Following two years of high but stable loss activity, 2023 saw a worrying resurgence in ransomware and extortion losses as the cyber threat landscape continues to evolve. Hackers are increasingly targeting IT and physical supply chains, launching mass cyber-attacks, and finding new ways to extort money from businesses, large and small. It’s little wonder that companies rank cyber risk as their top concern (36% of responses, 5 percentage points ahead of the second top risk) and that, for the first time, it is the top concern across all company sizes: large (>US$500mn annual revenue), mid-size ($100mn+ to $500mn), and smaller (<$100mn).
Cyber incidents are the cause of business interruption that companies fear most, while cyber security resilience ranks as firms’ most concerning environmental, social, and governance (ESG) challenge. Cyber risk is also the top company concern across a wide range of industries, including consumer goods, financial services, healthcare, and telecommunications, to name just a few.
Allianz Risk Barometer 2024
Cyber incidents: → Rank 1 (36%)
Ranking history globally:
- 2023: 1 (34%)
- 2022: 1 (44%)
- 2021: 3 (40%)
- 2020: 1 (39%)
- 2019: 2 (37%)
Top risk in:
- Argentina
- Australia
- Austria
- Belgium
- France
- Germany
- India
- Italy
- Japan
- Kenya
- Mauritius
- Nigeria
- Portugal
- Switzerland
- Uganda
- UK
- USA
Ransomware on the rise
By the start of the next decade, ransomware activity alone is projected to cost its victims $265bn annually [1]. Activity surged by 50% year-on-year during the first half of 2023 with so-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as $40, a key driver.
Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four [2]. Ransomware claims activity was up by more than 50% year-on-year in 2023.
Most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage. Allianz Commercial’s analysis of large cyber losses (€1mn+) in recent years shows that the number of cases in which data is exfiltrated is increasing – doubling from 40% in 2019 to almost 80% in 2022, with 2023 activity tracking even higher.
“Protecting an organization against intrusion is a cat and mouse game, in which the cyber criminals have the advantage,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial. “Threat actors are now exploring ways to use artificial intelligence (AI) to automate and accelerate attacks, creating more effective malware and phishing. Combined with the explosion in connected mobile devices and 5G-enabled Internet of Things (IoT), the avenues for cyber-attacks look only likely to increase in future.”
Data breach is the cyber exposure of most concern, according to Allianz Risk Barometer respondents, followed by cyber-attacks on critical infrastructure and physical assets and the increase in ransomware attacks. In the context of turbulent geopolitics and the ever-deepening reliance on digital devices, the potential shutdown of critical infrastructure is likely to become a much more concerning risk for businesses in future, respondents believe.
The power of AI (to accelerate cyber-attacks)
AI adoption brings numerous opportunities and benefits but also risks. Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. An increased utilization of AI by malicious actors in the future is to be expected, necessitating even stronger cyber security measures.
Voice simulation software has already become a powerful addition to the cyber criminal’s arsenal. Meanwhile, deepfake video technology designed and sold for phishing frauds can also now be found online for prices as low as $20 per minute.
Mobile devices expose data.
Lax security and the mixing of personal and corporate data on mobile devices, including smartphones, tablets, and laptops, is an attractive combination for cybercriminals. Allianz Commercial has seen a growing number of incidents caused by poor cyber security around mobile devices. During the pandemic, many organizations enabled new ways of accessing their corporate network via private devices without the need for multi-factor authentication (MFA). This also resulted in a number of successful cyber-attacks and large insurance claims.
“Criminals are now targeting mobile devices with specific malware to gain remote access, steal login credentials, or to deploy ransomware,” says Baviskar. “Personal devices tend to have less stringent security measures. Utilizing public wi-fi on such devices can increase their vulnerability, including exposure to phishing attacks via social media.”
The roll-out of 5G technology is also an area of potential concern if not managed appropriately, given it will power even more connected devices. However, many IoT devices do not have a good record when it comes to cyber security, are easily discoverable, and will not have MFA mechanisms, which, together with the addition of AI, presents a serious cyber threat.
Security skills shortage a factor in incidents
The current global cyber security workforce gap stands at more than four million people [3], with demand growing twice as fast as supply. Gartner [4] predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025. Shortage of skilled workforce ranks joint #5 in the top concerns of the media sector and is a top 10 risk in technology in the Allianz Risk Barometer.
It is difficult to hire good cyber security engineers, and without skilled personnel, it is more difficult to predict and prevent incidents, which could mean more losses in the future. It also impacts the cost of an incident. Organizations with a high level of security skills shortage had a $5.36mn average data breach cost, around 20% higher than the actual average cost, according to the IBM Cost of a Data Breach Report 2023 [5].
Early detection is key.
Preventing a cyber-attack is, therefore, becoming harder, and the stakes are higher. As a result, early detection and response capabilities and tools are becoming ever more important. Investment in detection backed by AI should also help to catch more incidents earlier. If companies do not have effective early detection tools, this can lead to longer unplanned downtime, increased costs, and a greater impact on customers, revenue and reputation.
The lion’s share of IT security budgets is currently spent on prevention with around 35% directed to detection and response.
“However, if undetected, an intrusion can quickly escalate, and once data is encrypted and / or stolen, the costs snowball – as much as 1,000 times higher than if an incident is detected and contained early. The difference between a €20,000 loss turning into a €20mn one,” explains Michael Daum, Global Head of Cyber Claims at Allianz Commercial.
“Looking forward, detection tools will be the next logical step for most companies to invest in. Ultimately, early detection and effective response capabilities will be key to mitigating the impact of cyber-attacks, as well as ensuring a sustainable cyber insurance market going forward.”
SMEs the increasing sweet spot
For smaller and mid-size companies (SMEs), the cyber risk threat has intensified because of their growing reliance on outsourcing for services, including managed IT and cyber security providers, given these firms lack the financial resources and in-house expertise of larger organizations.
As larger companies have ramped up their cyber protection, criminals have targeted smaller firms. SMEs are less able to withstand the business interruption consequences of a cyber-attack. If a small company with poor controls or inadequate risk management suffers a significant incident, there is a chance it might not survive.
“SMEs should remain vigilant and have a clear understanding of the risks involved and allocate ample resources in terms of personnel, IT infrastructure, and budget to implement the required security measures,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial.
“Initiating a conversation with an MSSP [Managed Security Service Provider] can serve as an excellent initial move, allowing for the creation of an IT budget and strategy tailored to the business’s specific priorities.”
Businesses can take a proactive approach to tackling cyber threats by ensuring their cyber security strategy identifies their most crucial information system assets. Then, they should deploy appropriate detection and monitoring software, both at the network perimeter and on end-points, often involving collaboration with cyber-security service partners, to uncover and nullify threats attempting to gain network access.