Global Trends in Cyber Risk

Ransomware On The Rise

The scale and scope of ransomware attacks are increasing at an unprecedented rate. This is due to a combination of factors including the rapid rise of digitalization, growing use of cryptocurrencies, increased geo-political tensions, the extraordinary environment created by the pandemic, and improved schemes which have made ransomware even more profitable. 

Ransomware is a malware that infects computer devices and can lock down access to entire computer networks, effectively holding a business hostage until a ransom is paid. 

The malware often infiltrates a system’s servers by means of an innocuous email (‘phishing’) sent to an employee of the targeted company. The human layer is often the weakest link in cyber defense and is thus a ripe target for cyber criminals. It is estimated that anywhere between 50% and 90% of data breaches are caused or abetted by employees.[3] 

The price of ransom is growing alongside the rise in use of ransomware. The average ransom paid by companies based in Europe, the US and Canada nearly tripled from $115,123 to $312,493 in just over a year.[4] This increase is due, in part, to new tactics employed by the cyber hackers that combines data captivity with threats to leak the data on public sites, a dual threat that leaves businesses with little to no recourse but to pay the ransom.[5]

It is also due in part to the shifting of targets. Rather than targeting individual personal computers, cyber criminals are targeting public and private sector organizations of various size which enables an increase in both the ransom requested and the probability of successful payment.[6]

The financial services industry is facing a significant increase in ransomware attacks, impacting major firms and risking systemic damage. Recently, Fidelity National Financial, a leading title insurance company, shut down some systems after a breach where credentials were stolen. Similarly, a January attack on Ion disrupted derivatives trading for several days[7]. Mr. Cooper Group, a top mortgage servicer, also had to shut down systems in October due to a hacker intrusion[8].

According to a Moody’s report, the financial sector's extensive use of interconnected technology and third-party vendors heightens the risk of systemic damage[9]. The recent ransomware attacks serve as a stark reminder of the vulnerabilities in the financial sector, particularly concerning the stability of the $26 trillion Treasury market. These incidents underscore the urgent need for enhanced resilience in what is a critical component of global financial infrastructure[10].

The threat of a ransomware attack is forecasted to only get worse with the growing use of the “franchise” model adopted by cyber criminals, whereby malware is leased on the dark net to so-called affiliates in a ransomware-as-a-service scheme with the lessors earning a royalty, thus making sophisticated ransomware more widely available and profitable.[11]

Business Disruption

Whether or not a cyber incident leads to a ransom payment, the costs associated with any resulting business disruption far exceeds the amount demanded. In fact, these costs can be anywhere from five to 100 times greater than the cost of a ransom itself, often inciting businesses to pay the ransom just to avoid the costs of disruption.[12]

Business disruption is the income lost when a resource cannot be used or a service cannot be provided leading to lost sales, reduced efficiency, increased spending related to the cyber incident (recovery of IT systems, damages paid out to clients, etc.) and reputational damage. 

While larger companies are usually better positioned to sustain the losses brought on by business disruption, it is small to medium enterprises (SMEs) that suffer disproportionately when they find themselves the victims of a cyber attack. 

It is estimated that 45% of online attacks target SMEs.[13] Unlike larger companies, SMEs have limited or even non-existent cyber defenses or hygiene. For businesses of all sizes, the average cost of disruption is around $200,00o; for SMEs this cost can be insurmountable, with 60% of SMEs going out of business after being victimized.[14]

As for paying a ransom to avoid the costs of business disruption - paying doesn’t guarantee full recovery and it certainly doesn’t eliminate all the business disruption costs associated with ensuring that every machine is infection free. Moreover, the payment of ransom does not guarantee that a company’s data will be returned whole. The cybersecurity firm Sophos found that ransom-payers got back only 65% of the encrypted data on average, leaving more than a third inaccessible.[15] And even if the data is returned, there is no guarantee that it has not been copied for future use, sale and/or blackmail.

While many businesses rely on business interruption and property insurance to help offset the costs of cyber incidents, increasingly insurance companies are relying on the “act of war” clauses to shield them from payouts. The high profile NotPetya ransomware attack and the resulting lawsuit against Zurich American Insurance for its denial of coverage under it’s ‘act of war’ exclusion policy demonstrates that cyber insurance cannot be considered a replacement for cyber security.[16]

Increased Liability

In addition to the risks related to business disruptions and ransom payments, companies also are confronted with increasing potential liability if they are found to not have complied with the laws and regulations in force in the countries in which they operate or if they are found to have been negligent, not exercising due care to limit cyber risk. 

