The top business risks that CEOs, risk managers, brokers and insurance experts have identified as being potentially harmful to their businesses, including business interruption, pandemic outbreak and cyber incident, are all changing somewhat, again, thanks to the pandemic.
In addition to shifting executives’ perceptions of the risks their companies face, the pandemic has also caused and inspired activity that materially makes companies more susceptible to cyber risks than they have been in the past.
Despite the increased risk (more on that in a moment), it is interesting, if not entirely surprising, to note that pandemic concerns have jumped dramatically among respondents, unseating their earlier concerns about cyber risk, in the most recent Allianz Risk Barometer 2021.
In the 10th iteration of the report, Allianz Global Corporate and Specialty (AGCS) says business interruption regularly ranks as a top concern among respondents surveyed for the company’s risk barometer report. In 2020, concerns about cyber incidents topped that list, before falling to third place in 2021 as pandemic interruption concerns rocketed from 17th place to the very top of the company’s risk list. In Canada, AGCS says business interruption was the number one concern, with 47 per cent of respondents ranking it as their top business threat, followed by 41 per cent who said another pandemic outbreak is a concern and 37 per cent who said a possible cyber incident is the top threat facing their company. Another risk management survey by AON, entitled Reprioritizing Risk and Resilience for a Post-COVID-19 Future, also saw respondents rating a major cyber event as their third most significant concern.
Extreme business interruption events
“One of the big lessons learned from the pandemic is that extreme business interruption events are not just theoretical, but a real possibility.” - Philip Beblo
“Given the widespread disruption caused by COVID-19, it is no surprise that it (pandemic business interruption) is ranked as the highest peril, while cyber was already one of the most concerning potential causes of business interruption,” writes AGCS global practice group leader, Philip Beblo. “One of the big lessons learned from the pandemic is that extreme business interruption events are not just theoretical, but a real possibility.”
Although cyber incidents have slipped into third position on the AGCS list of concerns, the authors add that more respondents are picking it as a top peril. “Cyber crime now costs the global economy over US$1-trillion, more than one per cent of global GDP, up from 50 per cent from two years ago,” AGCS authors write. They add that analysis of over 1,700 cyber-related insurance claims over the past five years shows that business interruption is the main cost driver behind losses when a cyber incident occurs, accounting for roughly 60 per cent of the value of those claims.
The shift to remote work
Despite those costs, the research suggests that there is a risk those responsible for budgeting and management won’t take cyber concerns seriously enough going forward. “The shift to remote working during the early stages of the lockdown was accompanied by a reduction in cyber security – some firms turned off multi-factor authentication – while employees working from home are more susceptible to phishing attacks. At the peak of the first wave of lockdowns in April 2020, the FBI reported a 300 per cent increase in cyber incidents alone,” AGCS adds. “Companies should now have the right processes and protections in place to enable safer remote working. However, there is a risk that companies will reduce IT budgets and security spend if the pandemic subsides and people return to offices, meaning vulnerabilities could re-emerge.”
Their concerns are not unfounded, either. The previously mentioned report by AON found that cyber security concerns ranked only 6.4 on a scale of one to ten with one being the most important. The concern came in well behind other concerns including those about employee wellbeing, retention, reputation risk and supply chain reviews. In asking survey respondents to discuss the likelihood of a future shock coming from a major cyber incident, those surveyed put the risk at number five, behind the risk of economic disruption, geopolitical tension or the possibility of being hit with another health crisis.
Potential vulnerability
AON adds that companies with annual revenues under USD $1-billion are more concerned about another health crisis, while companies with annual revenues above USD $1-billion are more concerned about a major cyberattack. “This may reflect an understanding that their global operations rely on technology. While this has allowed them to successfully invest in and accelerate digital plans, it nonetheless creates potential vulnerability if not managed effectively,” they write. “It is surprising that a major cyber event ranked only sixth in priority. Organizations’ increasing reliance on digital solutions and remote work increases their vulnerability by making cybersecurity a more concentrated possible point of failure.”
