Cyber criminals were busy this year as they targeted public and private entities around the world, with the hacks of HSBC and Facebook most recently coming to light. As organisations rushed to patch the gaps in their security infrastructure and became more attuned to the risks that cyber incidents posed, hackers’ behaviours changed as well over the course of 2018 as they moved from using mass mailing, indiscriminate malware as their weapon of choice to relying on more targeted extortion efforts.
“The actual amount of funds that cyber criminals have been able to raise has been a lot lower than the early days of things like CryptoLocker,” said Graeme Newman, chief innovation officer at CFC Underwriting. Crypto operators netted upwards of seven to eight digit sums from the ransomware that had thousands of victims, according to some estimates. “What’s happened in more recent months is that those numbers have come down significantly, maybe because of the volume of ransomware and the increasing sophistication of endpoint protection systems to block ransomware, and also growing employee awareness of malicious links.”
Cyber criminals are more frequently handpicking their targets and seeking larger individual ransom demands today, added Newman, which are higher than the $500 or $1000 demands that were popular even 12 months ago. Much of the cybercrime that’s committed is also coming out of the major nation-state actors, such as North Korea and Iran, which have had economic sanctions imposed against them and have turned to ransomware as a way to generate income, though that’s not the only bad behaviour seen from these kinds of criminals.
“What we’ve seen in last 12 months and going forward is a lot of reconnaissance activity. The old spying game has moved from the physical world into the virtual world, and it is far easier and more lucrative to conduct that electronically,” said Newman.
As for the types of organisations falling prey to cyber criminals, the hacking of the public sector may have made headlines this year, but the cyber expert believes that it’s not more or less targeted than it was before 2018. Chronic underinvestment in IT security and more transparency on the part of public entities are to blame for this widespread coverage.
“A lot of the indiscriminate attacks that we saw in 2017 and early 2018 disproportionately affected public entities because they were easy victims, and they were victims that would openly put their hand up in the media. I think that’s why we read a lot about breaches with public entities, rather than necessarily them being targeted,” said Newman.
To guard against the heavy losses that can come as a result of a cyber incident, companies are turning to cyber insurance, though take-up rates vary across regions, sectors, and size of organisations. Depending on the analysis, the penetration of cyber insurance in the US – globally the most mature market when it comes to cyber insurance – is around 30%, and if you examine Fortune 500 companies, that number goes up to around 70% or higher, explained Newman. Privacy-exposed entities, including financial institutions, and companies in the retail, healthcare and education sectors, are meanwhile continuing to do most of the buying, though that’s also evolving.
“The events that really drove changes in buying behaviour in the US were really WannaCry and NotPetya – NotPetya probably being the single biggest driver of change,” Newman told Insurance Business. “As a result of those events, what we’re seeing is much bigger interest and adoption in cyber insurance by non-privacy industries, such as manufacturing, transportation, logistics. Businesses which don’t traditionally hold large volumes of very sensitive data suddenly realised that actually their whole business operations depend upon technology and availability of technology and the data that underpins that.”
The international arena meanwhile looks very different. Take-up rates of cyber insurance across entities of all sizes outside the US have been lower, with roughly 85% of the world’s cyber insurance being sold to US-headquartered entities, said the CIO, though he added that that’s changing dramatically.
“Our own international portfolio grew by over 140% last year and we saw significant increase in adoption in Canada, the UK, and Australia,” he explained. The cybercrime component of cyber insurance internationally seems to particularly resonate with SMEs, like theft of funds from business email compromises, which is one of the day-to-day risks faced by small and medium-sized businesses. On the other hand, the US market has developed in a different direction, whereby coverage didn’t include basic cybercrime cover, though – you guessed it – that’s changed in 2018 as well.” Newman expects that this evolution will open doors for many more SMEs adopting the cyber product.
Yet, if there’s one thing that brokers who sell cyber insurance should be aware of about the offering going into 2019, it’s business interruption.
“If you look back to 2014-2015 when the cyber market was beset with a whole load of retail breaches [and] payment card information (PCI) data breaches, all the wordings in 2015-2016 started to focus heavily on PCI,” said Newman. “We’re seeing something very similar in 2018-2019, that the major events that define the market are business interruption-related events. That’s caused insurers and brokers to really focus on the clarity within business interruption language and what we’re seeing is material differences in coverages.
“Business interruption, in many ways, is the forgotten cover or the unloved cover of a cyber form, and the wording has been relatively unsophisticated. We’re seeing that change a lot and we’re seeing cyber insurers actually adapt a lot of their business interruption language so it reads much more akin to the business interruption language that you would see in a property form.”
What triggers the coverage, which used to just be malicious cyberattacks, is also broadening.
“We’re seeing coverage extend out to all manner of technology failures, not just those caused by malicious electronic attacks, [but] operator error or user error, administrative error, software bugs, failure upgrades,” said Newman. “We’re moving towards a kind of All-Risk, non-physical peril.”