Corporate leaders would be mistaken to interpret reports of fewer ransomware-related cyber insurance claims and decelerating premiums in 2022 as evidence of a diminished threat level, according to cybersecurity experts.
While the private sector and government have made some progress in the fight against ransomware, the threat is still serious and evolving, the experts warned.
“I think hackers are always going to evolve, so we can’t rest on the laurels of 2022,” John Farley, managing director of the cyber practice at Gallagher, an insurance brokerage firm based in Rolling Meadows, Ill., told CFO Dive. “We have to be able to adapt quickly to this ever-evolving threat.”
With ransomware attacks, criminals use malicious software to prevent companies from accessing their own computer files, systems or networks, and they demand the payment of a ransom to have such access restored. Such attacks can also involve a threat to leak sensitive data to the public internet.
The prevalence and severity of the problem have helped to make cybersecurity much more of a C-suite level issue within organizations in recent years, according to John Pearce, a cyber risk advisory services principal at Grant Thornton, a Chicago-based accounting firm.
“With ransomware events, you have high visibility and a very large financial impact,” Pearce said in an interview. A ransom payment decision is “very much a management decision that the CEO has to make with the CFO and other members of the management team, in consultation with board members” and external parties such as public relations experts and ransom negotiators, he said.
When it comes to preventative measures, a best practice for companies is to regularly test their cybersecurity plans and capabilities against the risks they face, Pearce said.
A total of 40 ransomware attacks were publicly reported in February, a 21% increase compared with January, according to Cheyenne, Wyo.-based cybersecurity company Blackfog. Hamburger chain Five Guys and produce giant Dole Foods are among companies that have made ransomware disclosures since the start of the year.
“It’s still a very pervasive threat, and it is not one to take lightly,” said Michael Daniel, who served as White House cybersecurity czar during the Obama administration and now leads the Cyber Threat Alliance, a Washington, D.C.-based nonprofit.
Of the 2,385 ransomware attacks disclosed to the FBI last year, 870 hit critical infrastructure organizations, according to a report by the FBI Internet Crime Complaint Center. The healthcare and public health sector was hit with the largest share of reported ransomware incidents, a total of 210 attacks in 2022, it said.
Earlier this month, the White House released a report that identified ransomware as a national security threat. The Biden administration will use “all instruments of national power to disrupt and dismantle threat actors,” as part of a broader cybersecurity strategy, according to the document.
“Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the report said.
The strategy builds on steps the federal government has already taken, including successfully prosecuting transnational cybercriminals and state-sponsored actors and imposing sanctions on malicious cyber actors, including bans on travel and denying access to money service providers, it said.
Ransomware purveyors extorted about $456.8 million from victims in 2022, down from $765.6 million the year before, according to blockchain analysis firm Chainalysis. According to Farley, multiple factors contributed to the dip, including cyber insurance underwriters demanding more security controls from their clients.
“The cyber threat landscape that we saw in 2020 and 2021 is drastically different than the one we’re seeing today,” said Farley. “Back then, we were seeing ransomware run rampant in the sense that hackers were hitting all sorts of businesses across all industries and all sizes, and that resulted in full limit losses being paid by insurance carriers.”
As a result, the cyber insurance market was driven “to the hardest place we had ever seen,” he said. “We saw rates doubling and tripling sometimes.”
The situation improved as companies — with the help of insurance brokers — worked hard to achieve a cybersecurity maturity level that would satisfy underwriters, according to Farley. That contributed toward a significant decrease in the number of ransomware claims in 2022, which, in turn, helped to stabilize premiums.
Insurance broker Marsh estimates that global cyber insurance pricing increased 28% in the fourth quarter of 2022, compared with 53% in the third quarter.
“If your conclusion is that the threat is getting better because premiums are going down, you’re going to put yourself in a bad spot in the face of a continuously escalating threat,” said Allison Pan, senior vice president of emerging risks at Marsh. “The bottom line is that the sheer threat has not gone down.”