Allianz Cyber Head: Businesses Facing Growing Risk From 'Ransomware as a Service'
For $40 a month, bad actors can use ransomware as a service to attack businesses, said Scott Sayce, global head of cyber for Allianz Global Corporate & Specialty and Allianz Group.
You've been covering cyber a long time — 20 years. What do you see as the biggest risk today for cyber?
I think it's been no shock to people — it's been heavily press-related and on top of our clients' risk mindset when it comes to cyber — and that would be around ransomware. Ransomware has been prolific. We identified it in the AGCS Risk Barometer recently as one of our top cyber risk concerns, and within that subset, ransomware topped the bill.
And it's not just ransomware for specific companies. What else do they have to worry about?
Some of the other core areas that they have to think about are — and it was identified in the same report — digital supply chains, remote working, and the other area would be data breaches in general. But a lot of these topics can cause data breaches. One of the key things about ransomware, that doesn't necessarily get picked up that often, is double extortion. Double extortion is where the ransomware attack is actually a mask, a subterfuge for data exfiltration, stealing the data as a result of that ransomware attack. So they're getting hit twice, not just once, from the same approximate area of that ransomware attack.
So are companies getting hit twice? They lose their data and have to pay a ransom?
So it's not necessarily about paying the ransom, it's more around the impact that these organizations have. So they can get hit with the data breach. There are people stealing data, then they're perhaps going to the target to say, look, we've got your data, if you don't pay a ransom or if you don't deal with this, we're going to detonate the ransomware and encrypt all the rest of your data and expose that out there.
Companies really need to think about disaster recovery planning, and need to think about plugging those gaps, regularly assessing, regularly testing.
And then with those disaster recovery plans, actually put them to the test and regularly test them. It used to be, let's just do it once a year. With the proliferation of ransomware attacks globally, across all industry verticals, we really need to have our customers focus on that.
We've also seen a lot of investment over the past 12 months by our customers, and generally in the marketplace of organizations improving their cyber maturity levels, because of the heightened risks that now exist.
Have ransomware attacks become more sophisticated in your 20 years?
Ransomware itself doesn't need to be that sophisticated. It can be utilized now as a service. So "ransomware as a service" is a known term now, where people get access to technology for as little as $40 a month — almost renting the service — and are then able to target specific companies and identify vulnerabilities to perform these criminal acts against organizations. We forget sometimes that the companies that have been impacted by this are victims of these attacks. I do feel incredibly sorry for these organizations that are in a situation where they are massively impacted, because it hits an organization emotionally as well, not just in the bank balance. We have a lot of risk dialogues with our customers to understand and work with them and how they can help with that.
Do you know who these bad actors are?
I think, to say if there was one — it's become so widespread, there are multitudes. We see different ones in the press, and we see law enforcement trying to target them. But as I say, with ransomware as a service it doesn't necessarily need to be the big gangs out there, the big criminal activity gangs.
Have you seen viruses evolve since your tenure in the industry?
I read a stat a couple of years ago, so it's pretty outdated now, but around 300,000 to 400,000 new viruses are created every single day. And when you start looking at those variations, with the advent of new technology comes the advent of new risk areas that need to be factored in. So it finds a new way of targeting. New viruses are created. New attack vectors are created. Because we've moved to a different age, and technology is not going away. Therefore, the cyber risk isn't going away.
What's the difference between targeted and wild viruses?
You can have a virus that has been specifically created or manipulated to target a specific individual organization. When a virus is in the wild, we're talking about a widespread virus that has no real main target. And it can self-replicate across multiple different systems to really impact organizations through non-targeted means. And it causes a lot of disruption across different industry verticals, or multiple industry verticals at the same time.
How would you describe the cyber insurance market overall? It's grown considerably since the early days. Is there enough capacity today?
There are many more insurers writing this line of business than there were when I started in the market 20 years ago. And we certainly see more sophistication within that. But the demand from our customers now is their number one risk concern. And they're saying, okay, well, we may not have purchased it, or we've purchased X amount, but we want to buy more, we want to buy bigger capacity, we want more capacity. So as the risks continue to elevate, then the demand elevates.
And we, as an insurance industry, need to be mindful of that and keep up to speed with those trends, so that we're able to be here for the long term for our customers. And that's why we do a lot of regular risk engagement. AGCS-specific cyber underwriters, along with our own AGCS cyber risk consulting arm, regularly engage with our customers to understand those shifts and those changes in that market.
Have we had a cyber catastrophe yet, one that would approach a hurricane-level event?
I think we've had events. I think the big event has not yet happened; we've had events we thought would happen, but they haven't materialized into major insurance-related losses.
But all insurance companies model for this, just like you would for a natural catastrophe. Cyber accumulation modeling is probably at least three or four of my meetings every week, because we have to continue, because it isn't a static risk. So those models are continuously invested in; we utilize internal expertise and external expertise, because we build our knowledge.
We want to be able to continue to provide our clients with the right level of coverage to meet their growing risk. But also, insurers ... if they're losing money, they can't write the business. So we want to make sure we have a sustainable market for our customers, our AGCS customers, to be able to continue to buy coverage from us.
How do you balance that risk? I know in the natural catastrophe market there are levels of reinsurance, so how do you manage the cyber risk?
You have to look at your capacity, you have to look at your rating environment, you have to look at your coverage. But then you also have to look at that on a per-risk basis as well. So how much capacity are you going to allocate to a specific client, based on the risk posture, the cyber maturity of that customer? If their cyber maturity is great, then they're going to get stronger coverage, then they're going to get perhaps a bigger limit. But if their cyber maturity isn't at a certain level, then you have to think, well, I can't provide that much. So insurance doesn't replace good risk management, it goes hand in hand. If cyber maturity levels are there, they're going to get better cyber insurance as a result. And that's where that partnership piece really comes in.
If I go back to the risk dialogue point that I mentioned, we have to work very closely, especially in that large corporate environment. It's so important to have a true understanding both of the technology piece and of the human element as well, because how much does an organization invest? How much is invested in training of its people?
I'm not talking about the core critical people, I'm talking about everybody from the receptionist to the CEO. Everybody has to have cybersecurity on their mind. Don't open that email; think about other different areas; how do we protect our data? And that's why cyber as a class of business is all-encompassing when it comes to the risks around cyber. So we have to be very mindful of that as a marketplace, but also for our clients to understand how they operate, how they want to go about it, and what their concerns are, as well.