Worldwide, ransomware damage costs are predicted to reach US$20bn in 2021, up from US$5bn in 2017, testimony to the growth and severity of this issue. Cyber thieves also took advantage of existing gaps when the COVID-19 pandemic drove many companies to move to remote working. Businesses, governments, healthcare facilities and schools have all been targeted.
A refinement of methodology and technology, the anonymity of the digitised world and hard-to-trace payment channels such as cryptocurrency have all contributed to an increase in the severity and frequency of ransomware threats, with real-world consequences that sometimes far outweigh the cost of the ransom payment alone.
What, precisely, is ransomware? In brief, it is a form of malware that encrypts files on a computer, rendering those files, and the systems that rely on them, unusable. This effectively ‘freezes’ the digital information until the targeted organisation pays the ransom demanded by the malicious actors in exchange for the means (typically a decryption key) to bring the data back under its control.
In some instances, data has also been exfiltrated or destroyed outright. Malware can spread through file-sharing services, removable media and external hard drives. Infected emails, however, are the predominant vector. Cisco reports that over 90% of malware infections start with malicious emails, many of them phishing emails that deceive employees into opening an attachment or link and so activating the malware.
The increasing frequency of ransomware attacks is one reason for concern; the other is the steadily rising size of ransom demands and payouts. For example, in February 2020, a ransomware attack cost a Denmark-based company upwards of $50m.
Asia Pacific cyber incidents and impact on the 2021 cyber insurance market
The APAC region accounted for 7% of the total reported ransomware incidents in 2020. The development of attacks in APAC mirrors what is visible at the global level, and the region’s higher encounter rate, compared with the rest of the world, has put a spotlight on it as an emerging driver of that global trend. A survey showed that 27% of victims chose to pay the requested ransom, with average payments of $1.18m in APAC, $1.06m in EMEA and $0.99m in the US (see Graph 1).
Ransomware – and the role of insurance
The impact of a ransomware attack on a business can take many negative, even crippling, forms, including regulatory fines and reputational damage. From business interruption, loss of data, breaches of personal data and/or confidential information, the costs of data restoration, incident response and ransom payments, to a loss of trust among customers, an attack can deal a devastating blow to businesses of all sizes. In the worst case, it can force an organisation to shut down operations entirely.
In response, demand for cyber insurance continues to grow significantly. This is driven by increasing risk awareness, accelerated digitisation in the COVID-19 environment and changes in data privacy legislation, and by the fact that ransomware is a typical trigger in most cyber insurance products, which respond to any malicious act, including theft of data or malware, that has an impact on the insured’s computer systems.
Cyber insurance has played a critical role in helping businesses prevent, as well as survive, an attack. Insurers have shown that they can be part of the solution and help build resilience and preparedness across all industries. Implementing the respective measures and controls can act as a ‘digital vaccine’ of sorts, but these tactics will not always prevent a successful attack.
Insurers can provide coverage for the residual risks that cannot always be prevented, including the direct financial consequences of ransomware attacks: financial losses resulting from business interruption, data recovery and restoration, IT forensic services (threat identification and investigation to prioritise the response and contain the threat), incident reporting, legal consulting and remediation. The cost of business interruption and of restoring data and systems currently dominates the insured loss. There is an open discussion in the market as to what extent the insurance industry should continue to reimburse ransom payments, where legally permissible.
Ongoing challenges of ransomware
With the increase in the volume and complexity of ransomware attacks come challenges that span government risk, increased regulation, insurers’ exposure and digitalisation challenges in the private sector. At the government level, the US Treasury Department has warned individuals and businesses that facilitate ransomware payments that they may be violating anti-money laundering and sanctions regulations.
Persons and companies involved in ransomware payments need to be aware of their obligations under the Office of Foreign Assets Control (OFAC) regulations; OFAC has said it has imposed, and will impose, sanctions on those who “materially assist, sponsor, or provide financial, material, or technological support” for activities related to ransomware.
Regulation will remain a critical focus for cyber insurance; data protection enforcement made headlines in 2020 with record fines against offenders. Enforcement is expected to tighten around the world, particularly given that 128 of 194 countries had data protection and privacy laws in place as of 2020. In the private sector, businesses that wish to increase digitalisation must be proactive and well informed about the steps they can and should take to mitigate growing cyber crime activity.
Managing cyber risk and increasing resilience
For insurers, ransomware is more a profitability and sustainability issue for this still-young line of business than a risk management problem. Profitability can be managed through features already used in other lines of business, including rate increases, sub-limits or coinsurance. For all parties involved, the insurance and reinsurance industry, insureds and relevant stakeholders such as regulators and government bodies alike, cyber resilience should be the main focus; it can be achieved by taking social responsibility, applying risk-minimisation strategies and strengthening cyber security. Pre-incident services offered as part of an insurance solution can and should include employee awareness training, network vulnerability monitoring, gap analyses and other measures that help limit cyber criminal activity.
An ongoing exchange of information and collaboration among risk owners, cyber security service providers, associations, research and development bodies and supranational authorities is critical to establishing suitable services, preventive measures, cyber resilience and a sustainable market environment going forward.
For insurers, maintaining profitability and sustainability will be a focal point, particularly given that the cyber insurance market has been under-priced for many years. Premium increases and stricter underwriting guidelines are already under way. Navigating reputational risk will only become more challenging when covering ransomware attacks, given the rise in criminal activity, sanctions and more. Regulators will continue to grapple with expanding data breach regulation.
One thing is certain: cyber crime, and ransomware in particular, will be a critical topic for everyone involved in regulating and insuring organisations for the foreseeable future. The insurance industry, for its part, should help to hinder cyber criminal opportunities by insisting on minimum security requirements before cover is granted, encouraging insureds to treat the existence and limits of their cover as confidential (attackers who learn that a victim is insured, and for how much, can size their demand accordingly), encouraging the reporting of attacks, and investing in learning strategies that improve preparedness and resilience.
Munich Re will continue to support governmental agencies and national authorities, and to remain active in lobbying, with the ultimate goal of minimising cyber criminal activity and limiting its effects. From cyber threat management awareness to helping companies protect their investment in digitalisation capabilities, our focus is to help clients in the Asia market succeed.
Mr Andreas Schmitt is head of cyber Asia with Munich Re.