Why is cyber risk a relevant topic for discussion and analysis? The answer lies in several key figures, as outlined by Gerry Glombicki, director at Fitch Ratings, at a recent webinar that explored current trends in the cyber insurance market. Among these is McAfee’s revelation that the global cost of cyber crime topped $1 trillion (around £0.72 trillion) in 2020, up almost 50% from 2018. Meanwhile, the average total cost of a breach in 2021 is about $4.24 million (around £3.07 million), up 10% from the prior year.
“It took, on average, about 287 days to identify and contain a data breach in 2021, up seven days from the prior year,” he said. “The average total cost of a ransomware breach was about $4.62 million (around £3.35 million) in 2021 according to IBM/Ponemon. CrowdStrike has said ransomware has increased over 400%, and costs and incidents are expected to increase further over the near term.
“Several other statistics to make you not sleep at night are that 85% of data breaches involve a human element, according to a Verizon report, and 61% of breaches involve hackers’ use of employees’ credentials… Most companies didn’t even know they were breached, and 80% of breaches were discovered by external third parties. In terms of multi-factor authentication, 57% of businesses actually use them according to LastPass. And in Q2 2021, EY did a survey of cybersecurity leaders and found 36% thought that it was only a matter of time before they suffer a serious breach.”
These eye-catching statistics reveal the full depth and breadth of cyber risk and highlight that it is not likely to be falling off the radar of risk managers any time soon. Ransomware remains a key concern for many businesses, particularly due to the changing trends being seen in this space. Glombicki highlighted that recently ransomware has moved from being a “confidentiality” problem (where a threat actor takes your files and threatens to leak them) to an “availability” problem (where a threat actor seeks to prevent you from doing your work).
“Three notable events in 2021 have changed how individual companies and governments are looking at this risk as well,” he said. “The first was Colonial Pipeline in May of 2021, then JBS in June of 2021, and Kaseya in July of 2021. These no longer just attacked the single business, but actually attacked the broader supply chain, which definitely got the attention of regulators and policymakers and had people looking at this as a more serious event.”
One of the key takeaways from cyberattacks in recent years has been that no industry is immune, Glombicki said. While certain industries may be targeted more often, everyone is a viable target. He highlighted that research shows that while RDP compromise remains a key source of exposure, email phishing and employee awareness are also a growing threat. However, an effective approach will see each of these factors addressed in concert with each other.
“The increase in ransomware attacks has been a wake-up call to boards of directors and senior leadership,” he said. “It has definitely gotten the attention of governments and law enforcement. And even at the policy levels, they’re starting to talk about the role of cryptocurrencies and if cyber insurers can even pay a ransom, or if companies can pay a ransom and what sort of penalties there could be. So, it’s being talked about in multi-levels, and [everybody] is not necessarily speaking with the same voice so [if] people can actually get together and provide a comprehensive solution, that would certainly be better for the overall participants.”
Glombicki highlighted the coalition that cyber insurers have formed to help address the ever-evolving spectre of cyber risk: CyberAcuView, a consortium made up of AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance, and Travelers.
He noted that it’s important to recognise that this coalition operates under strict anti-trust review and guidance to ensure that it can gather and utilise better data for a variety of outcomes – including improving the industry’s understanding of systemic cyber risk threat. This is an example of the insurance industry coming together, he said, to get a better understanding of this risk, to share this risk and to champion transparency and more data which leads to better information.
“This is a step in the right direction that several participants are doing,” he said, “and they’re also trying to look to grow the number of participants so it is interesting to see its development.”