Insurer warns businesses still playing cat and mouse with cyber threats

There are new warnings that two years of high but stable loss activity, 2023 has seen a worrying resurgence in ransomware and extortion claims as the cyber threat landscape continues to evolve.

Insurer Allianz Commercial has issued a new report which found hackers are increasingly targeting IT and physical supply chains, launching mass cyber-attacks, and finding new ways to extort money from companies, large and small.

It added most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage.

The insurer’s analysis of large cyber losses shows the number of cases in which data is exfiltrated is increasing every year – has doubled from 40% in 2019 to almost 80% in 2022, with 2023 significantly higher.

“Cyber claims frequency has picked up again this year as ransomware groups continue to evolve their tactics,” says Scott Sayce, global head of Cyber, Allianz Commercial. “Based on claims activity during the first half of 2023, we expect to see around a 25% increase in the number of claims annually by year-end. The attackers are back, and focused again on Western economies, with more powerful tools, enhanced processes, and attack mechanisms. Given this dynamic, a well-protected company is necessary to stand up to the threat and, increasingly, the most important element of this is developing strong detection and fast response capabilities.”

According to the report, Cyber security trends 2023: The latest threats and risk mitigation best practice – before, during and after a hack, the frequency of cyber claims stabilized in 2022, reflecting improved cyber security and risk management actions among insured companies. Law enforcement agencies targeting gangs, together with the Ukraine Russia conflict, also helped curtail ransomware activity.  However, ransomware activity alone was up 50% year-on-year during the first half of 2023. So-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as US$40, remain a key driver in the frequency of attacks. Ransomware gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four.

“Double and triple extortion incidents – using a combination of encryption, data exfiltration and Distributed Denial of Service attacks – to obtain money are not new but they are now more prevalent,“ explained Michael Daum, global head of Cyber Claims, Allianz Commercial. “Several factors are combining to make data exfiltration more attractive for threat actors. The scope and amount of personal information being collected is increasing, while privacy and data breach regulations are tightening globally. At the same time, the trends towards outsourcing and remote access leads to more interfaces for threat actors to exploit.”

This year has also seen several large mass ransomware attacks as threat actors used exploits in software and weaknesses in IT supply chains to target multiple companies. For example, the MOVEit mass cyber-attack, which exploited a data transfer software product, impacting millions of individuals and thousands of companies, contributed to the increase in the frequency of claims in 2023 to date, affecting multiple policyholders simultaneously.

“More mass cyber-attacks can be expected in the future,” says Daum. “Companies and their insurers need to better understand the interconnectivity and dependencies that exist between organizations and within digital supply chains.”

The report added protecting an organisation against intrusion remains a “cat and mouse game, in which cyber criminals have the advantage”. Allianz’s analysis of more than 3,000 cyber claims over the past five years shows that external manipulation of systems is the cause of more than 80% of all incidents. Threat actors are now exploring ways to use artificial intelligence (AI) to automate and accelerate attacks, creating more effective AI-powered malware, phishing, and voice simulation. Combined with the explosion in connected mobile devices – Allianz Commercial has seen a growing number of incidents caused by poor cyber security in this area – attack avenues only look likely to increase.

Preventing a cyber-attack is therefore becoming harder and the stakes higher. As a result, early detection and response capabilities and tools are becoming ever more important. Around 90% of incidents are contained early. However, if an attack is not stopped in the early stages the chances of preventing it becoming something much more serious and costly greatly reduce.

“Traditional cyber security has focused on prevention with the goal of keeping attackers out of a network,” explained Rishi Baviskar, global head of Cyber Risk Consulting, Allianz Commercial. “While investment in prevention reduces the number of successful cyber-attacks there will always be a ‘gap’ remaining that will enable attacks to get through. For example, it is not possible to stop all employees from clicking on increasingly sophisticated phishing emails.”

“Prevention drives frequency of attacks and response is responsible for how significant the loss will be – whether it is a minor IT incident or a corporate crisis,” says Daum. “We believe companies can meaningfully prepare and there is room for improvement in how they respond to these attacker threats. Ultimately, early detection and response capabilities will be key to mitigating the impact of cyber-attacks and ensuring a sustainable cyber insurance market going forward.”