Cybercrime is an ever-evolving beast. Over the past 20 years, hackers have changed their tactics time and time again, finding multiple ways to monetise their illegal access to corporate networks.
It used to be that criminals would steal the actual computer hardware – for example, snatching a laptop from a travelling businessperson – which they would then use to access corporate systems and authorise fraudulent actions, before stripping the machine of any sensitive data (passwords, contacts etc.). Then they moved on to targeting entire computer resources – the term used to describe all computer hardware, software, communications devices, facilities, equipment, networks, passwords, licensing and attendant policies, manuals and guides – again with the idea of exploiting and monetising whatever possible.
After that, cybercriminals realised the potential in stealing and selling personally identifiable information (PII). In 2013, US retail giant Target fell victim to a data breach in which it lost 40 million payment card credentials and 70 million customer records at the height of the Christmas holiday season. The following year, fellow retail juggernaut Home Depot suffered an even bigger breach, whereby hackers infiltrated the retailer’s point-of-sale system and stole more than 50 million customer credit card numbers and 53 million email addresses.
Once the cybersecurity industry got to grips with how to protect and secure PII, hackers changed their tactics once again and started plaguing businesses with ransomware – a quick and easy way for cybercriminals to make money by encrypting the important files of vulnerable individuals or corporations and demanding payment for decryption. Since 2017, hackers have achieved tremendous success by weaponising ransomware, to the extent that they are now demanding multi-million-dollar ransoms in cryptocurrency from large organisations.
“We see the threat vectors changing and evolving. We see new threat actors. We see increasing ransomware demands, and new exploits as well,” said Brad Gow, global cyber product leader, Sompo International. “Whereas a year ago, the attacks were limited to the encryption of corporate networks, now, something like 70% or 80% of attacks also involve the exfiltration of data. So, even in the event that the ransomware victim can restore from the backups they have on hand, the threat actors still have a vehicle by which they can try and continue the extortion.”
Cyber underwriters have responded to the recent surge in frequency and severity of ransomware attacks in multiple ways, according to Gow. Many markets are offering lower limits to control their exposure, because oftentimes ransomware claims become full-limit losses on cyber policies.
“Rates have gone up, and the underwriting controls that carriers are now mandating have gotten a lot more robust,” Gow added. “I think that is where the insurance industry can really add value to the corporate market. By settling on some established standards around insurability, we can ensure that everyone is in a better position to fight ransomware and other cyber threats.”
Another big issue that companies and insurers have to figure out is whether to actually pay ransoms for data decryption, especially if threat actors are ‘double extorting’ victims by selling or auctioning the stolen data anyway.
Gow commented: “There’s been a slight change in the dynamic in that two or three years ago, the ransomware gangs were concerned about their reputation, and they knew they wouldn’t get paid unless they performed and provided decryption keys. So, customer service was kind of the watchword, but over the past six to nine months, so many of these attacks have moved to a ransomware-as-a-service (RaaS) dynamic, so the threat actor that’s actually performing the extortion is just borrowing all of the underlying technology, code and services. And so, with those groups, there’s no honour among thieves, and you really have to be careful.”