Following two years of high but stable loss activity, 2023 saw a worrying resurgence in ransomware and extortion losses, as the cyber threat landscape continues to evolve. Hackers are increasingly targeting IT and physical supply chains, launching mass cyber-attacks, and finding new ways to extort money from businesses, large and small. It’s little wonder that companies rank cyber risk as their top concern (36% of responses – 5% points ahead of the second top risk) and, for the first time, across all company sizes, large (>US$500mn annual revenue), mid-size ($100mn+ to $500mn), and smaller (<$100mn), as well.
It is the cause of business interruption that companies fear most, while cyber security resilience ranks as firms’ most concerning environmental, social, and governance (ESG) challenge. It is also the top company concern across a wide range of industries, including consumer goods, financial services, healthcare, and telecommunications, to name just a few.
By the start of the next decade, ransomware activity alone is projected to cost its victims $265bn annually [1]. Activity surged by 50% year-on-year during the first half of 2023 with so-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as $40, a key driver. Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four [2]. Ransomware claims activity was up by more than 50% year-on-year in 2023.
Most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage. Allianz Commercial’s analysis of large cyber losses (€1mn+) in recent years shows that the number of cases in which data is exfiltrated is increasing – doubling from 40% in 2019 to almost 80% in 2022, with 2023 activity tracking even higher.
“Protecting an organization against intrusion is a cat and mouse game, in which the cyber criminals have the advantage,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial. “Threat actors are now exploring ways to use artificial intelligence (AI) to automate and accelerate attacks, creating more effective malware and phishing. Combined with the explosion in connected mobile devices and 5G-enabled Internet of Things (IoT), the avenues for cyber-attacks look only likely to increase in future.”
AI adoption brings numerous opportunities and benefits, but also risk. Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. An increased utilization of AI by malicious actors in the future is to be expected, necessitating even stronger cyber security measures.
Voice simulation software has already become a powerful addition to the cyber criminal’s arsenal. Meanwhile, deepfake video technology designed and sold for phishing frauds can also now be found online, for prices as low as $20 per minute.
Lax security and the mixing of personal and corporate data on mobile devices, including smartphones, tablets, and laptops, is an attractive combination for cyber criminals. Allianz Commercial has seen a growing number of incidents caused by poor cyber security around mobile devices. During the pandemic many organizations enabled new ways of accessing their corporate network via private devices, without the need for multi-factor authentication (MFA). This also resulted in a number of successful cyber-attacks and large insurance claims.
“Criminals are now targeting mobile devices with specific malware to gain remote access, steal login credentials, or to deploy ransomware,” says Baviskar. “Personal devices tend to have less stringent security measures. Utilizing public wi-fi on such devices can increase their vulnerability, including exposure to phishing attacks via social media.”
The roll-out of 5G technology is also an area of potential concern if not managed appropriately, given it will power even more connected devices. However, many IoT devices do not have a good record when it comes to cyber security, are easily discoverable, and will not have MFA mechanisms, which, together with the addition of AI, presents a serious cyber threat.
The current global cyber security workforce gap stands at more than four million people [3], with demand growing twice as fast as supply. Gartner [4] predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025. Shortage of skilled workforce ranks joint #5 in the top concerns of the media sector and is a top 10 risk in technology in the Allianz Risk Barometer.
It is difficult to hire good cyber security engineers, and without skilled personnel, it is more difficult to predict and prevent incidents, which could mean more losses in the future. It also impacts the cost of an incident. Organizations with a high level of security skills shortage had a $5.36mn average data breach cost, around 20% higher than the actual average cost, according to the IBM Cost of a Data Breach Report 2023 [5].
Preventing a cyber-attack is therefore becoming harder, and the stakes are higher. As a result, early detection and response capabilities and tools are becoming ever more important. Investment in detection backed by AI should also help to catch more incidents earlier. If companies do not have effective early detection tools this can lead to longer unplanned downtime, increased costs and have a greater impact on customers, revenue and reputation.
The lion’s share of IT security budgets is currently spent on prevention with around 35% directed to detection and response.
