The top cyber threats to businesses in 2021
16th March 2021
Ransomware, the changing legal and regulatory landscape, and the ramifications of the SolarWinds, Accellion, and Microsoft Exchange incidents are likely to dominate cyber concerns in 2021 says Andrew Lewis – Lead Cyber Underwriter for Hiscox London Market.
According to Hiscox’s CyberClear Centre, the top five cyber risks in 2021 will be the continued COVID-19 threat, particularly as threat actors attack the global response effort to the pandemic; the emergence of new attack vectors, such as point-of-sale malware; the shift in the legal and regulatory landscape; the continued evolution of ransomware; and the implications of the incident involving SolarWinds – to which can now be added similar attacks on Accellion and Microsoft Exchange.
While each poses a significant threat, it’s perhaps the last three cyber risks listed that are causing the greatest concern from the perspective of Hiscox’s London Market cyber team, further underlining the need for businesses to keep building up their cyber resilience.
Big game hunting
Let’s start by looking at ransomware. In the last 18 months, the evolution of the risk has been rapid. While losses were relatively low, that all changed towards the end of 2019 as threat actors changed their methodology and started ‘big game hunting’. They realised that by selectively targeting big businesses they could reap much greater rewards than with their previous scattergun approach. Total insured losses from ransomware events are now averaging out at between US$25 million and US$50 million.
Part of this growth in losses relates to the increased use of doxing – the theft and threatened publication of confidential data. For businesses, whether the data is released publicly or not, the legal and regulatory requirements of the relevant jurisdiction may still apply, meaning considerable further first-party costs and potential third-party liability are likely to increase the size of the loss irrespective of whether the ransom demand was paid.
Keeping up with compliance
Secondly, the legal and regulatory landscape is evolving when it comes to cyber risk. One of the big challenges for larger businesses is dealing with the requirements in different jurisdictions when it comes to handling and safeguarding data. Take the US for example, where states have their own legislation such as the California Consumer Privacy Act (CCPA) already in force, with others such as Virginia’s Customer Data Protection Act (CDPA) on the way.
It can be difficult for businesses to ensure they remain compliant within all these different jurisdictions and inevitably it means an increase in compliance costs as they move to allocate additional resources. This isn’t just a US issue either; the UK, Europe and Australia are changing from a compliance perspective, demanding more of businesses should they experience a breach.
Class actions will play their part too. Previously a preserve of the US and Canadian legal systems, class actions could soon start to appear in the UK. The UK’s Supreme Court is shortly due to hear the case of Lloyd v Google concerning Google’s use of tracking cookies on iPhones and a “loss of control of [users’] data”. With the claim brought on behalf of potentially millions of individuals, the wider outcome could be a greater exposure amongst businesses to mass compensation claims.
The virtual keys to many front doors
The third risk relates to the fallout from recent high-profile cyber incidents involving SolarWinds, Accellion, and Microsoft Exchange. In 2020, SolarWinds – a business that develops software for clients to manage their networks and information technology infrastructure – was reportedly attacked by Russian threat actors who compromised the company’s software, allowing entry into US government networks and over 100 companies. Cloud solutions company Accellion is believed to have been breached in December 2020 and January 2021, putting companies and organisations at risk. It is also believed that nation-state actors from China breached Microsoft Exchange, allowing them access to organisations’ email accounts, with reports suggesting there have been up to 60,000 victims. Breaching these businesses potentially hands threat actors or nation states the virtual front door keys to thousands of organisations.
Unfortunately, given the aggregation of risk related to the breach of a third-party provider, it’s no surprise that businesses will continue to see more challenging market conditions as underwriters reassess their portfolios. One obvious risk mitigation for businesses vulnerable to the risk of a third party being breached – and a step underwriters will be looking out for when considering an organisation’s risk profile – is to make sure they have a rigorous approach to vulnerability and patch management processes.
That’s one essential action but the onus is on every organisation, regardless of size, to understand these key cyber risks and build their preparedness and resilience to both prevent a successful cyber incident and, if the worst should happen, be in the best place to deal with it to minimise the financial, operational and reputational consequences.