Is cyber crime insurance feeding on itself?
(Photo by Alex Shute on Unsplash)


Demand for cyber crime insurance is increasing, but so are the payouts. Is this fuelling yet more attacks?

Summary: A large increase in the number of cyber attacks over the past few years brought with it increased demand for cyber crime insurance, driving premiums higher. However, with the vast majority of companies targeted by ransomware paying the demanded ransoms - ultimately paid by the insurance companies - the incentive to commit these crimes has increased, leading to a vicious circle.

Why this is important: With the COVID pandemic accelerating the digitalisation of the world, securing our data and digital assets becomes ever more crucial.

The big theme: The transition to a digital economy is an important sustainability theme both from the emergence of new vulnerabilities such as cyber crime and from shifting energy requirements and potential emissions issues. There are a number of ways in which corporates, the financial sector including insurance, and investors can help mitigate those vulnerabilities and support innovation to ensure that the digitalisation of our lives does not compromise other sustainability objectives.



The details


Summary of a story from The Conversation

In the early stages of the COVID pandemic there was an enormous increase in the number of cyber-attacks, according to a study from the University of Leeds. Global cyber security firm Sophos found that almost double the proportion of firms in its survey across 31 countries were hit by ransomware in 2021 compared with 2020, with the average ransom paid increasing 5x to more than £700,000. A study by security firm Proofpoint found that 82% of UK organisations chose to pay the ransom demanded, i.e. insurance companies are paying out on the policies. They also found that only four percent of organisations that paid a ransom were subsequently unable to retrieve their data, further driving the incentive for victims to comply and for criminals to persist with attacks.

Specialist cybercrime insurance policies have grown rapidly in recent years, with gross written premiums forecast by GlobalData to almost triple by 2025 to US$20.6 million. Fitch estimates that insurance premiums increased by 22% in 2020, and Howden saw a further 32% rise in 2021 with no signs of slowing. The problem is that cyberinsurance providers rarely audit an organisation's IT security before a policy is signed. In addition, the probability of a cyber attack happening is hard to forecast, as digital technology evolution can be unpredictable and attackers' intentions and capabilities change quickly. Indeed, new rules released by the Lloyd's Market Association (LMA) at the end of 2021 restrict the liability of underwriters so that "war or a cyber operation that is carried out in the course of war" are excluded from coverage.

Let's take a look at why this is important...


Why this is important

Security in a digital world brings added complexity relative to a purely physical one. In the physical world, an attacker trying to steal physical assets will be local to those assets, whereas in the digital world the attack could come from any location. In addition, digital assets can be copied or altered, so it could take time to even realise that an asset has been compromised. Even worse, that compromised asset could be doing harm operationally to your business or investment.

The long-term trend of increasing digitalisation of both work and life more broadly was given added impetus during the COVID pandemic, with the associated lockdowns driving a rapid shift to remote working. A study from careers site Ladders found that for high-paying jobs with salaries exceeding US$100,000 per annum, only four percent were available remotely pre-pandemic. By the end of 2021 that had risen to 18%. With the shift to remote working has come an increased need for technology tools, internet access and digital collaboration tools such as MS Teams, Slack and Zoom. In many cases the skills to use them were lacking, creating a vulnerability.

The most common cyber threats include hacking, phishing, malicious software and distributed denial of service ('DDoS') attacks. Hacking, or the gaining of unauthorised access to a system and its data, is a high-level activity often achieved through phishing. Phishing involves the sending of emails pretending to be from a colleague, personal contact or a reputable company with the aim of inducing people to reveal personal and/or confidential information. These emails can also sometimes contain malicious software such as ransomware, which can lock up your data unless you pay a ransom. In a distributed denial of service or DDoS attack, a server is flooded with requests in an attempt to overwhelm it, so that legitimate requests can't get through and the business grinds to a halt. Varying degrees of expertise are used, but there are even 'off the shelf' tools, meaning that less technically proficient criminals can also commit cyber crime.

As we have discussed before, insurance companies can directly intervene in an activity, thereby actively reducing the risk of the insured event happening. In the cyber crime area, for example, Volante Global (now owned by Acrisure), which provides cyber insurance, launched a ransomware technology product in the early days of the pandemic to help protect its customers but also actively reduce the risk of a payout on the policy. Given that human weaknesses are often exploited as the first entry point - after all, in a phishing attack the whole point is to gain the trust of the reader of the email - another option for insurance companies is to provide training to help people identify phishing emails, thereby preventing harm or loss occurring in the first place. Many outsourced IT services providers send simulated phishing emails to reinforce the common signs employees should look out for, helping them identify, avoid and report real attacks.

