An Allianz Global Corporate & Specialty (AGCS) report has identified a number of key trends in the ransomware space that re/insurers should be aware of in order to protect themselves from cyber criminals, including the recent development of ‘ransomware as a service’.
AGCS’ report explains how ransomware as a service has made it easier for criminals to carry out attacks by purchasing or renting hacking tools from other criminal groups. As a result, many more malicious threat actors are said to be operating.
‘Double extortion’ tactics are also said to be on the rise, with criminals combining the initial encryption of data or systems, or increasingly even their back-ups, with a secondary form of extortion, such as the threat to release sensitive or personal data.
In such a scenario, affected companies have to manage the possibility of both a major business interruption and a data breach event, which can significantly increase the final cost of the incident.
Analysts say ‘triple extortion’ incidents can combine DDoS attacks, file encryption and data theft – and don’t just target one company, but potentially also its customers and business partners.
Elsewhere, AGCS describes supply chain attacks as the next big thing. Attacks which target physical supply chains or critical infrastructure, such as the one which impacted Colonial Pipeline, are likely to become prime targets as they often supply hundreds or thousands of businesses with software solutions and therefore offer criminals the chance of a higher payout.
Ransom demands are yet another key issue after having rocketed over the past 18 months.
The average extortion demand in the US was $5.3 million in the first half of 2021, a 518% increase on the 2020 average; the highest demand was $50 million, up from $30 million the previous year.
Additionally, the average amount paid to hackers is around 10 times lower than the average demand, but this general upward trend is alarming.
Business interruption and restoration costs are considered the biggest drivers of cyber losses by AGCS. They account for over 50% of the value of close to 3,000 insurance industry cyber claims worth around €750 million it has been involved in over six years.
“Three out of four companies do not meet AGCS’ requirements for cyber security,” explains Marek Stanislawski, Global Cyber Underwriting Lead at AGCS.
“Companies need to invest in cyber security. Losses can be avoided if organizations follow best practices. A house with an open door is much more likely to be burgled than a locked house.”