When the COVID-19 pandemic hit the U.S. in March 2020, workflows and routines around the country changed irrevocably. Companies started using the internet as the single, fundamental binding agent between all branches within an organization. The pandemic accelerated and finalized a process that was already well underway: the movement of almost all work into a digital space.
With this total reliance on virtual communication came a proportional increase in cybercrime. Just two months after the beginning of the pandemic, in May of 2020, the U.N. disarmament chief reported, "Cybercrime is also on the rise, with a 600% increase in malicious emails during the current crisis."1 Cybercrime is expected to cost the world a total of $10.5 trillion by 2025,2 up from $3 trillion in 2015.
Rising Incidence of Ransomware Attacks
Ransomware attacks, in particular, are increasingly frequent. A ransomware attack is a hack that restricts a company's access to their own vital data or systems until a ransom has been paid, rendering large swaths of essential company data unrecoverable. Even when the ransom is paid, companies rarely recover their information.
These attacks are becoming harder for organizations to defend against, and in many cases, companies don't even know they've been hacked until the aggressors contact them with the ransom note. Further fueling the crisis are Ransomware-as-a-Service (RaaS) groups3 that sell access to simple ransomware software that unskilled hackers can use against even well-defended companies. Hacker groups are becoming better organized and better funded, allowing them to develop stronger tactics.
In 2021, the [Internet Crime Complaint Center] received 3,729 complaints identified as ransomware with adjusted losses of more than $49.2 million.
Rising Supply Chain Attacks
Outsourcing software needs has made it easier for hackers to access information. As more organizations switch to software-as-a-service (SaaS) models for programs, tools and even their entire internal communication system, more data is being shared by more companies. It's not that these new systems or programs are inherently more susceptible to attack — in fact, many offer stronger security than ever. The issue is that as more companies start to rely on other software companies to facilitate their systems and communications, they end up sharing much of their data with their new partners. Having confidential data stored in more than one location automatically increases the risk of a breach, simply by creating another access point.
Attacks that take advantage of this distribution of data are known as supply chain attacks, or third-party attacks. According to a 2022 report,4 62% of companies surveyed experienced a software supply chain attack in the last year. More than half — 54% — of the respondents indicated that they're focused on securing the software supply chain. Only 3% said supply chain security isn't a propriety at all.
What Can Organizations Do to Limit Their Risk?
As hacks continue to ramp up, there's no question that organizations around the world are subject to more risk than ever before. But what can we do to mitigate risk, both on a macro and micro scale?
At the international level, increased coordination between governments and companies would alleviate some of the risk. Some experts have called for an international treaty on cybercrime and ransomware.5 Because many attacks that companies in the U.S. experience come from overseas — and often are sponsored by foreign governments — a top-down approach to cutting down on cybercrime could deter some of the criminal activity.
While diplomatic commitment to cracking down on crime won't solve the entire problem, even a small reduction in the volume of attacks could allow organizations to develop more sophisticated infrastructure to defend themselves. Given that a large proportion of attacks come from a small numbers of countries, a commitment to prosecute some of these hackers could be an effective deterrence method.
In the case of ransomware, some experts have suggested creating a commitment not to pay ransoms. Because data is so often not recovered, even when the ransom is paid, they contend that a ban on paying ransoms completely could deter hackers from continuing attacks. At best, refusal to pay ransoms could be part of a larger effort to make attacks unprofitable for hackers everywhere, hopefully shifting the balance of risk and reward for potential criminals.
The U.S. cyber insurance market is at a standoff. As coverage demand continues to accelerate, coverage supply has put on the brakes.
Of course, better internal security practices and more stringent vetting of companies can help executives decrease their organization's risk. But there's also a quickly growing need for cyber insurance that both helps companies defend against attacks and supports them when they've been hit.6
Understanding Risk and Preparing for Unavoidable Attacks
The field of cybercrime insurance is growing extremely fast, as agents rush to adjust to a current underwriting imbalance. As cloud-based technology becomes more prevalent, hackers will continue to find novel ways to exploit it. Additionally, each type of business is vulnerable to cybercrime in different ways. Organizations in the medical field often store large amounts of patient data on cloud based drives, while tech companies might store customer data on internal servers that are vulnerable to an entirely different type of attack. Assessing your client's type and level of cyber risk can help you protect organizations and act as an advisor to those at the highest risk levels.
Regardless of the security level of an organization, it's likely that eventually an attack will breach their system. When the breach happens, having comprehensive cybercrime insurance is a game changer. Many cyber insurance companies are also actively working with cyber security companies to bundle services to help prevent attacks. Agents who recognize this rise in cybercrime and want to help companies mitigate these new costs of doing business may find themselves in a strong position.
Sources
1The Associate Press. "The Latest: UN Warns Cybercrime on Rise During Pandemic," AP News, 22 May 2020.
2Morgan , Steve. "Cybercrime to Cost the World $10.5 Trillion Annually by 2025," Cybercrime Magazine, 13 Nov 2020.
3Baker, Kurt. "Ransomware as a Service (Raas) Explained," Crowdstrike, 7 Feb 2022.
4"2022 Security Trends: Software Supply Chain Survey," Anchore, 19 Jan 2022.
5Schiappa, Daniel. "The Ransomware Crisis Is Getting Worse," Forbes, 12 Aug 2021.
6Thompson, Caroline. "How Cyber Underwriters Can Better Respond to the Current Cyber Pandemic," Security Magazine, 22 Dec 2021.