In Europe, the General Data Protection Regulation (GDPR) implements fines for businesses if they do not follow data protection guidelines or data breach reporting requirements. Businesses risk being fined, the greater of, up to 4% of their annual global revenue or 20 million Euros if they violate the regulation.[17]

The implementation of the GDPR has already led to an increase in claims notifications. According to the law firm Pinsent Manson, between March 2019 and May 2020, a total of 190 GDPR fines were issued by European data protection authorities, with a value of almost $500 million.[18] Notable large fines for violations include $57 million for Google in France and $41 million for H&M Germany.[19]

From Europe, to the US, and to the world over, data privacy regulations and mandatory breach disclosure laws vary widely, making legal due diligence across markets essential for businesses, and in particular, multinationals. The hotel group Marriott and credit score agency Equifax suffered highly publicized data breaches in 2018 and 2017 respectively, and were subject to numerous lawsuits and regulatory actions in multiple jurisdictions with Marriott facing a $130 million fine in the UK alone for the breach.[20] 

Intellectual Property Theft 

Given the pervasiveness of data breaches, companies are treating them more and more as another cost of doing business. This, however, is not at all the case with data theft concerning intellectual property (IP), which is seen as one of the greatest threats companies yet face. 

While the theft of IP has been around as long as IP itself, the latest developments in cyber espionage and theft should have companies worried.

Cyber hackers are increasingly relying on Advanced Persistent Threats (APTs), where access to a system can remain undetected for an extended period of time with the goal of stealing data or penetrating a network. APT attacks are often intended to steal sensitive intellectual property or data for political or economic gains.[21]

In the early months of the pandemic, hackers targeted the World Health Organization by infiltrating its networks with the APT known as ‘Dark Hotel’; an effort to steal sensitive information relating to Covid-19.[22] The health care industry and more recently, vaccine research, are highly targeted because ultimately their Intellectual Property is highly valued.

Yet, in some cases the theft of IP is meant to steal a competitive advantage, hijack new technology and trade secrets and cause hundreds of millions of dollars in R&D investments to be lost. This was the case for chip-maker AMD, where attackers stole and leaked the Xbox Series X graphics source code.

In all cases, the impact on revenue streams from IP theft by cyber intrusions may lead to reduced R&D efforts and an increase in the cost of capital if the IP is seen by investors as not sufficiently protected.[23]

Risks to Mergers & Acquisitions

Mergers and Acquisitions (M&A) are fertile ground for cyber criminals providing them with both short and long term opportunities.

In the short term, with business operations in transition, data is more vulnerable and at higher risk of being targeted. In the long term, M&A transactions serve as a prime opportunity to infiltrate the merging or acquired company’s networks, often by the employ of APTs, in an effort to ultimately gain access to the targeted company’s environment and information over an extended period of time.

Since 2021, M&A activity peaked, the focus of cyberattacks has expanded beyond the primary companies involved in transactions to include intermediaries such as investment banks and funds. These attacks pose a new risk for such entities.

One significant incident in June 2023 involved a cyberattack by the Russian group Clop on Datasite, a major M&A service provider. This platform facilitates the exchange of confidential documents between buyers and sellers, with clients like Blackstone, Goldman Sachs, JP Morgan, UBS, and EY. The attack resulted in the leakage of data from approximately 800 users across more than 10,000 transactions in 180 countries[24].

The scale and nature of hacker offensives have evolved to target not just the companies undergoing mergers but also their boards, intermediaries, and service providers, including IT firms. Other notable targets include the M&A departments of prominent law firms like Kirkland & Ellis, K&L Gates, Proskauer Rose, and Allen & Overy—possibly searching for intelligence[26].

