The Evolving Ransomware Threat: How Can Organizations Be Better Prepared?
This year’s Airmic conference was held from 6 to 8 June at the Arena Convention Centre in Liverpool under the theme ‘Moving Forward Together,’ with one of the key panel sessions addressing the impact of cyber risks on organizations and how they can better protect themselves.
The panel session shone a spotlight on cyber under the heading ‘Cyber risk and insurance — can insurance provide a solution for financing cyber risks, when almost half of businesses in the UK do not buy this cover?’ and highlighted the cyber threats we see today and the losses that arise when organisations do not have the right security controls in place.
The expert panel consisted of: Scott Stransky, managing director at Marsh; Kate Loades, director of insurance at Liberty Global; Ayesha West, head of cyber liability at Everest Re; Rahelia Nazir, head of cyber technology at Chubb; Shannon Fort, financial lines partner for cyber at McGill; Greig Anderson, partner at HSF; William Wright, partner and director at Paragon International Brokers; Ben Hobby, global forensics and litigation services partner at Baker Tilly.
The impact of ransomware on organizations is huge: the cost to the global economy is currently over US$1.5 trillion per year, and this figure is expected to rise.
Addressing the audience, Nazir said: “The explosion of ransomware has had a significant impact, especially in the international markets where we’ve started looking at business interruption claims that have been driving a lot of losses and a lot of first-party costs associated with that. Last year over 50% of UK organisations had some kind of cyber breach.
“The initial ransomware demand was something like US$300 and very quickly attackers realised this was a multi-million dollar lucrative business. It became a targeted approach when attackers started focusing on public health entities and government organizations where typically the security controls were not up to scratch.
"However now from a geographical perspective or an industry perspective there is any distinction. From an insurance perspective the ransomware demand is not the biggest issue it’s more the business interruption loss that arises out of that when an organisation cannot recover from the attack as they don’t have the right controls or the right back up.”
Speaking to Insider Engage, Scott Stransky, managing director at Marsh, said: “Ransomware is the biggest threat right now. From an individual risk perspective, it’s a ransomware where they encrypt your data but they can steal your data and threaten to release it. Even if you have a good back up there is a chance that may not save you because they may threaten to release the data for a ransom.
“Most of these ransoms are negotiable, so if they give you a first ransom offer you shouldn’t just accept it and pay. You should work with the team who is good at negotiating with the bad actors and negotiate down the ransom — there are companies that specialize in that and can get you a much better deal."
Julia Graham, Airmic CEO, highlighted that although it seems that ransomware attacks are on the rise, it is more likely that detection techniques have improved.
In a press conference held at the event she said: “Activity like ransomware appears to be going up but when you read some of the government reports, it’s not the incidence of ransomware that’s going up, it’s the incidence of detection that’s going up and people are getting better at finding it and reporting it. Some organizations may not feel that they need to invest more money in doing that.”
According to Stransky, there are many ways businesses can protect themselves from cyber risks but first they need to focus on the key controls.
He said: "There are 12 key controls we focus on but multi-factor authentication, encryption of data, anti-virus and firewalls are really important.
“If we look at multi-factor authentication (MFA) — there are a lot of nuances around that. You can have multi-factor authentication when signing into a laptop but you can have it only for the system administrators when they are signing into the servers and anything in between.”
He added: “Real MFA is a lot more substantial than when people just say I have MFA. Each of these controls has to be implemented correctly to the point where it helps. If you say you have MFA and it’s only because your one system administrator has MFA on their computer that actually doesn’t cut it.”
The Marsh & McLennan Companies Cyber Risk Analytics Center was launched in 2021 to provide cyber modeling, thought leadership, and cyber analytics guidance across Marsh McLennan.
Stransky said: “One of my roles at the Marsh & McLennan Companies Cyber Risk Analytics Center is to bring together that whole modelling ecosystem. So we’re not just focused on single risk. We bring together our own internal data and we bring together external partners, vendors, data sources and we put that together into a framework that allows us to help our clients.
“Cyber modelling has evolved a lot over time – it is one of the fastest growing areas of modelling. There are various types of modelling – on the Marsh side we are focused on modelling for individual risks.
"There we are looking at how a single company can help reduce their losses and also what their potential losses are. When we think about it from the Guy Carpenter side – from an aggregation perspective, there we’re focused on cloud failure, a mass ransomware attack, seeing points of failure.
"We need to bring all of this together – the whole spectrum – from individual risk events, through those mass aggregation events to get that full modelling paradigm."
Airmic has published a second guide in its series "perfecting governance", in partnership with McGill and Partners, to answer 12 questions associated with cyber risk and insurance, posed from a director's perspective.
Commenting on the launch, Julia Graham, Airmic CEO, said: “There is no ‘one-size-fits-all’ approach to addressing cyber risks with specific business circumstances varying greatly from one organisation to another. It may be appropriate for organisations to consider accreditation or certification from a recognized body, such as Cyber Essentials, Cyber Essentials Plus or ISO 27001.
"These accreditations may help an organisation, however, accreditation alone is not enough. Asking the right questions before a problem arises, makes good management sense. This guide is an important contribution to our members who support their leadership, as they collectively navigate an increasingly complex world and associated governance responsibilities."
While cyber was one of the key themes at this year's conference, ESG and people were two other key themes, and this was reflected in the seminars, workshops and keynotes that took place during the three-day event.
Commenting on this year's event, Stransky said: “The conference has been great — I always like working with the Airmic team — it brings the right audience.
“It was great to be part of a panel where you have so many different types of expertise within cyber.”