Ransomware changes the story for cyber risks: Fitch

Rising costs from ransomware and systemic threats have changed attitudes to cyber threats over the last year, according to the ratings agency.


Providing its overview of cyber risk for the Monte Carlo Rendez-Vous, Gerry Glombicki, director at Fitch Ratings, noted the acceleration in cybercrime costs: industry estimates put them at up to $1 trillion in 2020, according to McAfee, a rise of almost half since 2018.

Ransomware was a major driver. CrowdStrike estimated the number of attacks up 400 percent over the last year, and IBM/Ponemon put the average cost of a successful attack at $4.6 million.

The nature of attacks had also changed. “What ransomware has done recently is to go from a confidentiality problem where attackers take your files and threaten to leak them, to an availability problem that prevents you from doing your work,” explained Glombicki.

Three incidents in 2021 changed perceptions of the risk: the May attack on Colonial Pipeline, which shut down one of the largest US pipelines; June’s attack on JBS, the world’s largest meat processing company, which disrupted operations in Australia, Canada and the US; and the July attack on IT vendor Kaseya, which affected up to 1,500 businesses worldwide.

“These no longer attacked a single business but attacked the broader supply chain, which definitely got the attention of regulators and policymakers and made people look at this as a more serious event,” said Glombicki.

So, too, did bigger regulatory fines, including Amazon’s $887 million penalty for breaches of the EU’s General Data Protection Regulation.

By contrast, cyber insurance remained in its infancy. Out of US direct insurance premiums of $725 billion in 2020, cyber insurance accounted for less than 0.5 percent.

“It takes up a lot of press in the media in terms of risks, but in terms of dollar value of premiums, it’s fairly low overall,” he said.

It is growing fast, however. National Association of Insurance Commissioners data showed direct premiums rising from $1 billion to $2.7 billion, with growth of 22 percent in the last year. Rates are rising rapidly, too, Glombicki noted, with Council of Insurance Agents & Brokers data showing cyber prices up 25 percent in the second quarter of 2021, on top of increases of 18 percent and 11 percent in the previous two quarters. That reflects rising loss ratios.

“As losses have increased, so prices have increased in kind.” Terms and conditions have also become more restrictive, he added.

Ratings threats

Two main consequences followed from the increasing prevalence and sophistication of attacks, according to Glombicki. First, that no industry or organisation is safe.

“No industry is immune,” he said. “Certain sectors are targeted more often, but every industry is a target.”

The second was that total security was probably unachievable, but organisations could take a number of steps. One was to recognise that there was no single solution.

“It’s not as simple as just doing one of the things. If it were, they would have been done already,” he said.

“It is definitely a multifaceted defence-in-depth strategy that one has to undertake to address ransomware seriously.”

Another step was to have an incident response plan in place beforehand—and make sure it’s rehearsed regularly.

“If you have a plan but don’t practise it, that’s just as bad as not having a plan,” he said.

Glombicki pointed to the IST Ransomware Task Force recommendations for backups and the “3-2-1 Rule”: three backup copies, on two different media, with one in a separate location. The separate copy matters most against ransomware: a backup that is reachable from the compromised network can be encrypted or deleted along with the production data, so the off-site copy should be offline or otherwise immutable, and restores should be tested as part of the rehearsed plan.
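As an added illustration (not code from Fitch or the IST task force), the following Python audits a backup inventory against the 3-2-1 Rule as the article states it, and additionally reports whether the off-site copy is offline, an extension beyond the rule that reflects the ransomware failure mode above. The `BackupCopy` fields and the two inventories are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the protected data set (fields are this example's assumption)."""
    name: str
    medium: str      # e.g. "disk", "tape", "object-storage"
    location: str    # site identifier where the copy physically lives
    offline: bool    # True if not reachable from the production network


def audit_321(copies: Iterable[BackupCopy], primary_site: str) -> dict:
    """Check an inventory against 3-2-1 and the offline-offsite extension.

    three_copies : at least three backup copies exist
    two_media    : the copies span at least two distinct media types
    one_offsite  : at least one copy lives outside the primary site
    offsite_is_offline : at least one off-site copy is also offline
                         (not part of 3-2-1 as quoted; added here because a
                         reachable backup is itself a ransomware target)
    """
    copies = list(copies)
    media = {c.medium for c in copies}
    offsite = [c for c in copies if c.location != primary_site]
    offline_offsite = [c for c in offsite if c.offline]

    result = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": len(offsite) >= 1,
        "offsite_is_offline": len(offline_offsite) >= 1,
    }
    result["passes_321"] = (
        result["three_copies"] and result["two_media"] and result["one_offsite"]
    )
    return result


def unmet(result: dict) -> list:
    """Names of the checks that failed, for a short report."""
    return [k for k, v in result.items() if k != "passes_321" and not v]


# Constructed inventories for the example.
GOOD_INVENTORY = [
    BackupCopy("nightly-snapshot", "disk", "dc-east", offline=False),
    BackupCopy("weekly-replica", "object-storage", "dc-east", offline=False),
    BackupCopy("monthly-tape", "tape", "vault-west", offline=True),
]

# Three copies, but all on disk at the primary site and all network-reachable.
WEAK_INVENTORY = [
    BackupCopy("snap-a", "disk", "dc-east", offline=False),
    BackupCopy("snap-b", "disk", "dc-east", offline=False),
    BackupCopy("snap-c", "disk", "dc-east", offline=False),
]


if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        r = audit_321(inv, primary_site="dc-east")
        print(label, "passes 3-2-1:", r["passes_321"], "unmet:", unmet(r))
```

The weak inventory satisfies the count of three but fails on media and location, and nothing in it would survive an attacker who has reached the production network; the good inventory passes 3-2-1 and also has an offline off-site copy.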

Organisations could also assess the level of their cybersecurity maturity using tools such as the Center for Internet Security (CIS) Benchmarks.

Fitch itself is increasingly looking at such considerations when assessing businesses, Glombicki said. It has partnered with IT security firm SecurityScorecard, which grades businesses’ security across a range of factors, to look at new ways of gauging rated entities’ exposure to cyber risk.

“It definitely gives us insights we never had before,” he said. Moreover, cyber risks have both a financial and a non-financial component, with potential impacts on customer welfare, privacy and data security; and on operational governance.

“It could have implications on the credit rating and the ESG scores,” he said.

The question it was putting to companies’ management, he said, was “where do you look weak from the internet’s perspective?”
