced for a slew of state-sponsored cyberattacks, with critical infrastructure seen as high risk.
So far, those fears have not come to pass. Some data suggests the war has in fact caused a lull in ransomware activity, as Ukrainian and Russian hackers take up arms instead. Whether this will remain the case is unknown, but what’s clear is that attackers are becoming increasingly sophisticated, pursuing new targets and taking a rapidly mounting toll on the global economy.
Cyberattacks have come a long way since Cornell University graduate student Robert Tappan Morris created the first ‘computer worm’ in 1988, which was programmed to exploit several digital vulnerabilities. Digitalization, cloud services and the rise of crypto have facilitated this crime. Meanwhile, testy geopolitics, huge rewards for seasoned criminals and the scope to reap untold damage provide ample incentive. Attackers’ armory includes ransomware, malware, social engineering, phishing and distributed denial of service, where Internet users — with or without their knowledge — work en masse to overload a target.
Total economic losses due to cybercrime were estimated at $6 trillion in 2021, with cyber intelligence specialist Cybersecurity Ventures forecasting this will rise to $10.5 trillion by 2025. Meanwhile, Munich Re recently noted that cyber criminals are on track to earn more than the global drug trade.
Changing threats
Data breaches and liability to third parties for the loss, amplified by the proliferation of privacy laws worldwide, still keep many organizations awake at night. Indeed, the long-tail nature of the risk, including litigation from those whose data has been compromised, remains a mammoth headache for insurers.
However, Munich Re found that first-party cyberattacks have become the main cause of concern, with ransomware the chief worry. Recent incidents include a 2021 attack on Health Service Executive Ireland that caused $600 million of damage. Among ransomware’s many evolutionary developments is ransomware-as-a-service, opening up a way in for bad actors without an iota of tech expertise. Another is so-called triple extortion, whereby attackers seek two ransoms from the initial target and then a third from anyone who might be impacted by disclosure of its data. Multiple extortion looks set to be the inevitable next step.
Vulnerably by sector
In terms of sector, cyber attackers are increasingly targeting small and midsize enterprises (SMEs) because of their generally weaker controls. Healthcare, professional and financial services companies particularly vulnerable, according to Swiss Re.
In 2021, the majority of the 847,376 complaints received by the FBI’s Internet Crime Complaint Center related to small businesses. (The center recorded overall losses up 64% from a year earlier at $6.9 billion).
However, in recent years, attacks on industrial targets have become a major cause for concern, as criminals spread their wings from information technology to the operational technology that controls industrial activity. These attacks may be low probability but when they happen they can have an extremely high impact, and ripple effects could cause catastrophic losses. One such incident was the 2021 ransomware attack on the Texas-to-New Jersey Colonial Pipeline in May, which triggered fuel shortages and panic buying along the East Coast. Although not an attack to its operations technology, cyber criminals generated a near-$4.5 million ransom from that event.
Two phenomena that have ascended almost hand-in-hand — digitalization and the cloud — have increased the cyber threat. Digitalization has made whole supply chains vulnerable, while the hosting of all-inclusive computing platforms via the cloud allows attackers to hit many parties through one entry point. The watershed supply-chain loss facilitated by digital connectivity was the 2017 NotPetya attack. Malware embedded in Ukrainian accounting software hit companies as far removed as Chicago food giant Mondelez, triggering legal battles with insurers and forcing a rethink of cyber policy terms and conditions. “Downstream” companies not directly hit in the initial attack are estimated to have suffered $7.3 billion of a $10 billion loss tally.
Deep fake attacks, AI, 5G networks are among the many technologies that will enable the cyber threat to expand and morph. We are clearly at the beginning of a long cybersecurity journey but what is equally clear is that the risk must be borne throughout the risk-transfer chain. A major injection of new capacity is needed for the private sector to fulfil its role. The Insurance-Linked Securities (ILS) market, for example, could feasibly provide capacity equivalent to its participation in the property cat market by 2040.
Fear and lack of visibility has deterred many potential insurance new entrants and first-generation cyber modelling, being reliant on limited and historic data such as the traditional annual questionnaire, has not convinced. By contrast, second-generation cyber modelling for industrial and critical infrastructure companies and risk carriers uses real-time, inside-sourced evidence-based and outside-sourced data that allows for dynamic responses to fast-changing cyber threats and provides visibility not only of the exposure but of any cyber event as it happens. Companies themselves can now make well-informed choices about risk mitigation and the associated return on investment.
The cyber protection gap remains massive. Munich Re’s prediction of a cyber insurance market worth $22.1 billion by 2025, up from $9.2 billion, would still only go a tiny fraction of the way to closing it. However, as we continue to make strides in understanding and mitigating the cyber threat, the opportunity for the insurance industry is enormous.
Jose Seara (jms@denexus.io) is a founder and CEO with over 25 years of experience building companies in the critical infrastructure space. He launched DeNexus in 2019, and is now building the global standard for Industrial Cyber Risk quantification, and bridging the chasm between cyber threats and business impact. DeNexus’ cyber platform gives the industrial enterprise and risk underwriters the ability to quantify and manage cyber risk exposure on a continuous basis.
See also: