Cyber intrusion activity globally jumped 125% in the first half of 2021 compared to the previous year, according to Accenture, with ransomware and extortion operations being one of the major contributors to this increase. According to the FBI, ransomware incidents in the U.S. rose 62% in the same period, following an increase of 20% for the full year 2020.
By Thomas Kang, North American Head of Cyber, Tech & Media at Allianz Global Corporate & Specialty
In a new risk report, cyber insurer Allianz Global Corporate & Specialty (AGCS) analyzed the latest risk developments around ransomware and found, based on its claims analysis, that business interruption and restoration costs are the biggest drivers behind cyber losses, including those from ransomware attacks. They account for over 50% of the value of close to 3,000 insurance industry cyber claims worth around €750 million ($885 million) that AGCS has been involved in since 2016.
In 2020, AGCS was involved in over a thousand cyber claims, up from around 80 in 2016; the number of ransomware claims (90) rose by 50% compared to 2019 (60). In general, losses resulting from external cyber incidents such as ransomware or Distributed Denial of Service (DDoS) attacks account for most of the value of all cyber claims analyzed by AGCS over the past six years.
The average total cost of recovery and downtime – on average 23 days – from a ransomware attack more than doubled over the past year, increasing from $761,106 to $1.85 million in 2021.
The surge in ransomware attacks in recent years has triggered a major shift in the cyber insurance market. Cyber insurance rates have been rising, according to broker Marsh, while capacity has tightened. Underwriters are placing increasing scrutiny on the cybersecurity controls employed by companies. AGCS estimates that three out of four companies do not meet its requirements for cybersecurity.
Taking steps to harden cybersecurity can help companies defend against the majority of ransomware attacks, but what does good IT security look like? AGCS developed a checklist for companies to review to shore up their IT defenses against a ransomware incident:
Ransomware identification:
- Are anti-ransomware toolsets deployed throughout the organization?
- What proactive measures are in place for the identification of ransomware threats?
- Are policies, procedures, access control methods, and communication channels updated frequently to address ransomware threats?
- Are in-house capabilities or external arrangements in place to identify ransomware strains?
Business continuity planning/incident response plan:
- Are ransomware-specific incident response processes in place?
- Have there been any previous ransomware incidents? If so, what lessons have been learned?
- Are arrangements with an IT forensic firm or anti-ransomware service provider agreed in advance?
Anti-phishing exercises and user awareness training:
- Is regular user training and awareness conducted on information security, phishing, phone scams and impersonation calls, and social engineering attacks?
- Are social engineering or phishing simulation exercises conducted on an ongoing basis?
Backups:
- Are regular backups performed, including frequent backups for critical systems to minimize the impact of the disruption? Are offline backups maintained as well?
- Are backups encrypted? Are backups replicated and stored at multiple offsite locations?
- Are processes in place for successful restoration and recovery of key assets within the Recovery Time Objective (RTO)?
- Are backups periodically retrieved and compared to the original data to ensure backup integrity?
Endpoints:
- Are endpoint protection (EPP) products and endpoint detection and response (EDR) solutions utilized across the organization on mobile devices, tablets, laptops, desktops, etc.?
- Is a Local Administrator Password Solution (LAPS) implemented on endpoints?
Email, web, office documents security:
- Is Sender Policy Framework (SPF) strictly enforced?
- Are email gateways configured to look for potentially malicious links and programs?
- Is web content filtering enforced, including restricting access to social media platforms?
Segmentation:
- Are physical and logical segregations maintained within the network, including the cloud environment?
- Are micro-segmentation and zero-trust frameworks in place to reduce the overall attack surface?
Monitoring, patching and vulnerability management policies:
- Are automated scans run to detect vulnerabilities? Are third-party penetration tests performed on a regular basis?
- Does the organization enforce appropriate access policies and multi-factor authentication for critical data access, remote network connections, and privileged user access?
- Is continuous monitoring in place for detecting unusual account behavior, new domain accounts, account privilege escalations (to administrator level), new service additions, and unusual chains of commands being run during a short time period?
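To make the last monitoring question concrete, here is an added example (not from the article or AGCS) of detection logic that applies those four checks to constructed, simplified audit events. The log format is an assumption made for the example; the event IDs follow Windows Security log conventions (4720 user created, 4728/4732 member added to a group, 7045 service installed, 4688 process created).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field order:
# timestamp | event id | account | detail
SAMPLE_EVENTS = """\
2021-09-01T08:00:00 | 4720 | svc_backup2 | A user account was created
2021-09-01T08:00:05 | 4728 | svc_backup2 | A member was added to Domain Admins
2021-09-01T08:01:00 | 7045 | svc_backup2 | A service was installed: helper_svc
2021-09-01T08:01:10 | 4688 | svc_backup2 | Process created: stage1.exe
2021-09-01T08:01:12 | 4688 | svc_backup2 | Process created: stage2.exe
2021-09-01T08:01:15 | 4688 | svc_backup2 | Process created: stage3.exe
2021-09-01T08:01:18 | 4688 | svc_backup2 | Process created: stage4.exe
2021-09-01T09:30:00 | 4688 | jdoe | Process created: outlook.exe
"""

ADMIN_GROUP_EVENTS = {"4728", "4732"}  # member added to a global / local group


def parse(log_text):
    """Parse 'ts | event id | account | detail' lines into dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, eid, account, detail = (f.strip() for f in line.split("|", 3))
        events.append({"ts": datetime.fromisoformat(ts), "eid": eid,
                       "account": account, "detail": detail})
    return events


def detect(log_text, burst_threshold=4, window=timedelta(seconds=60)):
    """Return (rule, account, timestamp) alerts for the checklist's monitoring items."""
    alerts = []
    recent = defaultdict(list)  # account -> timestamps of recent process creations
    for ev in parse(log_text):
        acct, ts = ev["account"], ev["ts"]
        if ev["eid"] == "4720":
            alerts.append(("new_domain_account", acct, ts))
        elif ev["eid"] in ADMIN_GROUP_EVENTS and "admin" in ev["detail"].lower():
            alerts.append(("admin_privilege_escalation", acct, ts))
        elif ev["eid"] == "7045":
            alerts.append(("new_service_installed", acct, ts))
        elif ev["eid"] == "4688":
            # Sliding window: keep only process creations within `window` of this one.
            recent[acct] = [t for t in recent[acct] if ts - t <= window] + [ts]
            if len(recent[acct]) == burst_threshold:  # fire once when threshold is hit
                alerts.append(("command_burst", acct, ts))
    return alerts


if __name__ == "__main__":
    for rule, acct, ts in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {rule:28} {acct}")
```

In production the same rules would run over forwarded events in a SIEM; the thresholds and window here are placeholders to be tuned against a baseline of normal activity.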
Mergers and acquisitions:
- What due diligence and risk management activities are performed prior to M&A?
- Are regular security audits conducted on newly integrated entities to ensure their security controls are evaluated?
About the Author
As the Head of Cyber, Technology and Media for North America at Allianz Global Corporate & Specialty (AGCS), Thomas is responsible for developing and executing a strategic vision for the line of business across all market segments in the U.S. and Canada.
Prior to joining AGCS, he served as the Global Cyber Product Leader at Willis Towers Watson, creating a client-centered, strategic product and services alignment across geographies. Over the past 15 years, he has held various executive positions in cyber and E&O insurance across underwriting, product, claims, and legal with a focus on delivering innovative cyber insurance and service solutions to clients across all segments and geographies.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.