So, what did we learn about cyber risks in 2020?

The year 2020 was unlike any other we’ve ever seen. In addition to a global pandemic, unemployment and social unrest, the cyber world experienced significant developments that will impact the years to come. Here are five things we learned…

First, ransomware events didn’t slow down in 2020. Instead, things got worse, a lot worse. The market experienced a substantial increase in the volume and severity of attacks, along with an increase in the ransom amounts demanded. The Bitdefender Mid-Year Threat Landscape Report 2020 highlights a seven-fold year-on-year increase in ransomware reports, while according to the Ponemon Institute, the average cost of a ransomware attack is $4.44m. Alongside the ransom demand itself, the interruption to business activity, including costs to restore systems, has had a material impact on the overall cost of the average incident.

These increases were caused by several factors. Covid-19-themed phishing emails became an effective means of penetrating network security. Throughout the pandemic, fear of Covid-19, social isolation and more time on the computer gave hackers plenty of material to create clickbait. This notice from the US government – FinCEN Notice, FIN-2020-NTC4, 28 December 2020 – is an example of the concerns over these attacks. Ransomware became a commodity; more threat actors were involved than ever before and distribution of malware exploded. For a criminal it became a perfect business: carried out from anywhere in the world, ransoms paid into untraceable Bitcoin accounts, and increasing ransom amounts paid by nervous businesses. For more on this, click here.

Second, network security grew more complicated. A surge in working-from-home employees stressed company networks and gave IT executives headaches as they tried to manage and secure their company’s infrastructure. To top it off, cyber threats kept evolving. In the recent past, most companies were concerned with securing their data. In 2020, that challenge remained but became linked with the task of fighting ransomware attacks. As hackers became more sophisticated, regulation, enforcement and protection tried to keep up.

To meet these challenges, CIOs needed help and additional funding to build better, more secure, networks, as outlined here. Costs involved in the management of compliance and financial protection for internal cybersecurity rocketed as firms built bigger and more knowledgeable cyber teams to protect their assets. The 2021 Global Digital Trust Insights from PwC provides some examples of this.

The financial challenges companies faced as a result of Covid-19 prohibited the expansion of IT budgets in 2020, and in some firms budgets were reduced. As the growth of cybercrime accelerates, this portends challenging times for IT executives.

Third, governments took a more active role in the enforcement and regulation of cyber risks.

Regulation

In Europe in 2018, the General Data Protection Regulation (GDPR) was launched to create standardisation across the EU, providing greater control of a person’s data by individuals, instituting fines and penalties against companies that violated the GDPR, and creating stricter reporting requirements. The focus of regulation in Europe, at least in terms of the GDPR, has been on creating secure and responsible IT platforms. It is not so much about sanctions and terrorists, but more about the accountability of organisations to protect their data and report breaches promptly.

Other cyber regulations across the globe have been passed in recent years. In the US, the California Consumer Privacy Act created the beginning of a strong state regulatory framework. The Federal Information Security Act (FISMA) and FISMA2014 require individual federal agencies to adopt certain procedures to ensure cybersecurity.

In Asia in 2015, Indonesia and Singapore each introduced cyber agencies, while Japan enacted the Cyber Security Basic Act. In 2020, Brazil enacted the Lei Geral de Proteção de Dados (LGPD), which was closely modelled on the GDPR.

Enforcement

This year, even before the attack on SolarWinds, the US Treasury’s Office of Foreign Assets Control (OFAC) issued a 1 October advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities”. OFAC observed that companies involved in facilitating ransomware payments on behalf of victims should consider whether they have regulatory obligations under the Financial Crimes Enforcement Network regulations.

The advisory did not change any previous guidance in relation to ransomware events. Rather, it was a reminder to US companies and cyber insurers that the existing US regulatory framework applied to ransomware events.

Enforcement under the GDPR has been very active, and fines involving data protection have increased. More than 220 fines were handed out for GDPR violations during the first ten months of 2020, with the total amount of fines issued exceeding €175m. In 2020, Google received the biggest fine (€50m).

Fourth, cyber is an interconnected global risk. There have been many calls for global standards and better regulation – businesses need clarity to operate efficiently. But because the cyber world is constantly changing, that world is hard to regulate. Regulations written today may not address emerging issues in two years. As cyber problems become multijurisdictional, data breaches and attacks must be reported in many different jurisdictions, each having their own regulations and reporting timeframes.

Global regulatory standards are in their infancy, and governments are at different stages in the sophistication of their cyber regulation. In the EU, the GDPR provides one organisation to regulate a multitude of countries. The US is more of a hodgepodge – complying with state and federal regulations often makes things more complicated.

With no borders for cyber, and with global regulatory standards some way off, dealing with cyber threats remains a complex issue. To successfully manage their cyber regulatory issues, risk managers will need to work closely with their compliance, legal and IT groups.

Fifth, cybersecurity remains an unappreciated risk by many businesses. Many firms don’t buy cyber coverage. Cyber insurance is often seen as a ‘nice to have’ and cyber losses are regarded as something that other businesses experience. Today, the cost of purchasing a cyber policy is money that risk managers may not have when faced with the rising costs of other insurance programmes they need.

The impact of this is that hackers attack the sizeable pool of companies that ‘hope for the best’ but may not have installed the cybersecurity they need. Hackers use the element of surprise and lack of preparation among these firms to their advantage. Consequently, in 2020 cyberattacks continued to rise and ransomware payments reached an all-time high. Conversely, the appetite for cyber insurance grew only moderately.

Conclusion

It’s hard to predict what will happen in 2021 – the cyber world just keeps evolving – but some safe bets are:

• The cost of network security will become a larger portion of the CIO’s budget as firms digitalise their operations. Cyber risks are getting bigger, and as firms rely more and more on technology, they will spend the money to protect themselves.
• The impact of government cyber regulations will increase because of:
  • New reporting requirements under new regulations
  • The increased cost of maintaining and complying with cyber regulations
  • Fines and penalties assessed for the breach of cyber regulation.
• Ransomware attacks will continue to accelerate until the payment of ransoms becomes illegal or companies put more resources into cybersecurity. Today, there are few impediments to their growth.
• Because of the above and need for higher limits, the cost of cyber insurance will increase.

 

Contributed by Thomas Ripp, global claims head, specialty lines, ‎Zurich Insurance Group