So why exactly is the pandemic seen as such a risk by security experts? Beyond accelerated digitalization and the laxer security controls permitted to keep companies in business while whole workforces moved into home offices, security experts say phishing is on the rise (citing INTERPOL statistics, AGCS says malware and ransomware incidents increased by more than one-third in 2020, while phishing, scams and fraud increased more than 50 per cent). Ransomware attacks are increasing in number and severity; cloud usage, personal device usage, and unvetted apps and platforms all potentially create vulnerabilities; and business email compromise attacks are becoming more sophisticated.
Compromised email and spoofed accounts
“Criminals now use compromised email and spoofed accounts to imitate senior executives, vendors or customers in order to gain access to corporate IT systems,” say authors of the AGCS report, Managing the impact of increasing interconnectivity: Trends in cyber risk. “Historically, business email compromise attacks focused on the fraudulent transfer of funds, but today they are also used to steal valuable data or to carry out account takeover attacks.”
IBM Security, meanwhile, describes the very same behaviour being used to launch ransomware attacks. “Threat actors carried out ransomware attacks predominantly by gaining access to victim environments via remote desktop protocol, credential theft, or phishing – attack vectors that have been similarly exploited to install ransomware in prior years,” say the authors of the 2021 X-Force Threat Intelligence Index published by IBM Security.
In looking at operational technology threats (those which have real-world consequences including chemical spills, machinery malfunction or even passenger vehicle failure) they add that insider incidents made up 13 per cent of all operational technology incidents in 2020. Of those, they say 60 per cent involved malicious insiders while about 40 per cent of the cases were the result of negligence.
Ransomware and human error
For those who are technically inclined, IBM adds that server access attacks, the third most common attack type in 2020, account for more than 10 per cent of all the attacks remediated by the company. Moreover, they say nearly 36 per cent of the server access attacks observed in 2020 targeted the finance and insurance sector.
IBM’s report is also interesting in that it ranks the most frequently attacked industries each year. “For the fifth year in a row, the finance and insurance industry was the most-attacked industry, underscoring the significant interest threat actors have in these organizations,” they write.
Broadly speaking, IBM says the top three attack types identified in 2020 included ransomware, which made up 23 per cent of the attacks IBM identified, data theft, which has increased more than 160 per cent since 2019, and server access attacks which jumped 233 per cent between 2019 and 2020. Data theft accounted for 13 per cent of attacks remediated by the company, a marked jump up from just five per cent of attacks in 2019. Financial services and insurance industry attacks made up 17 per cent of all data theft attacks studied by the X-Force group, 28 per cent of attacks on finance and insurance in 2020 were server access attacks and 10 per cent of attacks on finance companies were ransomware.
“Losses resulting from the external manipulation of computer systems such as distributed denial of service attacks or phishing and malware/ransomware campaigns account for the significant majority of the value of claims analyzed,” write the analysts preparing the interconnectivity report from AGCS. “Cybercrime generates headlines but the analysis also shows that more mundane technical failures, IT glitches or human error incidents are the most frequent generator of claims.” While internal accidents happen more frequently, they add that external attacks cause the most expensive losses.
A look at professional services
Whether a professional services firm is part of your supply chain or you are that professional services firm, it is also worth noting that such firms are often targeted too, so much so that IBM goes so far as to treat them as a stand-alone sector in its analysis.
“Professional services ranked as the fifth-most attacked industry in 2020 and received 8.7 per cent of all attacks on the top ten industries – holding its same rank as in 2019 when it received 10 per cent of all attacks,” they write. “Professional services organizations are particularly attractive to attackers because of the avenue they provide to additional victims.” They add that ransomware attackers aggressively targeted these firms in 2020. In one example, they say a law firm’s data was put up for auction for $40-million.
“In addition to ransomware attacks, data theft and server access attacks hit professional services hard in 2020, accounting for 13 per cent of attacks each on the industry.”