Library: Insurance Thought Leadership – Cyber risk and insurance in 2022
Executive summary:
The pandemic has created new cyber vulnerabilities, heightened existing risk factors and accelerated the pace at which cybercriminals wreak havoc on even the most secure systems. Undoubtedly, 2022 will see more of the same.
Many large organisations responded to heightened cyber threats by ramping up their security budgets and deploying state-of-the-art security technology. Small and mid-size businesses with less sophistication and smaller budgets are not defenceless, however. By staying aware of the changing risk landscape and implementing basic countermeasures, business owners and their IT professionals can deter cyber attacks and be better prepared to respond if they nonetheless happen.
Organisations with a strong focus on cybersecurity also can make a case for more favourable terms from the cyber insurance market, which has seen rates increase and coverage shrink as claims accelerated over the past several years.
A quick tour of the cyber risk and insurance landscape in 2021
Cybercriminals had a banner year in 2021. According to Check Point Research, cyberattacks increased 50% in 2021 as compared with 2020, with each organisation facing an average of 925 attacks per week.
With large numbers of employees working from home and using their personal devices for business purposes, corporate networks were left vulnerable to the often-inadequate security practices of individual employees. According to security company CrowdStrike in its 2021 Global Threat Report, this created a “feeding frenzy for cyber predators spurred on by the windfall of easy access to sensitive data and networks.”
Phishing and ransomware were far and away the primary attack vectors, affecting both large and small businesses. Phishing attacks increased in number and sophistication as “fear, concern and curiosity surrounding COVID-19 provided the perfect cover for a record-setting increase in social engineering attacks,” according to CrowdStrike. Data from the Human Hacking report published by SlashNext Threat Labs shows phishing attacks rose 51% in 2021 as compared with 2020.
Successful phishing campaigns often resulted in ransomware attacks. Ransomware is not a new cybersecurity threat, but it is one that cybercriminals have learned to use with far more devastating effect in recent years. Since the beginning of the pandemic, ransomware claims have increased four-fold. The average ransom demand increased about 900% as cybercriminals employed increasingly sophisticated and damaging tactics, techniques and procedures. One notable 2021 ransomware attack targeting pipeline operator Colonial Pipeline resulted in $4.4 million being paid to a Russian cyber gang.
Denial of service can hit any size business
In addition to the cost of paying the criminals, ransomware attacks also can cause downtime and business interruption losses. A 2020 attack on the University of Vermont Medical Center, for example, cost the hospital an estimated $50 million, mostly from lost revenue.
Many ransomware attacks are directed at supply chains. A single supply chain attack can hit numerous organisations, providing cybercriminals the ability to use a single intrusion to attack multiple targets. Cybercriminals often use smaller, more vulnerable companies in a supply chain to gain access to larger, better-defended companies.
One of the most widespread and sophisticated supply chain attacks targeted SolarWinds, a major information technology firm. SolarWinds unknowingly sent its customers, including U.S. government agencies such as the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration and the Treasury, software updates that were tainted with code that left them vulnerable to hackers. More than 18,000 organisations, both public and private, were affected.
Bigger losses, greater demand
Increased losses sparked higher prices and more restrictive underwriting criteria in the cyber insurance market. Prior to 2020, rates were held in check by competition as the cyber insurance market grew and matured. Additionally, underwriting results were generally favourable, which attracted capacity to the line of business.
Loss ratios began to deteriorate in 2018 and 2019. In 2020, according to S&P Global, they shot up 25 points, or more than 72%, due substantially to a surge in ransomware events. In response, insurance premiums began to creep up in 2019 and increased more sharply in 2020 and 2021. “Market pricing” disappeared, with quotes for the same piece of business varying wildly from underwriter to underwriter, all of whom are underwriting from the same submission.
In addition to raising premiums, underwriters tightened criteria and increased their scrutiny of network security protocols. Carriers also reduced capacity on individual risks and on their aggregate portfolio exposures.
See the full report for more…