2022 Cyber Landscape
According to the Allianz Risk Barometer 2022, cyberrisk is this year’s top global business risk, with respondents rating it higher than business interruption, natural catastrophes and pandemic outbreaks. As we kick off 2022, the overarching theme of the cyberrisk landscape can be summed up in one word: more. While there are always new cybersecurity threats to keep risk management professionals busy, some of the biggest risks for enterprises this year are not that new. Instead, they are even greater in number and severity—more ransomware, more business interruption, more money on premiums, more scrutiny, more attack vectors, and more regulation.
However, this also means there is more focus on the assessment, reporting and management of enterprise risk, and a greater need for strong risk management. To help ensure you are more prepared to protect your organization, report to your board, and hold up under scrutiny from your underwriters, these are the top risks and trends in cyberrisk to watch out for in 2022:
Ransomware Wreaks More Havoc
No discussion of the cyberrisk landscape would be complete without mentioning ransomware. Allianz found ransomware was the top-rated cyberrisk of concern for businesses—and deservedly so. According to researchers from Check Point Software, ransomware attacks increased 93% from 2020 to 2021. By October, the firm reported that one out of every 61 organizations globally was impacted by ransomware each week. Last year also saw the highest (publicly disclosed) ransom payment to date, with insurer CNA Financial paying cybercriminals $40 million to unlock the firm’s data and regain control of its network. In 2022, these attacks will continue, resulting in significant business interruption, financial losses, third-party damage and, in some cases, even public safety threats in the event of attacks on critical infrastructure and health care.
The widespread damages and financial toll will also continue to fuel dramatic changes in the cyber insurance market, including rate increases and coverage exclusions specific to ransomware. “The hardening of the cyber insurance market and the prevalence of ransomware attacks go hand in hand since one (ransomware) is largely responsible for the other (market hardening),” said Tim Zeilman, global cyber product owner at HSB. “While neither trend will last forever, I expect both trends to continue through 2022, driven primarily by the continued attractiveness of ransomware as a business model for cybercriminals.”
This year, expect to see many twists on the threat, including the continued practice of double extortion, wherein cybercriminals not only lock access to systems, but also exfiltrate data and threaten to expose it. We will also continue to see attacks at the intersection of ransomware and the software supply chain, such as the attack on managed service provider Kaseya last July that impacted about 1,500 of their customers.
Supply Chain Attacks Increase Third-Party Risk
In 2021, Kaseya joined SolarWinds as a vivid example of the risks inherent in the software supply chain, demonstrating how cybercriminals can dramatically and efficiently broaden the impact of attacks by targeting service providers and software.
“A critical aspect of addressing cyberrisks is understanding third-party exposures from third-party vendors, including IT service providers, customer relationship management tools, online project management software, cloud computing providers, website design firms, and more,” said Shawn Ram, head of insurance at cyber insurance and security firm Coalition. “Third-party vendors often have access to their clients’ networks and, therefore, the personal information of their clients’ customers and employees. In many cases, these vendors also have access to update software on their clients’ systems and are trusted sources of links, files and other attachments capable of distributing malware. As a result, if a vendor experiences a security breach, their clients may be impacted, leading to a data breach (for which their clients are responsible), fraudulent funds transfers, and network outages caused by ransomware.”
According to IBM’s 2021 Cost of a Data Breach report, vulnerabilities in third-party software are the initial attack vector in 14% of breaches and cost businesses an average of $4.3 million a year. In addition to being perilous and pricey, these attacks can be difficult to predict and protect against.
“These kinds of attacks are particularly troubling for cyber insurers because the attackers aren’t taking advantage of a security deficiency that exists at the insured company (and might be discoverable by a diligent underwriter), but rather are breaching the insured through a trusted third party,” Zeilman said.
In addition to products from targeted vendors, open-source software that is incorporated into other products and websites can pose significant widespread risk. This became very clear in December, when a common piece of open-source software called Log4j made headlines as hackers launched millions of attacks through a previously unnoticed vulnerability. Log4j is a Java-based logging utility that is widely used in apps and services, from consumer-facing products like the popular game Minecraft to companies’ back-end systems. The vulnerability, called Log4Shell, allows remote code execution, meaning attackers can load malware remotely and completely compromise a machine with surprising ease. There is now a patch, but those without it installed are still at risk, and similar attacks are likely to come.
Regulators Focus on Cyber Governance Failures
Following disclosure of the Log4j vulnerability, the Federal Trade Commission issued an official warning that it would pursue legal action against organizations that fail to secure customer data against the newly publicized threat.
“The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” the agency wrote. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
This heightened scrutiny is not limited to Log4j. The FTC announced plans to apply similar rigor in holding organizations accountable for their handling of other publicly disclosed cybersecurity vulnerabilities moving forward. The agency warned, “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
In the alert, the FTC pointed to the Equifax mega-breach that resulted from a failure to patch a known flaw in 2017. The incident ultimately led to a settlement of over $700 million with the agency and individual U.S. states, presenting a vivid reminder of the massive financial stakes companies could face.
