Allianz Risk Barometer 2024 -
Rank 1: Cyber incidents

Expert risk article | January 2024
Cyber incidents such as ransomware attacks, data breaches, and IT disruptions, rank as the top global risk in the Allianz Risk Barometer – and by a clear margin for the first time. What are the main trends set to drive cyber activity in 2024?
The most important corporate concerns for the year ahead, ranked by 3,069 risk management experts from 92 countries and territories.

Following two years of high but stable loss activity, 2023 saw a worrying resurgence in ransomware and extortion losses, as the cyber threat landscape continues to evolve. Hackers are increasingly targeting IT and physical supply chains, launching mass cyber-attacks, and finding new ways to extort money from businesses, large and small. It’s little wonder that companies rank cyber risk as their top concern (36% of responses – 5% points ahead of the second top risk) and, for the first time, across all company sizes, large (>US$500mn annual revenue), mid-size ($100mn+ to $500mn), and smaller (<$100mn), as well.

It is the cause of business interruption that companies fear most, while cyber security resilience ranks as firms’ most concerning environmental, social, and governance (ESG) challenge. It is also the top company concern across a wide range of industries, including consumer goods, financial services, healthcare, and telecommunications, to name just a few.

Ranking history globally:

  • 2023: 1 (34%)
  • 2022: 1 (44%)
  • 2021: 3 (40%)
  • 2020: 1 (39%)
  • 2019: 2 (37%)

Top risk in:

  • Argentina
  • Australia
  • Austria
  • Belgium
  • France
  • Germany
  • India
  • Italy
  • Japan
  • Kenya
  • Mauritius
  • Nigeria
  • Portugal
  • Switzerland
  • Uganda
  • UK
  • USA

By the start of the next decade, ransomware activity alone is projected to cost its victims $265bn annually [1]. Activity surged by 50% year-on-year during the first half of 2023 with so-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as $40, a key driver. Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four [2]. Ransomware claims activity was up by more than 50% year-on-year in 2023.

Most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage. Allianz Commercial’s analysis of large cyber losses (€1mn+) in recent years shows that the number of cases in which data is exfiltrated is increasing – doubling from 40% in 2019 to almost 80% in 2022, with 2023 activity tracking even higher.

“Protecting an organization against intrusion is a cat and mouse game, in which the cyber criminals have the advantage,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial. “Threat actors are now exploring ways to use artificial intelligence (AI) to automate and accelerate attacks, creating more effective malware and phishing. Combined with the explosion in connected mobile devices and 5G-enabled Internet of Things (IoT), the avenues for cyber-attacks look only likely to increase in future.”

Source: Allianz Risk Barometer 2024.
Total number of respondents: 1,112. Respondents could select more than one risk. Top four answers.
Data breach is the cyber exposure of most concern, according to Allianz Risk Barometer respondents, followed by cyber-attacks on critical infrastructure and physical assets and the increase in ransomware attacks. In the context of turbulent geopolitics and the ever-deepening reliance on digital devices, the potential shutdown of critical infrastructure is likely to become a much more concerning risk for businesses in future, respondents believe.

AI adoption brings numerous opportunities and benefits, but also risk. Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. An increased utilization of AI by malicious actors in the future is to be expected, necessitating even stronger cyber security measures.

Voice simulation software has already become a powerful addition to the cyber criminal’s arsenal. Meanwhile, deepfake video technology designed and sold for phishing frauds can also now be found online, for prices as low as $20 per minute.

Lax security and the mixing of personal and corporate data on mobile devices, including smartphones, tablets, and laptops, is an attractive combination for cyber criminals. Allianz Commercial has seen a growing number of incidents caused by poor cyber security around mobile devices. During the pandemic many organizations enabled new ways of accessing their corporate network via private devices, without the need for multi-factor authentication (MFA). This also resulted in a number of successful cyber-attacks and large insurance claims.

“Criminals are now targeting mobile devices with specific malware to gain remote access, steal login credentials, or to deploy ransomware,” says Baviskar. “Personal devices tend to have less stringent security measures. Utilizing public wi-fi on such devices can increase their vulnerability, including exposure to phishing attacks via social media.”

The roll-out of 5G technology is also an area of potential concern if not managed appropriately, given it will power even more connected devices. However, many IoT devices do not have a good record when it comes to cyber security, are easily discoverable, and will not have MFA mechanisms, which, together with the addition of AI, presents a serious cyber threat.

The current global cyber security workforce gap stands at more than four million people [3], with demand growing twice as fast as supply. Gartner [4] predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025. Shortage of skilled workforce ranks joint #5 in the top concerns of the media sector and is a top 10 risk in technology in the Allianz Risk Barometer.

It is difficult to hire good cyber security engineers, and without skilled personnel, it is more difficult to predict and prevent incidents, which could mean more losses in the future. It also impacts the cost of an incident. Organizations with a high level of security skills shortage had a $5.36mn average data breach cost, around 20% higher than the actual average cost, according to the IBM Cost of a Data Breach Report 2023 [5].

Preventing a cyber-attack is therefore becoming harder, and the stakes are higher. As a result, early detection and response capabilities and tools are becoming ever more important. Investment in detection backed by AI should also help to catch more incidents earlier. If companies do not have effective early detection tools this can lead to longer unplanned downtime, increased costs and have a greater impact on customers, revenue and reputation.

The lion’s share of IT security budgets is currently spent on prevention with around 35% directed to detection and response.

“However, if undetected, an intrusion can quickly escalate, and once data is encrypted and / or stolen, the costs snowball – as much as 1,000 times higher than if an incident is detected and contained early. The difference between a €20,000 loss turning into a €20mn one,” explains Michael Daum, Global Head of Cyber Claims at Allianz Commercial.

“Looking forward, detection tools will be the next logical step for most companies to invest in. Ultimately, early detection and effective response capabilities will be key to mitigating the impact of cyber-attacks, as well as ensuring a sustainable cyber insurance market going forward.”

For smaller and mid-size companies (SMEs), the cyber risk threat has intensified because of their growing reliance on outsourcing for services, including managed IT and cyber security providers, given these firms lack the financial resources and in-house expertise of larger organizations.

As larger companies have ramped up their cyber protection, criminals have targeted smaller firms. SMEs are less able to withstand the business interruption consequences of a cyber-attack. If a small company with poor controls or inadequate risk management suffers a significant incident, there is a chance it might not survive.

“SMEs should remain vigilant and have a clear understanding of the risks involved and allocate ample resources in terms of personnel, IT infrastructure, and budget to implement the required security measures,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial.

“Initiating a conversation with an MSSP [Managed Security Service Provider] can serve as an excellent initial move, allowing for the creation of an IT budget and strategy tailored to the business’s specific priorities.”

Businesses can take a proactive approach to tackling cyber threats by ensuring their cyber security strategy identifies their most crucial information system assets. Then, they should deploy appropriate detection and monitoring software, both at the network perimeter and on end-points, often involving collaboration with cyber-security service partners, to uncover and nullify threats attempting to gain network access.

[1] Cybersecurity Ventures, Global ransomware damage costs to exceed $265 Billion by 2031, June 4, 2021
[2] IBM Security X-Force Threat Intelligence Index 2023
[3] ISC2 reveals growth in global cybersecurity workforce, but record-breaking gap of 4 million cybersecurity professionals looms, October 31, 2023
[4] Gartner, Gartner predicts nearly half of cybersecurity leaders will change jobs by 2025, February 22, 2023
[5] IBM Security, Cost Of A Data Breach Report 2023
