IT security: old threats, new worries

The increased risk of state-sponsored attacks from cybercriminals; environmental, social and governance (ESG) requirements; and the shortage of cybersecurity experts are giving corporate leaders sleepless nights. But there are ways to fight back.


At seven o'clock on Friday the 13th, everything suddenly came to a standstill at the German fashion label Marc O'Polo. Phones remained silent, e-mail no longer worked, and the scanners and checkout systems in the label's stores were dead. A hacker attack had encrypted the fashion chain's IT systems. A ransom was demanded. The fashion company paid the amount three years ago. Nevertheless, it took just under four weeks before normal operations were restored.

A new trend: more double and triple extortion

Marc O'Polo is one of many small and large companies that have already fallen victim to a so-called ransomware attack. Currently, these attacks with system and data encryption and ransom demands represent one of the greatest cyber risks for companies worldwide. According to the latest Allianz Global Corporate & Specialty (AGCS) Cyber Report, there were a record 623 million ransomware attacks globally in 2021, twice as many as in 2020. Although the frequency decreased by 23 % globally in the first half of 2022, the total number of ransomware attacks so far this year still exceeds that of 2017, 2018 and 2019. In Europe, attacks have actually increased sharply during this period. Ransomware is predicted to cause $30 billion in damage globally by the end of 2023. From AGCS' perspective, the value of insurance claims from ransomware, in which the company was involved with other insurers in 2020 and 2021, accounted for well over 50 % of all cyber insurance claims costs.

The cost of ransomware attacks has also increased because criminals have targeted larger companies, critical infrastructure, and supply chains. In addition, criminals have refined their tactics to extort more money. Double and triple extortion attacks are now the norm: in addition to encrypting systems, sensitive data is increasingly being stolen and used as leverage to extort money from business partners, suppliers or customers.

Increase in deep-fake tactics

The severity of ransomware attacks will remain a key threat to businesses, fueled by the increasing sophistication of the gangs and also rising inflation, which is reflected in the increased cost of IT security specialists. In addition, smaller and mid-sized companies, which often lack resources to invest in cybersecurity, will also increasingly be targeted by ransomware gangs. These employ a wide range of extortion techniques, tailor their ransomware demands to specific companies, and use experienced negotiators to maximize profits from the criminal activity.

Allianz's cybersecurity report also identifies deep fakes as a new threat scenario involving deceptively genuine impersonations of employees. Image: depositphotos

The cyber report has revealed a number of other threats that Swiss companies should prepare for. For example, the Business E-Mail Compromise (BEC) fraud scam continues to grow. This is favored by the increasing digitization and availability of data, the shift of workplaces to home offices and the spread of deep-fake technologies. According to the FBI, BEC scams total $43 billion globally from 2016 to 2021, increasing by 65 % between July 2019 and December 2021 alone. Attacks are becoming more sophisticated and targeted, with criminals now using virtual meeting platforms to get employees to transfer funds or share confidential information. Increasingly, these attacks are enabled by artificial intelligence that uses deep-fake audio or video to deceptively imitate senior employees. Last year, a United Arab Emirates bank employee wired $35 million after being fooled by the cloned voice of a company executive.

Impact of war on insurance

The war in Ukraine and general geopolitical tensions are also a major factor changing the cyber threat landscape: There is an increased risk of espionage, sabotage, and cyberattacks against companies with ties to Russia and Ukraine, as well as allies and companies in neighboring countries. State-sponsored cyberattacks could target critical infrastructure, supply chains, or businesses. So far, the war between Russia and Ukraine has not led to a significant increase in cyber insurance claims, but it does suggest a potential increased risk from nation-states. Although acts of war are typically excluded from traditional insurance products, the risk of hybrid cyberwar has accelerated efforts in the insurance market to clarify the issue of war and state-sponsored cyberattacks in insurance contracts and provide clarity to customers about coverage.

Fewer specialists in IT security concepts

Another major concern is that the shortage of skilled workers is hampering efforts to improve cybersecurity. Although management awareness is growing, the number of unfilled cybersecurity positions worldwide has increased by 350 % to 3.5 million over the past eight years, estimates show. This is also concerning because, at the same time, cybersecurity is increasingly viewed through an ESG lens: Today, far more stakeholders are interested in the level of corporate cybersecurity than in the past. Cybersecurity considerations are increasingly being incorporated into data providers' ESG risk analysis. It has never been more important to ensure that cybersecurity policies and processes are in place and also embedded at board level.

Are companies therefore powerless at the mercy of hackers? Certainly not! We can confirm that companies with a high level of IT security and a well-functioning cyber defense also fall victim to attacks, but are much better able to fend them off and quickly return to normal operations. As cyber insurers, we are experiencing a very different discussion about cyber risks and protection concepts today than we did a few years ago. We get much better insights via questionnaires and risk dialogs, and appreciate that customers work hard to provide us with comprehensive information. This, in turn, helps us provide useful guidance and recommendations, such as which controls are most effective or where risk management can be further improved. The result should be that companies suffer fewer, or at least less severe, cyber events, and we see fewer insurance claims as a result. Such collaboration will help create a sustainable long-term insurance market that not only relies on traditional coverages, but also increasingly integrates cyber risks into captive insurance of proprietary risks and self-insurance, as well as other alternative risk transfer concepts.

 