The specter of regulatory trouble is not only coming from the FTC. The Securities and Exchange Commission and New York Department of Financial Services are among many other regulators looking to hold boards and executive leadership accountable for cyberrisk governance. Companies should expect to see increased regulatory scrutiny over their handling of known cyber vulnerabilities in the months ahead. At a minimum, failures to act on cyberrisk vulnerabilities will invite considerable scrutiny and potentially costly investigations, regardless of whether fines are ever levied.
The Hardest Market Gets Harder
At July 2021 renewals, cyber insurance rates soared 30% to 50% or more, particularly in certain lines of business or depending on the insurer’s experience. This year, the P&C market’s hardest line is only getting harder—if you can even obtain coverage. Insurers continue to constrict capacity, and rate increases are accelerating, with Willis Towers Watson’s Insurance Market Realities 2022 reporting that increases have spiked over the past three renewal cycles “from +10% to +30% a year ago, to +25% to +50% in the spring, and now for 2022, +50% to +150%.”
On the positive side, these brutal market conditions underscore the role of mature risk management as a key differentiator with concrete financial value for organizations, as companies see even more drastic variation in these rate hikes based on risk profile and risk controls. “The two-tiered marketplace…remains a reality in many lines of business: conditions are better for better risks and tougher—sometimes quite a bit tougher—for less attractive risks,” WTW noted. “The risk manager’s job of distinguishing his or her organization’s risks in the marketplace is more demanding than ever. More data and better data are required and expected, and the information must be presented in a way that is clear and compelling.”
As a result of market conditions and large-scale losses from cyberattacks, there may be dramatic changes in store for insurers as well. “Insurers have been collecting small premiums while facing near infinite risks,” according to Forrester’s insurance industry analysts, who predicted “at least one top 10 cyber insurance carrier will cease writing new business and selectively run off existing business in 2022.”
Whether or not that proves true, many cyber insurers are significantly pulling back on their activity in the market. Risk professionals last year reported dramatic increases in underwriter scrutiny and premiums, as well as notable exclusions and lower coverage limits. While having adequate coverage for cyber-related losses is unquestionably more important than ever, risk professionals should also expect more difficulty in procuring or renewing that coverage this year.
Targeting The Home Office Ecosystem
Cybersecurity among remote employees has proved a key issue throughout the COVID-19 pandemic, and home networks and off-site cyber hygiene will continue to present risks this year. In the Allianz Risk Barometer 2022, 34% of respondents said IT vulnerabilities due to the growth in remote working were one of their biggest cyber concerns for the year.
“Many organizations were forced to change how their core operations were performed due to pandemic lockdown restrictions,” said Raf Sanchez, global head of cyber services at Beazley. “Often, this meant hurriedly allowing operations to be made accessible remotely for home-workers. Unfortunately, this also meant that some organizations did this without sufficient preparation or understanding of the greater risks to which this exposed them, and many inadvertently opened the door to cybercriminals who moved fast to exploit staff, processes and networks that were suddenly exposed.”
Sanchez added, “With many organizations stating that hybrid and remote work is here to stay, attackers are continuing to exploit this attack vector even more efficiently.”
To protect against this risk, it is critical to prioritize endpoint management and protection, as well as employee cybersecurity education. If you have not already, it may also help to revisit and update the organization’s policies and procedures to include detailed instructions on cyber best practices in home office environments and to educate employees on how risks may differ while working remotely.
Mobile devices are one of the threat vectors that will continue to pose increased risk in remote work environments. As personal devices are increasingly used to access work systems, and users tend to relax security best practices on these devices, cybercriminals are increasingly exploiting this entry point to launch attacks. According to Check Point Software’s Mobile Security Report 2021, almost every organization faced at least one mobile malware attack in 2020, and 46% of organizations had at least one employee download a malicious mobile app that threatened their organization’s networks and data.
Sophisticated SMS-based phishing campaigns are also becoming more common. Many of these campaigns capitalize on consumer trends amid the pandemic or simply on how busy people are when they check their phones during the work day. Those phony text messages claiming you have a package out for delivery and should click an anonymized tracking link are more than just a nuisance; they pose concrete threats to the enterprise, and more of those risks will materialize this year.
Burnout Breaches on the Rise
Two years into the pandemic, many are simply stretched too thin to face more challenges. The result is not just a human crisis, but a security one as well. In the recent report The Burnout Breach, security firm 1Password found 84% of security professionals and 80% of other workers feel burned out, and burned-out employees are more likely to ignore or circumvent security protocols. Burned-out employees are a third less likely to follow their company’s security guidelines (59% vs. 80%), and are more likely to use “shadow IT,” with 60% more burned-out employees creating, downloading or using software and apps at work without IT’s permission compared to those who are not burned out. Amid the Great Resignation, 1Password also found “‘ready to resign’ employees are 50% more likely to say convenience is more important than security at work.”
