Evolution of Cyber Threats Requires Ongoing Cyber-Security Investment

November 01, 2023

Organizations' investments in cyber security are paying off, but the continued evolution of the cyber threat highlights the need for organizations to devote further attention to early detection and response capabilities, a new report from Allianz Commercial suggests.

In its Cyber Security Trends 2023 report, Allianz Commercial notes that after 2 years of high but stable loss activity, 2023 has seen a resurgence in ransomware and extortion claims. "Improvements in cyber security and business continuity are helping to combat encryption-based ransomware attacks, yet the cyber-threat landscape is continually evolving," the report says.

According to the October 25, 2023, report, the number of ransomware victims increased as much as 143 percent worldwide during this year's first quarter, while January and February saw the highest number of hack and leak cases in 3 years.

Allianz Commercial notes that ransomware alone is projected to cost victims approximately $265 billion annually by 2031.

The report says that hackers are increasingly targeting information technology (IT) and physical supply chains, launching mass cyber attacks and finding new ways to extort money from companies of all sizes. "Most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, adding further cost and complexity, as well as the increased potential for reputational damage and third-party liability," the report says.

The Allianz Commercial report also notes the continuing impact of Ransomware as a Service (RaaS) on cyber-attack frequency and losses. RaaS kits can be had for as little as $40 per month, according to the report. In addition, ransomware gangs are carrying out more attacks more quickly, with the average number of days needed to execute an attack falling from around 60 days in 2019 to 4.

This year has also seen several large mass ransomware attacks, Allianz Commercial says, with threat actors using software exploits and weaknesses in IT supply chains to target multiple companies.

"More mass cyber-attacks can be expected in the future," Michael Daum, global head of cyber claims at Allianz Commercial, said in a statement. "Companies and their insurers need to better understand the interconnectivity and dependencies that exist between organizations and within digital supply chains."

Allianz Commercial says that its analysis of a number of large insurance industry cyber losses showed that the proportion of cases in which data is exfiltrated is increasing every year. Such data exfiltration cases increased from 40 percent of all cyber-loss cases in 2019 to about 77 percent of cases in 2022, the report says, adding that 2023 is on pace to surpass last year's total.

Data exfiltration can significantly add to the cost of a loss from a cyber attack or a cyber claim, Allianz Commercial says. Such incidents can take longer to resolve, and legal and IT forensics can be extremely expensive.

In addition, in cases where data has been stolen, companies must determine exactly what data has been exfiltrated and will likely have to notify customers, who could seek compensation or threaten litigation, the report says.

"Double and triple extortion incidents—using a combination of encryption, data exfiltration, and Distributed Denial of Service attacks—to obtain money are not new but they are now more prevalent," Mr. Daum said. "Several factors are combining to make data exfiltration more attractive for threat actors. The scope and amount of personal information being collected is increasing, while privacy and data breach regulations are tightening globally. At the same time, the trend towards outsourcing and remote access leads to more interfaces for threat actors to exploit."

The Allianz Commercial report notes that given the potential financial and reputational consequences, companies might feel greater pressure to pay ransoms in cases where data has been stolen. The insurer's analysis of insurance industry cyber losses exceeding 1 million euros between 2019 and the end of the first half of 2023 showed that the proportion of companies paying a ransom had increased from as little as 10 percent in 2019 to 54 percent in 2022.

Companies are 2.5 times more likely to pay a ransom in cases in which data has been exfiltrated, the insurer's analysis found, with 56 percent of companies paying a ransom when data was exfiltrated versus 21 percent paying a ransom in cases not involving data exfiltration. Allianz Commercial notes, however, that recent mass hacks have also seen some instances in which companies simply refused to pay a ransom.

With growing interconnectivity of digital supply chains and the increase in mass ransomware attacks, the threat of risk accumulation becomes a growing concern for insurers, the report suggests.

With the possibility of multiple claims being triggered simultaneously, mass ransomware attacks are a potential "gamechanger" for the insurance industry, Jens Krickhahn, a regional practice leader, cyber insurance, at Allianz Commercial, said in the report.

"This year we had our first event case, with 40 policies triggered at the same time," Mr. Krickhahn said. "From a claims management side that creates a completely new scenario, as you are in contact with multiple insureds at the same time, on the same topic, with different service providers and vendors. The once theoretical risk of an accumulation exposure is now reality."

That threat of risk accumulation will likely lead insurers to look more closely at different industries and sectors as they consider coverage and capacity management, the report says.

The future cyber-security landscape is clouded further by a cyber-security skills shortage, the Allianz Commercial report says. The current global cyber-security skills gap stands at 3.4 million people, the report says.

The growing shortage of cyber-security professionals complicates both cyber-security efforts and the response to cyber attacks when they occur, Allianz Commercial says.

Ultimately, the key to avoiding damaging cyber attacks and mitigating losses when attacks occur is to detect an attack in its earliest stages, the report says. "Companies should direct additional cyber security spend on detection and response," the report says. "Only one third of companies discover a breach through their own security teams."

"Companies cannot prevent. They can only reduce the number of attacks that surpass the first line of defense," Mr. Daum said. "There needs to be detection and response because it's no longer possible to prevent every attack, no matter how much you invest in IT security. Companies need to catch these attacks before the next stage and prevent the most severe incidents that might bring their business to a halt and damage their reputation."