The threats facing M&A highlights the importance of conducting cyber due diligence at the pre-acquisition phase. Indeed, more than 50 percent of companies surveyed by IBM wait until due diligence is completed before they perform cybersecurity assessments of M&A transactions.[26]

While a company may have state of the art cyber security, if it acquires a company with weak security or existing vulnerabilities it could be liable for any damage from incidents that occurred prior to the merger, as seen in the data breach of the hotel group Marriott. Although the data breach was discovered in 2018, it was traced to a cyber intrusion that occurred in 2014 at Starwood, a hotel group that it acquired in 2016.[27] Had Marriot conducted cyber due diligence during pre-acquisition, this vulnerability could have been discovered and/or measures could have been taken together with a revised valuation. Further, acquiring a company that may have vulnerabilities may amount to integrating a trojan horse.

The Escalation of AI-Powered Cyber Threats

The technological landscape has been profoundly transformed by the rapid advancements in artificial intelligence (AI), which have permeated various sectors, including cybersecurity. This integration, however, presents a paradox where AI is a tool for both safeguarding digital realms and facilitating sophisticated cyberattacks. The escalation of AI-powered cyber threats is a significant consequence of these advancements, as cybercriminals exploit AI to conduct attacks that are more effective, scalable, and difficult to detect.

AI technologies enhance cybercriminal capabilities by enabling the automation and personalization of attacks. For example, AI-driven phishing campaigns utilize generative AI to create emails that mimic legitimate messages from trusted sources, thus increasing their deceptive potential. These emails are tailored to the recipient’s characteristics, making them less likely to be recognized as threats . Similarly, AI can automate social engineering attacks by crafting believable personas and scenarios to manipulate targets .

Deepfake technology, another byproduct of AI, is used maliciously to create audio and video clips that are disturbingly realistic. Notably, cybercriminals have employed deepfake audio to impersonate corporate executives, coaxing unsuspecting employees into transferring funds or divulging sensitive information. This form of AI manipulation plays on human trust and the authenticity typically attributed to visual and auditory communication, showcasing the complex challenges AI poses in security contexts .

Adversarial AI attacks represent a more direct assault on AI systems themselves, where attackers feed manipulated data to AI models to induce errors or malfunctions. This could involve deceiving AI-powered surveillance systems or bypassing automated security protocols. The sophistication of these attacks lies in their exploitation of specific vulnerabilities inherent in AI algorithms, which may not be readily apparent or easily defensible .

The rise of AI-powered cyber threats underscores the urgent need for equally sophisticated cybersecurity measures. Traditional defense mechanisms, such as signature-based antivirus software and rule-based intrusion detection systems, are often inadequate against these AI-enhanced threats. The cybersecurity industry is thus compelled to develop AI-driven security solutions capable of adapting to and countering the dynamic and evolving strategies used by cyber adversaries.

As AI continues to evolve, so too does the nature of cyber threats, necessitating a paradigm shift in cybersecurity strategies. The development of advanced AI-powered cybersecurity tools is critical in staying ahead of cybercriminals who are equally equipped with AI capabilities. This ongoing arms race in cybersecurity not only highlights the capabilities of AI but also its potential perils, making the role of AI in security a double-edged sword that must be wielded with utmost caution and responsibility.

Building Cyber Resilience

Despite these challenges and the fact that being a victim of cyber crime is becoming more a question of when rather than if, most organizations do not have a plan in place to both prevent and respond to cyber security breaches.[28] 

Figure 1. Proportion of organizations that have a plan to prevent and respond to IT security incidents. Source: McAfee, “The Hidden Costs of Cyber crime”

The importance of having a solid cyber risk management program cannot be underestimated. Every day new technical and security breaches are discovered. Every business change can create unintended vulnerabilities. Every new employee, consultant or contractor is a new risk that needs to be managed. A hacker only needs to be successful once, while a company’s security measures must be successful 100% of the time - in an ever-changing threat landscape. The regular undertaking of cyber security audits, evaluating their results and researching and implementing improvements is thus an essential, and never-ending, process that should be adopted by all organizations that take cyber risk seriously. 

Vaultinum, a Swiss based digital solutions company, has developed an intelligent auditing tool that enables companies to conduct their own due diligence in cybersecurity, examining an organization’s security risk management program, data protection procedures, security certifications, and office, equipment and infrastructure protections. Our solution is a self-assessment questionnaire developed by leading experts in cyber security with the aim of helping companies improve their cybersecurity awareness, mitigate risks and put in place recommended policies and procedures based on industry standards in order to help prevent cyber incidents from occurring and building resilience in the face of one.