“However, if undetected, an intrusion can quickly escalate, and once data is encrypted and / or stolen, the costs snowball – as much as 1,000 times higher than if an incident is detected and contained early. The difference between a €20,000 loss turning into a €20mn one,” explains Michael Daum, Global Head of Cyber Claims at Allianz Commercial.
“Looking forward, detection tools will be the next logical step for most companies to invest in. Ultimately, early detection and effective response capabilities will be key to mitigating the impact of cyber-attacks, as well as ensuring a sustainable cyber insurance market going forward.”
For smaller and mid-size companies (SMEs), the cyber risk threat has intensified because of their growing reliance on outsourcing for services, including managed IT and cyber security providers, given these firms lack the financial resources and in-house expertise of larger organizations.
As larger companies have ramped up their cyber protection, criminals have targeted smaller firms. SMEs are less able to withstand the business interruption consequences of a cyber-attack. If a small company with poor controls or inadequate risk management suffers a significant incident, there is a chance it might not survive.
“SMEs should remain vigilant and have a clear understanding of the risks involved and allocate ample resources in terms of personnel, IT infrastructure, and budget to implement the required security measures,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial.
“Initiating a conversation with an MSSP [Managed Security Service Provider] can serve as an excellent initial move, allowing for the creation of an IT budget and strategy tailored to the business’s specific priorities.”
Businesses can take a proactive approach to tackling cyber threats by ensuring their cyber security strategy identifies their most crucial information system assets. Then, they should deploy appropriate detection and monitoring software, both at the network perimeter and on end-points, often involving collaboration with cyber-security service partners, to uncover and nullify threats attempting to gain network access.
[1] Cybersecurity Ventures, Global ransomware damage costs to exceed $265 Billion by 2031, June 4, 2021
[2] IBM Security X-Force Threat Intelligence Index 2023
[3] ISC2 reveals growth in global cybersecurity workforce, but record-breaking gap of 4 million cybersecurity professionals looms, October 31, 2023
[4] Gartner, Gartner predicts nearly half of cybersecurity leaders will change jobs by 2025, February 22, 2023
[5] IBM Security, Cost Of A Data Breach Report 2023
Picture: Adobe Stock
Report
The most important corporate concerns for the year ahead, ranked by 3,069 risk management experts from 92 countries and territories.
Allianz Risk Barometer 2024 | Expert risk article
Climate change (18%) may be a non-mover year-on year at #7, but this risk’s importance is clearly also reflected in natural catastrophes’ rise in the rankings.
Global I Press release
Allianz Commercial publishes the 13th annual survey of key business risks around the world, according to 3000+ respondents.
Allianz Risk Barometer 2024 | Expert risk article
Business interruption (31%) retains its position as the second biggest threat in the 2024 survey.
Allianz Risk Barometer 2024 | Expert risk article
Protectionism is one of three paradigm shifts identified as being behind market developments (13%) rising to #9.
Allianz Risk Barometer 2024 | Expert risk article
Despite the ongoing uncertain global economic outlook, macroeconomic developments (19%), which ranked #3 last year, falls to #5 in 2024.
Allianz Risk Barometer 2024 | Expert risk article
Whether cyber-attack or flood, loss events tend to hit smaller and mid-size companies much harder, with longer periods of disruption.
Report
Our Allianz Commercial experts discuss the top risk trends boards of management need to guard against in 2024.
UK | Press release
Allianz Commercial announced the appointment of Sharanjit Chaggar as Head of Financial Lines for Large-Corp and Specialty in the UK.
Global I Press release
Petros Papanikolaou will succeed Joachim Müller as CEO of Allianz Global Corporate & Specialty SE and Allianz Commercial.
Magazine
We’re discussing the burning issues and emerging exposures in global risk management, designed to help you navigate through eventful times.
Expert risk article
SMEs are more vulnerable to economic shocks and the impacts of business interruption than larger companies, with cyber-crime rising.
Expert risk article
Allianz risk and technology experts share insights about the company’s own plans to explore its potential responsibly and creatively.
Report
This report highlights the latest cyber threats and risk mitigation best practice – before, during and after a hack.
Global | Press release
New Allianz Commercial cyber report: Detection and response tools increasingly important as cyber claims surge.
