Cyber threats are rising in volume and severity around the world. As businesses of every size in every sector continue to fall foul of what is now a well-established criminal industry with attackers at every level of sophistication with varied tool-sets and motivations, our findings on cyber risk are binary: both shocking and heartening.

Shocking that according to our research, businesses see cyber as being as great a plague on business as Covid-19. Heartening that they feel well placed to anticipate and respond to the threat. Time will tell if such high levels of confidence are well placed, but for the moment at least there is almost a sense that if businesses survived 2020, they can survive anything.

Is the risk trend our friend?

There is an alarming trend in cyber threats. Both the targets and the attack vectors are evolving. Despite the worsening risk picture, businesses' sense of confidence around cyber risk is notable - it is the technology threat to which businesses feel most resilient, even as attacks seem to increase in number and sophistication.

The dark web is awash with stolen personal financial data and its value is diminishing. As a result, there is a shift towards using ransomware to target the operating systems and data of economically significant industries and national infrastructure. Rather than selling personal data on, ransomware threat actors rely on companies and governments needing to buy their own data back or to reclaim autonomy over their own operations.

There is also a growing trend towards 'double extortion' where ransomware threat actors blackmail their victims into paying to recover important data, and also to prevent the threat actor from releasing confidential company data (and the fact that the attack has occurred) into the public domain - either for financial gain or out of pure malice.

There used to be separation of systems and assets, with companies and economies operating independently and sharing information and data as needed. Increased global interconnectivity and the rise of a relatively small number of global 'software as a service' providers now risk exposing economies and businesses to the same threat at the same time.

Regional and sector differences on cyber risk are striking

Executives are acutely aware of the risks they face. The exposure of energy and utility businesses was highlighted recently by the attack on US company Colonial Pipeline - the largest fuel pipeline business in the US - which led to fuel shortages across the East Coast of the US. While the loss of personal credit card data is troubling for retailers and consumers, failure of infrastructure is on a different scale - inhibiting economic activity and inviting civil unrest.

Shifting attack modes may explain why 53% of US energy and utility businesses rank cyber their top risk, compared with only 27% in the UK. There is a similar large discrepancy in TMT, with 50% of US businesses ranking cyber top versus just 22% in the UK.

Overall, sectors which feel most exposed to cyber threats include energy and utilities, with 40% of businesses ranking this their top risk, followed by retail and technology, media and telecoms (TMT), both with 38% of companies ranking this risk top.

In 2021, the dependence on interconnected networks, cloud services and mission critical software delivered as a service has opened up organisations to exposures even when they have the best intentions with respect to cyber risk hygiene. In addition to daily discrete attacks launched against a single entity, recent ransomware attacks have exploited organisations’ reliance on routinely applying technology vendors’ system updates and software patches, simultaneously compromising thousands of customers’ systems.

Bob Wice, Head of Underwriting Management, Cyber & Tech, Beazley

40% of executives rank cyber as their top risk

Sector view on cyber risk
Percentage of UK and US companies ranking cyber risk top, 2021.

Experience breeds cyber resilience in retail and financial services

Industries that have the longest history of dealing with the cyber threat have learned from hard-won experience and tend to place greater confidence in their ability to mitigate and manage the risk than others. Retail, for example, is an industry which has been in cyber criminals’ sights for many years, with famous attacks on Target dating back to 2013 and TK Maxx even further to 2007. For retailers and financial services firms, a combination of experience, regulatory intervention and the threat of hefty penalties has served to ensure risk management is robust.

In the US, almost two thirds (65%) of retail leaders and over two thirds (69%) of financial and professional services leaders feel very prepared to anticipate and respond to cyber risk. In the UK, where data privacy regulation has been in place for a shorter period of time, these industries are notably less confident. Less than a third (28%) of financial and professional service leaders and only 32% of retail leaders feel very prepared to manage cyber risk in the UK.

All members of the cyber security community, including regulators, network security professionals, cyber insurers, brokers and risk managers, will need to collaborate to raise awareness and be prepared to combat the next global systemic threat.

Bob Wice, Head of Underwriting Management, Cyber & Tech, Beazley

Lack of funding undermines cyber confidence in the public sector, education, marine and warehousing

Overall, sectors which are far less resilient to cyber risk include public sector and education, hospitality, and marine and warehousing. This suggests that lower budgets in the case of public entities, and wafer-thin margins for private entities in these sectors, mean they simply do not have the funding to invest in adequate cyber risk protection, even if this is as basic as regular staff training and essential software upgrades - shortfalls in which remain some of the most common ways threat actors gain access to company systems. Companies in these sectors can also face difficulty in attracting and retaining talented information security professionals - a situation which is of concern given the growing propensity of state actors to attack these targets. In the US, only 31% of public sector and education leaders feel well prepared to manage cyber risk - five percentage points fewer than in the UK. In the UK, only 29% of marine and warehousing executives feel very prepared to manage cyber risk, 18 percentage points fewer than their US counterparts.

In 2020, attacks just from ransomware increased by 485% according to Bitdefender’s Consumer Threat Landscape report [2] and the incidence of malware rose 72% [3].

[2] Ransomware Attacks Grew by 485% in 2020 - Infosecurity Magazine (infosecurity-magazine.com)
[3] The Rise of Ransomware in the Era of Covid-19 (simplilearn.com)

We have seen a clear increase in both the severity and complexity of ransomware events, as cybercriminals seek to maximise the value of their attacks. Increasingly, in an effort to turn up the pressure on cyberextortion demands, cybercriminals are exfiltrating data and threatening to expose the theft. With this exfiltration now occurring in approximately 80% of cyberextortion incidents, the investigation process has become lengthier and more expensive, with a deep forensic dive often necessary to ensure compliance with regulatory and notification obligations.

Moving beyond attacks on individual organisations, cybercriminals have also targeted infrastructure and supply chains. The collateral impact of such attacks is significant, particularly in attacks against technology supply chains. In March 2021, for instance, the Microsoft Hafnium vulnerability caused the number of incidents reported to Beazley to spike by 74% compared to the monthly average for the rest of HY 2021.

Frank Quinn, Breach Response Manager, Beazley

Sector view on resilience to cyber risk
Percentage of US and UK companies feeling ‘very prepared’ to anticipate and respond to cyber risk in 2021.

US leaders continue to rate cyber risk and resilience more strongly than UK peers

Asked to look ahead to 2022, 32% of business leaders continue to rank cyber as their top risk, two percentage points lower than in 2021, but with a far higher preponderance of US leaders ranking tech risk top. In terms of resilience to cyber, as we look ahead, 44% of businesses feel very prepared to anticipate and manage the risk, but this finding is very nuanced. Just over a third (35%) of UK business leaders feel confident on cyber compared with over half (52%) in the US.