Ransomware remains a top cyber risk for organisations globally, while business email compromise (BEC) incidents are on the rise and will increase further in the ‘deep fake’ era.
These are among the findings of a new report released by Allianz Global Corporate & Specialty (AGCS) on Wednesday.
The insurer’s annual review of the cyber-risk landscape also highlights the emerging threats posed by the growing reliance on cloud services, an evolving third-party liability landscape that means higher compensation and penalties, as well as the impact of a shortage of cybersecurity professionals. A company’s cybersecurity resilience was now scrutinised by more parties than ever before, including global investors, meaning many now ranked it as their major environmental, social, and governance (ESG) risk concern, the report noted.
According to the report, globally, the frequency of ransomware attacks and related claim costs remains high. There were a record 623 million attacks in 2021, double that of 2020. Although frequency dropped by 23% during the first half of 2022, the year-to-date total still exceeds that of the full years of 2017, 2018 and 2019. Attacks in Europe surged during the first six months of 2022.
Ransomware was forecast to cause $30 billion in damages to organisations globally by 2023, the report found. From an AGCS perspective, the value of ransomware claims the company was involved in, together with other insurers, accounted for well over 50% of all cyber claims costs during 2020 and 2021.
“The cyber risk landscape doesn’t allow for any resting on laurels. Ransomware and phishing scams are as active as ever - and on top of that there is the prospect of a hybrid cyberwar,” Scott Sayce, global head of cyber at AGCS and group head of the Cyber Centre of Competence, said.
“The cost of ransomware attacks has increased as criminals have targeted larger companies, critical infrastructure and supply chains. Criminals have honed their tactics to extort more money. Double and triple extortion attacks are now the norm – besides the encryption of systems, sensitive data is increasingly stolen and used as leverage for extortion demands to business partners, suppliers or customers,” he said.
Ransomware severity is likely to remain a key threat for businesses, fuelled by the growing sophistication of gangs and rising inflation, reflected in the increased cost of IT and cybersecurity specialists.
“Most companies will not be able to evade a cyber threat. However, it is clear that organisations with good cyber maturity are better equipped to deal with incidents. Even when they are attacked, losses are typically less severe due to established identification and response mechanisms,” Sayce said.
“Although we see good progress, our experience also shows that many companies still need to strengthen their cyber controls, particularly around IT security training, better network segmentation for critical environments and cyber incident response plans, and security governance,” he added.
Increasingly, smaller and mid-sized companies, which often lack the controls and resources to invest in cybersecurity, are being targeted by gangs as larger businesses invest more heavily in security. Gangs are also using a range of harassment techniques, tailoring ransom demands to specific companies, and using expert negotiators to maximise returns.
BEC attacks are also rising, facilitated by growing digitalisation and availability of data, the shift to remote working and, increasingly, ‘deep fake’ technology and virtual conferencing. BEC scams totalled $43 billion globally from 2016 to 2021, according to the Federal Bureau of Investigation, with a 65% spike in scams between July 2019 and December 2021 alone. Attacks are becoming more sophisticated and targeted, with criminals now using virtual meeting platforms to trick employees into transferring funds or sharing sensitive information. Increasingly, these attacks rely on artificial intelligence to produce ‘deep fake’ audio or video that mimics senior executives. Last year, a bank employee from the United Arab Emirates made a $35-million transfer after being misled by the cloned voice of a company director.