In an increasingly digital era, heightened connectivity among organizations and the consolidation of management solutions have created the perfect storm for supply chain cyberattacks.
These security events occur when cybercriminals infiltrate a company by targeting less secure elements within its supply chain, often exploiting vulnerabilities in third-party vendors, suppliers, or service providers that have access to the company’s network or data. These attacks are not only increasing in frequency but also in cost.
By 2025, it’s predicted that 45% of organizations will have experienced attacks on their software supply chains. Additionally, a report from Cybersecurity Ventures states that the global cost of software supply chain attacks could reach nearly $138 billion, with damage expenses anticipated to increase by 15% annually.
Last month, CDK Global, an American company whose software car dealerships use to manage sales and service, experienced back-to-back cyberattacks, disrupting a number of dealerships that rely on its platform. Despite the incidents, there are no confirmed reports of CDK paying any ransom demands, although the cybercriminal group BlackSuit allegedly demanded millions of dollars from CDK to return its data.
According to Kirsten Mickelson, cyber group practice leader at Gallagher Bassett, dealerships are an attractive target because of the vast amounts of sensitive customer data they hold, such as financial history, credit applications and social security numbers.
Given that CDK’s services are utilized by approximately 15,000 dealerships across the US and Canada, the widespread adoption of this centralized management solution means that breaches of this nature tend to have a cascading effect. “Supply chain attacks are how hackers get the most bang for their buck,” Mickelson said. “You attack the vendor, but then there’s that trickle-down effect that, in the case of CDK, is going to affect thousands of customers.”
“Cyber insurance is an investment, not an expense,” said Mickelson, who noted that spikes in supply chain attacks may be due to a lack of cyber insurance among SMEs.
“We’re handling, I’d say, almost 200 of these claims from the downstream dealerships that have been affected by the CDK attacks,” she added.
“From clients that aren’t in the tech space, and especially SMEs, they tend to think, ‘oh, we’re small, we’re not a target, why would a threat actor want to go after us?’” shared Mickelson.
Sophos’s 2024 Cyber Insurance and Cyber Defenses survey found that ‘awareness of business impact’ was the most common reason behind purchasing cyber protection policies. However, with research indicating that a staggering 90% of cyber risks remain uninsured, it is clear that many businesses are unaware of the true costs involved.
Chester Wisniewski, director and global field CTO at Sophos, agrees. “Clients may estimate, ‘If our office has to close for a day, it might cost us $250,000’. So, a $500,000 policy might sound reasonable to them. But they often don’t realize how quickly costs can escalate into the millions of dollars once you need to involve outside experts and potential ransom negotiators.”
With average ransom payments hitting $2 million, brokers can add significant value to clients by helping them understand the realistic costs of data breaches.
Aside from providing accurate estimates on policy limits, brokers can encourage clients to practice safe cybersecurity measures through the following strategies:
In addition to underinsurance, Sophos’s survey highlights a significant lack of understanding among clients regarding their cyber policies. In fact, 40% of respondents whose organizations have a cyber insurance policy were unsure whether or not it covered ransom payments.
Mickelson emphasized that brokers can also play an important role in helping clients understand the nuances of their cyber policies - what they are covered for and what they are not - in the event of an attack.
“There’s an interesting distinction that we’ve seen in the market. And that is, does the cyber policy pay a ransom on behalf of the policyholder, or will the cyber policy reimburse the policyholder for a ransom payment. And while a fine point, in practice, it makes a world of difference. If a ransom is millions of dollars, and you’re a relatively smaller, middle-market organization, you might not have that cash flow on hand to afford that,” said Mickelson.