Business Interruption, Recovery Costs Drive Financial Losses From Cyber Attacks: Report
During the COVID-19 crisis, global cyber attacks skyrocketed in a digital pandemic driven by ransomware, according to a report published by Allianz Global Corporate & Specialty (AGCS).
Further, the report noted, business interruption and restoration costs are the main causes of financial loss for companies.
An AGCS analysis of its overall cyber-related claims over the past six years reveals that business interruption and post-attack recovery costs account for over 50% of the value of close to 3,000 insurance industry cyber claims worth around €750 million ($885 million). (AGCS started writing cyber insurance in 2013.)
“The average total cost of recovery and downtime – on average 23 days – from a ransomware attack more than doubled over the past year, increasing from $761,106 to $1.85 million in 2021,” said the AGCS cyber insights report, titled “Ransomware trends: Risks and Resilience,” published last month.
“When it comes to cyber business interruption, timing is everything. If you pay a ransom demand after a week, the loss has already crystalized, and the cost of restoration is already set in motion. For example, the cost of hiring forensic experts and response consultants can run to $2,500 per day and easily reach a seven-digit figure,” commented Rishi Baviskar, global cyber experts leader, Risk Consulting, AGCS, who is quoted in the report.
“Malware attacks that encrypt company data and systems and demand a ransom payment for release are surging globally,” said a press release accompanying the report.
As an indicator of this surge, AGCS cited a report from Accenture that revealed that cyber intrusion activity globally jumped 125% in the first half of 2021, compared with the same period in 2020, with ransomware and extortion operations the top two contributors behind this triple-digit increase.
Further, there was a 62% increase in ransomware incidents through the first six months of 2021 in the U.S., which followed a 20% increase in the number of incidents for the whole of 2020 and a 225% increase in ransom demands, said the AGCS report, citing statistics from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
AGCS said these cyber risk trends are mirrored in its own claims experience. AGCS saw more than 1,000 cyber claims overall in 2020, up from around 80 in 2016. Further, it received 90 ransomware claims in 2020, an increase of 50% from 2019 (when it received 60 claims).
This trend has continued in 2021, with more than 500 overall cyber claims received by AGCS in the first half of the year, while the number of ransomware claims in the first half is already equal to the number reported (60) during the whole of 2019.
“Losses resulting from external incidents, such as distributed denial of service (DDoS) attacks and ransomware campaigns, account for the majority of the value of cyber claims (81%) analyzed by AGCS over the past six years,” said the report.
The increasing reliance on digitalization, the surge in remote working during COVID-19, and IT budget constraints are just some of the reasons IT vulnerabilities have intensified, said the report, explaining that there are now countless access points for criminals to exploit.
Further, the wider adoption of cryptocurrencies, such as Bitcoin, which enable anonymous payments, is another key factor in the rise of ransomware incidents, said AGCS in the press release.
Bitcoin, which is estimated to account for approximately 98% of ransomware payments, is relatively easy to acquire and use, while payments are verifiable, said the report. “Transactions can also be carried out with anonymity, enabling perpetrators to keep their identities hidden.”
Cryptocurrencies are “the weak link that enables criminals to bypass traditional institutions and hide behind the anonymity built into the technology,” said Thomas Kang, head of Cyber, Tech and Media, North America at AGCS, who was quoted in the report. “More stringent enforcement and compliance with ‘know-your-customer’ and anti-money laundering laws could, however, help disrupt the ransomware business model.”
The report identifies key trends in the current ransomware space:
• Development of Ransomware as a Service (RaaS). RaaS has made it easier for criminals to carry out attacks. Run like a commercial business, hacker groups such as REvil and Darkside sell or rent their hacking tools to others. They also provide a range of support services. As a result, many more malicious threat actors are operating. “From as little as a $40 per month subscription, successful attacks can yield many thousands of dollars from ransomware payments.”
• Increase of Double and Triple Extortion Tactics. “Double extortion” tactics are on the rise. Criminals combine the initial encryption of data or systems, or increasingly even their back-ups, with a secondary form of extortion, such as the threat to release sensitive or personal data. In such a scenario, affected companies have to manage the possibility of both a major business interruption and a data breach event, which can significantly increase the final cost of the incident.
“Triple extortion” incidents can combine distributed denial-of-service (DDoS) attacks, file encryption and data theft – and don’t just target one company, but potentially also its customers and business partners. A notable case cited by the report was a psychotherapy clinic in Finland which received a ransom demand, while its patients also received individual ransom demands by email for smaller sums. “The attackers threatened to publish therapist session notes unless ransoms were paid.”
• Rising Supply Chain Attacks. “There are two main types [of supply chain attacks] – ones that target software/IT service providers and use them to spread the malware and ones that target physical supply chains, such as critical infrastructure.” Examples of attacks that targeted software/IT service providers were the Kaseya and SolarWinds attacks, while an example of a physical supply chain attack was the one that hit Colonial Pipeline, which was the largest cyber attack on U.S. oil infrastructure to date. The report noted that service providers are likely to become prime targets as they often supply hundreds or thousands of businesses with software solutions and therefore offer criminals the chance of a higher payout.
• Skyrocketing Ransom Demands. Ransom demands have rocketed over the past 18 months, the report said, noting that the average extortion demand in the U.S. was $5.3 million in the first half of 2021, a 518% increase on the 2020 average. The report quoted cyber security firm Palo Alto Networks, which said the highest demand was $50 million, up from $30 million last year.
To Pay or Not to Pay Ransom Demands
The AGCS report highlighted the fact that paying cyber ransoms is controversial. “Law enforcement agencies typically advise against paying extortion demands, which is thought to fuel the problem and potentially incentivize further attacks in the future,” it said.
“Paying a ransom is also not a guarantee that a business will be able to quickly retrieve its files and restore its systems. In many cases, by the time the ransom is paid, the damage is already done, and most organizations will have already suffered loss of income and incurred the expense of restoring files and systems,” the report continued.
“Even when a company pays a ransom, it takes a huge effort to restore files and get systems back up and running. This is a huge undertaking, even when you have a decryption key,” said Marek Stanislawski, global cyber underwriting lead at AGCS, in the report.
Cyber Insurance
The report said the ransomware pandemic of recent years has sparked a major shift in the cyber insurance market, “as carriers and insureds endeavor to mitigate the rising frequency and severity of attacks and resulting cyber insurance claims.”
As a result of these loss trends, cyber insurance rates have been rising and capacity has tightened. U.S. rates rose by more than 50% in the second quarter of 2021 alone, said AGCS, quoting a Marsh report.
“Underwriters are placing increasing scrutiny on the cyber security controls that are employed by organizations and pricing risks accordingly,” said the AGCS report, noting that three out of four companies do not meet AGCS’ requirements for cyber security.
“As insurers, we have to continue to work with our clients using a combination of policy and service improvements to help businesses understand the need to strengthen their controls,” said Scott Sayce, global head of Cyber at AGCS and the global head of the Cyber Center of Competence for AGCS and the Allianz Group, in the report.
“Not all ransomware attacks are targeted. Criminals also deploy wild scattergun approaches to exploit those businesses that aren’t addressing or understanding the vulnerabilities they may have,” he added.
Those companies that take steps to prevent attacks and mitigate the impact will be far less likely to fall victim to ransomware, the report affirmed.