So, what did we learn about cyber risks in 2020?

First, ransomware events didn’t slow down in 2020. Instead, things got worse, a lot worse. The market experienced a substantial increase in the volume and severity of attacks, along with an increase in the ransom amounts demanded. The Bitdefender Mid-Year Threat Landscape Report 2020 highlights a seven-fold year-on-year increase in ransomware reports, while according to the Ponemon Institute, the average cost of a ransomware attack is $4.44m. Alongside the ransom demand itself, the interruption to business activity, including costs to restore systems, has had a material impact on the overall cost of the average incident.

These increases were caused by several factors. Covid-19 themed phishing emails became an effective means of penetrating network security. Throughout the pandemic, fear of Covid-19, social isolation and more time on the computer gave hackers plenty of material to create clickbait. This notice from the US government FinCEN Notice, FIN-2020-NTC4, December 28, 2020 is an example of the concerns with these attacks. Ransomware became a commodity; more threat actors were involved than ever before and distribution of malware exploded. For a criminal it became a perfect business: carried out from anywhere in the world, ransoms paid into untraceable Bitcoin accounts, and increasing ransom amounts paid by nervous businesses.

Second, network security grew more complicated. A surge in working-from-home employees stressed company networks and gave IT executives headaches as they tried to manage and secure their company’s infrastructure. To top it off, cyber threats kept evolving. In the recent past, most companies were concerned with securing their data. In 2020 that challenge remained but became linked with the task of fighting ransomware attacks. As hackers became more sophisticated, regulation, enforcement and protection tried to keep up.

To meet these challenges, CIOs needed help and additional funding to build better, more secure, networks. Costs involved in the management of compliance and financial protection. Internal cyber security rocketed as firms built bigger and more knowledgeable cyber teams to protect their assets. The 2021 Global Digital Trust Insights from PwC provides some examples of this.

The financial challenges companies faced as a result of Covid-19 prohibited the expansion of IT budgets in 2020, and in some firms budgets were reduced. As the growth of cybercrime accelerates, this portends challenging times for IT executives.

Third, governments took a more active role in enforcement and regulation of cyber risks.

Regulation

In Europe, in 2018 the GDPR (General Data Protection Regulation) was formed to create standardisation across the EU, providing greater control of a person’s data by individuals, instituting fines and penalties against companies that violated the GDPR, and creating stricter reporting requirements. The focus of regulation in Europe, at least in terms of the GDPR, has been on creating secure and responsible IT platforms. It is not so much about sanctions and terrorists, but more about the accountability of organizations to protect their data and report breaches promptly.

Other cyber regulations across the globe have been passed in recent years. In the US, the California Consumer Privacy Act created the beginning of a strong state regulatory framework. FISMA (Federal Information Security Act) and FISMA2014 requires individual federal agencies to adopt certain procedures to ensure cyber security. In Asia in 2015, Indonesia and Singapore each introduced cyber agencies, while Japan enacted the Cyber Security Basic Act. In 2020 Brazil enacted the Lei Geral de Proteção de Dados (or “LGPD”) which was closely modeled after the GDPR.

Enforcement

This year, even before the attack on SolarWinds, the US Treasury’s Office of Foreign Assets Control (OFAC) issued an October 1 advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” OFAC observed that companies involved in facilitating ransomware payments on behalf of victims should consider whether they have regulatory obligations under the Financial Crimes Enforcement Network regulations.

The advisory did not change any previous guidance in relation to ransomware events. Rather it was a reminder to US companies and cyber insurers that the existing US regulatory framework applied to ransomware events.

Enforcement under the GDPR has been very active, and fines involving data protection have increased. Over 220 fines were handed out for GDPR violations during the first ten months of 2020, with the total amount of fines issued exceeding €175m. In 2020, Google received the biggest fine (€50m).

Fourth, cyber is an interconnected global risk. There have been many calls for global standards and better regulation - businesses need clarity to operate efficiently. But because the cyber world is constantly changing, that world is hard to regulate. Regulations written today may not address emerging issues in two years. As cyber problems become multi-jurisdictional, data breaches and attacks must be reported in many different jurisdictions, each having their own regulations and reporting timeframes.

Global regulatory standards are in their infancy, and governments are at different stages in the sophistication of their cyber regulation. In the EU, GDPR provides one organization to regulate a multitude of countries. The United States is more of a hodgepodge, complying with state and federal regulations often makes things more complicated.

With no borders for cyber, and with global regulatory standards some way off, dealing with cyber threats remains a complex issue. To successfully manage their cyber regulatory issues risk managers will need to work closely with their compliance, legal and IT groups.

Fifth, cyber security remains an unappreciated risk by many businesses. Many firms don’t buy cyber coverage. Cyber insurance is often seen as a ‘nice to have’ and cyber losses are something that other businesses experience. Today, the cost of purchasing a cyber policy is money that risk managers may not have when faced with the rising costs of other insurance programs they need.

The impact of this is that hackers attack the sizeable pool of companies who ‘hope for the best’ but may not have installed the cyber security they need. Hackers use the element of surprise and lack of preparation of these firms to their advantage. Consequently in 2020 cyberattacks continued to rise, and ransomware payments reached an all-time high. Conversely the appetite for cyber insurance grew only moderately.

Conclusion: It’s hard to predict what will happen in 2021 – the cyber world just keeps evolving - but some safe bets are that:

• The cost of network security will become a larger portion of the CIO’s budget as firms digitise their operations. Cyber risks are getting bigger, and as firms rely more and more on technology, they will spend the money to protect themselves.
• The impact of government cyber regulations will increase because of:
  • New reporting requirements under new regulations
  • The increased cost of maintaining and complying with cyber regulations
  • Fines and penalties assessed for the breach of cyber regulation.
• Ransomware attacks will continue to accelerate until the payment of ransom becomes illegal or companies put more resources into cyber security. Today there are few impediments to their growth.
• Because of the above and need for higher limits, the cost of cyber insurance will increase.

By Thomas Ripp, global claims head, specialty lines, ‎Zurich Insurance Group, published online by Commercial Risk Online on January 29, 2021