“Pandemic-fueled burnout—and resultant workplace apathy and distraction—has emerged as the next significant security risk,” said Jeff Shiner, chief executive officer at 1Password. “It’s particularly surprising to find that burned-out security leaders, charged with protecting businesses, are doing a far worse job of following security guidelines—and putting companies at risk. It’s now a business imperative for companies to engage the humans at the heart of security operations with tools, training and ongoing support to create a culture of security and care that helps us all stay safe at work.”
Attacks on Critical Infrastructure
When a ransomware attack shut down the Colonial Pipeline last year, it marked the largest attack to date on U.S. energy infrastructure and made clear the threat of cyberattacks on critical infrastructure. Previously a somewhat theoretical risk to many people, the disrupted fuel supply and lines of cars at gas stations quickly made ransomware and critical infrastructure risk seem more real to the general public.
In October, Department of Homeland Security Secretary Alejandro Mayorkas warned that “killware”—malware designed to do real-world harm or cause death—was his greatest concern and may be the next big attack trend in cybersecurity. Last February, a hacker gained access to the water treatment system for the city of Oldsmar, Florida, and attempted to change chemical levels in the local water supply. The attacker reportedly tried to increase the concentration of sodium hydroxide (commonly known as lye) to 100 times the normal level, which could have poisoned thousands of residents.
Thankfully, the system’s operator was able to reset the levels before the water was actually affected. However, the case is one example of a growing number of cyberattacks that threaten critical infrastructure and physical safety, such as attacks targeting medical devices, hospitals or power grids.
The rate and sophistication of these attacks are increasing regularly, and the move to smart cities and connected infrastructure will only compound the threat. “As digital transformations continue and ‘traditional’ verticals (e.g., civil infrastructure) shift from air-gapped to connected, we will see increased attacks not just on traditional digital networks but also on [operational technology] infrastructure, from supply chains to healthcare facilities and beyond,” said Gidi Cohen, founder and CEO of Skybox Security.
Regulators Levy Big-Ticket Fines
Regulators around the world have begun to toughen enforcement of much of the cybersecurity and data privacy regulation passed in recent years. The lofty fines long anticipated under GDPR appear to have finally materialized in 2021, with European regulators handing down record penalties under the EU’s data protection law. In July, Luxembourg’s data protection authority levied the largest fine to date under GDPR, charging Amazon €746 million (about $846 million) for violating personal data processing rules, compared to the previous record of €50 million imposed on Google in 2019. According to data compiled by Finbold, GDPR fines totaled almost €1 billion ($1.13 billion) in the third quarter of 2021 alone—a sum 20 times greater than the total from the year’s first and second quarters.
On January 6, French regulators fined Google and Facebook over €200 million for not making it as easy to opt out of online tracking as to accept it, and threatened daily fines of €100,000 if the issue is not addressed for French users within three months. Judging by just the first week of 2022, the trend of surging fines will continue through the new year.
Deep Fakes Fuel Voice Fraud
Advances in artificial intelligence and machine learning technologies continue to facilitate the creation of increasingly realistic “deep fake” videos with greater ease at little to no cost. Cybercriminals are now successfully exploiting deep fake technology in the wild, and the use cases include troubling moves to undermine a common cybersecurity safeguard: voice.
Voice verification has been considered a key safeguard against social engineering attacks including funds transfer fraud (“CEO impersonation” or “traveling executive” schemes), and often plays a role in other security protocols to authenticate user accounts. In turn, advances in deep fake technology present significant risks for organizations, and the increasing ease of execution is rapidly broadening the range of enterprises that may fall prey to attacks.
In a 2020 case that came to light last year, fraudsters used AI-based technology to dupe a Hong Kong bank manager into authorizing $35 million worth of money transfers. The criminals used “deep voice” technology to clone the voice of a company director with whom the manager had spoken before, and informed him the company was preparing to make an acquisition. They then sent an email seemingly from the director and a U.S.-based attorney listing the sums to be transferred and accounts to wire funds to. Believing the requests were legitimate, the bank manager began authorizing the transfers. This is only the second such case to make headlines, but dwarfs a 2019 incident in which criminals used AI for CEO impersonation and attempted to transfer $243,000. The two cases are likely only the tip of a sizeable iceberg.
“We are currently on the cusp of malicious actors shifting expertise and resources into using the latest technology to manipulate people who are innocently unaware of the realms of deep fake technology and even their existence,” Jake Moore, a security specialist from cybersecurity firm ESET, told Forbes. “Manipulating audio—which is easier to orchestrate than making deep fake videos—is only going to increase in volume and without the education and awareness of this new type of attack vector, along with better authentication methods, more businesses are likely to fall victim to very convincing conversations.”
Reprinted with permission from Risk Management Magazine. Copyright Risk and Insurance Management Society, Inc. All rights reserved.
Written by Hilary Tuttle, 2022