December is our month of Predictions, so here are some insights from Corvus Insurance:
Ransomware Trends, Cost and Frequency – Jason Rebholz, CISO
Ransomware is the defining force in cyber risk in 2021 and will likely continue to be in 2022. While ransomware has gained traction over the years, it jumped to the forefront of the news this year with high-profile attacks that had impacts on the day-to-day lives of millions of people. The increased visibility brought a positive shift in the security posture of businesses looking to avoid being the next news headline. We’re starting to see the proactive efforts of shoring up IT resilience and security defenses pay off, and my hope is that this positive trend will continue. When comparing Q3 2020 to Q3 2021, the ratio of ransoms demanded to ransoms paid is steadily declining, as payments shrank from 44% to 12% respectively, due to improved backup processes and greater preparedness. Decreasing the need to pay a ransom to restore data is the first step in disrupting the cash machine that is ransomware.
Although we cannot say for certain, in 2022 we can likely expect to see threat actors pivot their ransomware strategies. Attackers are nimble — and although they’ve had a “playbook” over the past couple of years, thanks to widespread crackdowns on their current strategies, we expect things to shift. We have already seen the opening moves from threat actors. In a shift from a single group managing the full attack life cycle, specialized groups have formed to gain access into companies and then sell that access to ransomware operators. As threat actors specialize in access into environments, it opens the opportunity for other extortion-based attacks such as data theft or account lockouts – all of which don’t require the encryption of data. The potential for these shifts will call for a great need in heavier investments in emerging tactics and trends to remove that volatility.
Increased Policyholder Engagement – Lauren Winchester, VP Risk + Response
There has been a shift in cyber insurance to proactively alert prospective and current policyholders to vulnerabilities by tapping into digital tools, including AI-driven cybersecurity scans, to help identify and analyze threats on an ongoing basis. The increasing sophistication and frequency of cyber attacks have led some cyber insurance providers to develop and implement new technologies to understand risk, both for their own underwriting decisions as well as to educate brokers and policyholders about the risks they face.
In 2022, I expect it will become increasingly necessary for policyholders and their insurance providers to work even more closely to identify new areas of vulnerability and cyber threats as they arise and work to quickly eliminate the risk. Insurance providers that wish to truly combat risk and mitigate the destructive impact of cyber attacks will lean into tech-enabled policyholder engagement, helping policyholders recognize gaps in their existing cybersecurity controls and quickly identify new threats and how to mitigate them.
Insurance and Security Get Tighter – Brian Alva, VP Cyber Underwriting
In 2022, cyber insurance will continue to be an essential part of an organization’s holistic security and business strategy. What we’re seeing now is an important shift in how insurance deals with cybersecurity. Over the past year, the market has required better basic security controls of policyholders, and it is having a positive impact. Security largely comes down to understanding the basics. If you follow some core principles, you are in a strong position to prevent, or lessen, an attack’s impact. 2022 will be about analyzing the impact of better security controls, and leaning in to providing policyholders with tools to improve their security posture. I expect we’ll see insurance providers continue to invest in security expertise, bringing together the best of insurance, technology, and security to become a dynamic trio to combat cyber criminals.
Cyber Insurance Policy – Mike Karbassi, Chief Underwriting Officer
This past year, it’s been really enlightening to see attention on cyber insurance, from as high up as the White House, commending cyber insurers for raising the bar in security. That’s because of our role in helping to bring basic security requirements — which security professionals begged for for years — up to the level of attention they deserve. For example, robust backup solutions and vulnerability patching are, at long last, becoming mandatory for organizations looking to buy a cyber policy. We’re just getting started in being able to see the fruits of those last few mandates as the ratio of ransoms demanded to ransoms paid is declining. In 2022, we need to continue to collectively raise the bar to ensure policyholders are in the best position possible, to keep themselves secure and keep the cyber insurance space viable.
Data’s Evolving Role in Risk Aggregation + Cyber Reinsurance – Phil Edmundson, CEO + Founder
Concerns have grown about the aggregation of cyber risks, which have been exposed by high-profile events such as Colonial Pipeline, SolarWinds and the Kaseya ransomware attack in the past year alone. In the year ahead I hope, and expect, to see capital providers take critical steps to address these challenges by honing in on properly understanding and underwriting risk with insight and data around systemic cyber security metrics. Only with real-time, aggregated data coupled with effective cyber catastrophe modeling can providers better manage these risk aggregations. It also gives reinsurers the certainty they need to support the booming cyber insurance market. As the economy continues to digitize, the demand for cyber reinsurance capacity is only going to grow. As an industry, we can meet this demand using the same type of tools that we use for other catastrophic risk aggregations – data and modeling.