It’s every company’s nightmare: servers, networks, and business IT are unavailable due to a cyber- attack. Cybercrime is a part of everyday digital life, and online extortion has become a booming business. The economic consequences are costly. A recent study by Allianz subsidiary AGCS shows how expensive cybercrime can be for companies. Ransomware and DDoS attacks are the main cost drivers.
The damage caused by cybercrime is becoming increasingly expensive for companies and their insurers. This is the conclusion of an analysis by AGCS (Allianz Global Corporate & Specialty), Allianz’s center for global business insurance, which evaluated 1736 cyber-damage reports filed between 2015 and 2020. According to AGCS, the total losses amounted to 660 million euros*. The number of cyber-insurance claims is following an upward trend: Their number rose from 77 in 2016, when cyber-insurance was still a niche product, to 809 in 2019. Seven hundred and seventy claims were filed with AGCS in the first nine months of 2020.
The increasing number of reported claims can only be partly explained by the fact that more and more companies are taking out cyber-insurance. Other factors – involving the attackers and the insurers – also come into play, including:
Companies are increasingly aware of this risk. According to Allianz’s annual Risk Barometer, cyber-incidents have topped the ranking of the most important business risks for companies worldwide for the first time.** In Germany and the Netherlands, damage caused by cybercrime ranks second behind business interruption. In contrast, cybercrime is considered the top risk in the UK and France.
According to the AGCS figures, the largest losses in the cybercrime environment are due to “external manipulation of systems“. Such manipulation is responsible for 85% of the damage amount, followed by internal attacks (9%) and technical failures (9%). Two types of external attacks stand out: ransomware and DDoS attacks.
Both types of attack can cause long-lasting outages and result in business interruptions of several days or weeks. The University Hospital of Dusseldorf (Germany) learned this painful lesson in September 2020. After the encryption of its servers by extortionists, the clinic needed a full month to return to normal patient operations.
The New Zealand Stock Exchange had to halt trading for four days at the end of August/beginning of September 2020 due to prolonged DDoS attacks. In addition to the stock exchange, numerous other companies in the financial sector were extorted with DDoS attacks. The ransom demands by cybercriminals posing as notorious hacker groups such as Armada Collective and Fancy Bear were not only aimed at companies in the Asia-Pacific region. They also targeted companies in North America and Europe.
In view of these damage scenarios, it is often tempting for blackmailed companies to get rid of the problem by quickly paying the demanded sum without having to involve law enforcement, IT experts, or insurers. Since October 2020, the USA has put a legal stop to this. The law-enforcement authorities are now allowed to prosecute companies that violate sanctions by paying ransom. If the sanctions, aimed at known cyber-extortionists and certain states such as Iran and North Korea, are disregarded, heavy fines and imprisonment may be imposed. Under these circumstances, the victim can become the perpetrator himself.
Each company must decide how to respond to the increasingly complex cyber risks it faces. In almost every case, investments will be necessary so the firm’s protection solutions can keep pace with the perpetrators’ expertise. Companies must also invest either in trained specialist staff or external service providers. Both solutions are associated with additional costs, but the price that unprotected companies pay after an attack and failure can far exceed this. And their insurer will also link the company’s cyber-policy to good IT security.
Sources mentioned:
*AGCS: Managing the Impact of Increasing Interconnectivity. Trends in Cyber Risk, November 2020
** Allianz Risk Barometer, Januar 2020
