Allianz North American head of cyber Tresa Stephens has warned that “ransomware is back with a vengeance”.
“Because we're in this very interconnected IT landscape with so much reliance on outsourcing services to third parties, we've created this digital web infrastructure that can be impacted,” Stephens told Insurance Business.
Stephens also noted a proliferation of the “ransomware as service” groups, where sophisticated threat actors are selling kits for more novice hackers to carry out attacks on unsuspecting victims.
In an interview with Insurance Business, Stephens spoke about why mass ransomware attacks may be a game changer, why more threat actors are moving towards total data exfiltration attacks, and what are some future threats to be aware of.
Within the first quarter of 2023, ransomware attacks increased 143% globally per a new report conducted by Allianz Commercial.
Elsewhere, the total time it took to carry out an attack dropped from 60 days in 2019 to just four in 2021.
One of the most telling aspects of this is mass ransomware attacks, like what was witnessed with the MOVEit breach, is causing insurers to think about threat quite differently.
“Carriers are concerned with the enormity of the threat and its downstream impact,” Stephens said.
“I think for insurance it's changed the way that we look at our portfolios. It's changed the way that we look at what we can do to help our insurers manage their own risk and exposure.”
Rather than looking at threat in siloed spaces, carriers are concerned about the ecosystem that an insured is a part of.
“We're having more conversations with our customers around that knowledge sharing. And I do think that's because in our position in the value chain, as we see how things go wrong,” Stephens said.
“It's changed how we look at an individual risk, because we're not looking at individual risks anymore.”
The notion of data exfiltration through encryption and paying a ransom to receive that encryption key is a thing of the past as threat actors move to lower hanging fruits, according to Stephens.
“It's cheaper and less time consuming for a threat actor to come in and just steal all your information,” she said.
They are resorting to these measures because hackers understand that there are reputational risks, as well as regulatory and privacy concerns for companies that do not want to pay the money to avoid any legal or public scrutiny.
The proportion of cases in which data is exfiltrated increased from 40% in 2019 to 77% in 2022, with 2023 on course to surpass this, according to Allianz.
Additionally, the average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years.
“Companies are two and a half times as likely to pay a ransom where the data's been exfiltrated,” Stephens said. “Data is much more critical now, and threat actors understand this so they're going to go after stealing your sensitive information.”
When asked about what are some emerging threats that insurers are taking note of, Stephens said she would be remiss to note mention how generative AI and large language models are creating new possibilities.
“These technologies are creating more sophisticated phishing campaigns and voice simulation attacks,” she said.
“There's been cases of people wiring money because they're hearing the voice on the phone sounds exactly like their CEO.”
For threat actors, the warp speed that technology is progressing is providing better and more sophisticated opportunities to remain as a holistic threat across industries.
On the flip side, Stephens noted how there is a concerning lack of security professionals to help combat the increased risk of cyber attacks.
“There’s a dearth of individuals who are as dedicated to security measures as threat actors are to carrying out these campaigns and attacks,” Stephens said.
As a result, SMEs in the middle market space are relying on third party suppliers for services and security services, which we know creates many difficulties in keeping businesses safe.
“The threat landscape just keeps shifting with technology and evolving consumer privacy rights, evolving data, privacy regulations,” Stephens said.
“It feels like there's a lot of pressure and a lot of moving targets in cyber right now that companies are having to navigate.”