References:

[1] ”2023 Official Cybercrime Report”. Esentire https://www.esentire.com/resources/library/2023-official-cybercrime-report

[2] Idem

[3] Dobie, G., Whitehead, J. (2020). Managing the impact of increasing interconnectivity: Trends in Cyber Risk. Allianz Global Corporate & Specialty.

[4] Sroxton, Alex. “Average ransomware cost triples, says report”. Computer Weekly.com, 17 Mar. 2021, https://www.computerweekly.com/news/252498029/Average-ransomware-cost-triples-says-report

[5] Singleton, C. (2021). X Force Threat Intelligence Index 2021. IBM Corporation.

[6] (2020). Internet Organized Crime Threat Assessment 2020. Europol. https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2020

[7] Jones, D. “For financial services firms, a pattern of malicious cyber activity is emerging.” Cybersecurity Dive, 29 Nov. 2023, https://www.cybersecuritydive.com/news/financial-services-malicious-cyber/700978/

[8] Idem

[9] Idem

[10] Bansal, P. “Inside Wall Street's scramble after ICBC hack.” Reuters, 17 Nov 2023, https://www.reuters.com/technology/cybersecurity/market-inside-wall-streets-scramble-after-icbc-hack-2023-11-13/

[11] Morgan, Steve. “Cybercrime To Cost The World $10.5 Trillion Annually By 2025”. Cybercrime Magazine, 13 Nov. 2020, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

[12] Riley, Tonya. “The Cybersecurity 202: Global losses from cybercrime skyrocketed to nearly $1 trillion in 2020, new report finds”. Washington Post, 7 Dec. 2020, https://www.washingtonpost.com/politics/2020/12/07/cybersecurity-202-global-losses-cybercrime-skyrocketed-nearly-1-trillion-2020/

[13] Steinberg, Scott. “Cyberattacks now cost companies $200,000 on average, putting many out of business”. CNBC, 13 Oct. 2019, https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html

[14] Steinberg, Scott. “Cyberattacks now cost companies $200,000 on average, putting many out of business”. CNBC, 13 Oct. 2019, https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html

[15] Bajak, Frank. “Ransomware gets paid off as officials struggle for fix”. Associated Press, 22 June 2021, https://apnews.com/article/joe-biden-europe-government-and-politics-technology-business-3b81e8116c42439566040a052617ad55

[16] Garrie, Daniel; Rosen, Peter. “'Act Of War' Questions In Cyberattack Insurance Case”. Law 360, 23 April 2019, https://www.law360.com/articles/1152572

[17] EU General Data Protection Regulation (GDPR): Article 83, Section 6.

[18] Dobie, G., Whitehead, J. (2020). Managing the impact of increasing interconnectivity: Trends in Cyber Risk. Allianz Global Corporate & Specialty.

[19] Idem

[20] Dobie, G., Whitehead, J. (2020). Managing the impact of increasing interconnectivity: Trends in Cyber Risk. Allianz Global Corporate & Specialty.

[21] Adam, M. “Cyber Risk in a new era: insurers can be part of the solution”. S&P Global Ratings, 2 Sep 2020, https://www.spglobal.com/ratings/en/research/articles/200902-cyber-risk-in-a-new-era-insurers-can-be-part-of-the-solution-11590046

[22] Seals, T. “Hackers amp up Covid-19 IP Theft Attacks”. Threat Post, 28 Dec 2020, https://threatpost.com/hackers-amp-up-covid-19-ip-theft-attacks/162634/

[23] Smith, Z.M., Lostra, E., Lewis, J.A. (2020). The Hidden Costs of Cybercrime. Center for Strategic and International Studies.

[24] Drif, A. “Hackers increasingly aggressive against investment banks”. Les Echos, 2 Jan. 2024.

[25] Idem

[26] Idem.

[27] Brewster, T. “Revealed: Marriott's 500 Million Hack Came After A String Of Security Breaches”. Forbes, 3 Dec. 2018, https://www.forbes.com/sites/thomasbrewster/2018/12/03/revealed-marriotts-500-million-hack-came-after-a-string-of-security-breaches/

[28] Smith, Z.M., Lostra, E., Lewis, J.A. (2020). The Hidden Costs of Cybercrime. McAfee.