�鶹��ýapp

Following two years of high but stable loss activity, 2023��saw a worrying resurgence in ransomware and extortion��losses, as the cyber threat landscape continues to evolve.��Hackers are increasingly targeting IT and physical supply��chains, launching mass cyber-attacks, and finding new��ways to extort money from businesses, large and small. It’s��little wonder that companies rank cyber risk as their top��concern (36% of responses – 5% points ahead of the second��top risk) and, for the first time, across all company sizes,��large (>US$500mn annual revenue), mid-size ($100mn+ to��$500mn), and smaller (<$100mn), as well.

It is the cause of business interruption that companies fear��most, while cyber security resilience ranks as firms’ most��concerning environmental, social, and governance (ESG)��challenge. It is also the top company concern across a wide��range of industries, including consumer goods, financial��services, healthcare, and telecommunications, to name just��a few.

By the start of the next decade, ransomware activity alone��is projected to cost its victims $265bn annually [1]. Activity��surged by 50% year-on-year during the first half of 2023��with so-called Ransomware-as-a-Service (RaaS) kits,��where prices start from as little as $40, a key driver. Gangs��are also carrying out more attacks faster, with the average��number of days taken to execute one falling from around��60 days in 2019 to four [2]. Ransomware claims activity was up by more than 50% year-on-year in 2023.

Most ransomware attacks now involve the theft of personal��or sensitive commercial data for the purpose of extortion,��increasing the cost and complexity of incidents, as well as��bringing greater potential for reputational damage. �鶹��ýapp��Commercial’s analysis of large cyber losses (€1mn+) in��recent years shows that the number of cases in which data��is exfiltrated is increasing – doubling from 40% in 2019 to��almost 80% in 2022, with 2023 activity tracking even higher.��

“Protecting an organization against intrusion is a cat��and mouse game, in which the cyber criminals have the��advantage,” says Rishi Baviskar, Global Head of Cyber��Risk Consulting, �鶹��ýapp Commercial. “Threat actors are��now exploring ways to use artificial intelligence (AI) to��automate and accelerate attacks, creating more effective��malware and phishing. Combined with the explosion in��connected mobile devices and 5G-enabled Internet of��Things (IoT), the avenues for cyber-attacks look only likely��to increase in future.”

Lax security and the mixing of personal and corporate��data on mobile devices, including smartphones, tablets,��and laptops, is an attractive combination for cyber��criminals. �鶹��ýapp Commercial has seen a growing number��of incidents caused by poor cyber security around mobile��devices. During the pandemic many organizations enabled��new ways of accessing their corporate network via private��devices, without the need for multi-factor authentication��(MFA). This also resulted in a number of successful cyber-attacks��and large insurance claims.��

“Criminals are now targeting mobile devices with specific��malware to gain remote access, steal login credentials, or��to deploy ransomware,” says Baviskar. “Personal devices��tend to have less stringent security measures. Utilizing��public wi-fi on such devices can increase their vulnerability,��including exposure to phishing attacks via social media.”

The roll-out of 5G technology is also an area of potential��concern if not managed appropriately, given it will��power even more connected devices. However, many��IoT devices do not have a good record when it comes to cyber security, are easily discoverable, and will not have��MFA mechanisms, which, together with the addition of AI,��presents a serious cyber threat.

The current global cyber security workforce gap stands at��more than four million people [3], with demand growing twice as��fast as supply. Gartner [4] predicts that a lack of talent or human��failure will be responsible for over half of significant cyber��incidents by 2025. Shortage of skilled workforce ranks joint #5��in the top concerns of the media sector and is a top 10 risk in��technology in the �鶹��ýapp Risk Barometer.��

It is difficult to hire good cyber security engineers, and without��skilled personnel, it is more difficult to predict and prevent��incidents, which could mean more losses in the future. It also��impacts the cost of an incident. Organizations with a high��level of security skills shortage had a $5.36mn average data��breach cost, around 20% higher than the actual average cost,��according to the IBM Cost of a Data Breach Report 2023 [5].

Preventing a cyber-attack is therefore becoming harder,��and the stakes are higher. As a result, early detection and��response capabilities and tools are becoming ever more��important. Investment in detection backed by AI should also��help to catch more incidents earlier. If companies do not��have effective early detection tools this can lead to longer��unplanned downtime, increased costs and have a greater��impact on customers, revenue and reputation.

The lion’s share of IT security budgets is currently spent on��prevention with around 35% directed to detection and response.��

“However, if undetected, an intrusion can quickly escalate, and��once data is encrypted and / or stolen, the costs snowball – as��much as 1,000 times higher than if an incident is detected��and contained early. The difference between a €20,000 loss��turning into a €20mn one,” explains Michael Daum, Global��Head of Cyber Claims at �鶹��ýapp Commercial.

“Looking forward, detection tools will be the next logical��step for most companies to invest in. Ultimately, early��detection and effective response capabilities will be key to��mitigating the impact of cyber-attacks, as well as ensuring a��sustainable cyber insurance market going forward.”