Cyber Risk Trends
Cyber and Technology | Podcast | October 6, 2023
Air date: 3/22/23
Record date: 2/20/2023
Over 70% of global companies experienced some form of ransomware attack through 2022 and approximately 60% of small businesses impacted by a cyberattack in the U.S. have gone out of business within six months of that attack. Michelle Chia, Head of Professional Liability and Cyber for Zurich North America, and Stephen Moss, Zurich Insurance Group’s Global Head of Financial Lines and Cyber, are aligned in their opinions about the issues at the forefront of business security. Listen as Chia and Moss discuss the “five pillars” of cyber resilience: to identify, protect against, detect, respond to, and recover from cyber threats that businesses face with their increasing reliance on digital technology.
Guests:
Michelle Chia
Head of Professional Liability and Cyber, USNA
Zurich North America
Michelle Chia is the Head of Professional Liability and Cyber at Zurich North America, where she manages profit and loss for the Technology, Manufacturing and Miscellaneous Professional Liability and Cyber portfolios. In addition to industry engagements, she has collaborated with regulatory and defense stakeholders to build awareness and public-private partnerships to encourage cyber resilience.
Stephen Moss
Head of Financial Lines and Cyber
Zurich Global
Stephen Moss has an insurance career spanning 25 years, holding various senior positions as both a broker and underwriter in the London market and specializing in a wide range of long-tail insurance products. He joined Zurich in 2017 as Head of Specialties in the UK and was promoted in 2022 to Global Head of Financial Lines and Cyber.
Host:
Stephani Gordon
Executive Employee Communications Business Partner
Zurich North America
As part of the Zurich North America Communications team, Stephani Gordon finds and shares stories by asking questions that connect people with ideas to pique curiosity, broaden awareness and create communities. Fondly considered a compassionate interrogator, she has coached executive communications for the CEOs of Zurich North America and Zurich Canada, led C-suite video productions and connected employees with corporate strategy through storytelling and engagement. In addition to hosting this podcast, she unabashedly admits to spending too much time on TikTok in the guise of “anthropological study.”
Episode transcript:
STEPHANI GORDON: Hi. Welcome to the Zurich North America Podcast, Future of Risk. Today we're going to explore the topic of cyber risk for businesses, trends in cyber threats, and the future of cyber insurability. My name is Stephani Gordon. I'm one of the Future of Risk podcast hosts, and I'm joined today by our North America Head of Professional Liability and Cyber, Michelle Chia and Stephen Moss, Zurich's Global Head of Financial Lines and Cyber from our London office. Stephen and Michelle, welcome.
MICHELLE CHIA: Hi, Stephani. Thanks for having us today.
STEPHEN MOSS: Hi, Stephani. Thanks very much for having us. Pleasure to be here.
GORDON: Thank you. So, it's not news that the accelerated adoption of and reliance on digital technology has expanded cyber risk. We know that malicious actors are increasingly sophisticated in the techniques that they're using to launch cyber-attacks that can slow down or even shut off a critical business process, which disrupts our business. And we also see attacks that result in data theft or extortion against the publication of sensitive data. So, as a result, we saw actually cyber crime and cyber insecurity climb into the top 10 list in the Global Risks Report that we released earlier this year for the first time in 2023. So, Stephen, why don't we start by having you kind of lay the framework for us by defining cyberattacks and ransomware from a business perspective, so we're all kind of on the same page with what that means. What does that look like, and can you share some examples with us?
MOSS: I think it's probably worthwhile just tracking it right back to basics in terms of what is a cyberattack. You know, to me it's really looking at any attempt by an unauthorized party to gain access to a computer system or network with the intent to cause damage. And that damage could come through in numerous ways in terms of disabling or destroying access to that network or computer or stealing or at least threatening to steal some of the data that's stored within it. Once you've kind of got over the definition of the cyberattack, you then start to look to categorize the different levels of cyberattacks. Really to me, that falls into two main categories: We have untargeted attacks, which are really indiscriminate in nature. It's what I'd call a scattergun approach through which attackers will look to kind of expose vulnerabilities across multiple different systems, across multiple different sectors. And ultimately, they're completely agnostic in terms of who the end victims are. That compares against targeted attacks, which by the very nature of the definition are much more targeted in nature. These attacks are looking to exploit specific vulnerabilities against a specific company or segment of the market. These tend to be much more complex and sophisticated in nature, largely because they're tailor-made around the specific notion sort of attack.
GORDON: They know what they're going for.
MOSS: They completely know what they're going for. Okay. I think there's an element here of… because they're more complex in nature, the expected payout for instigating an attack of that nature is that much greater. Ransomware, you mentioned, is one of the growing trends in the market and one that we've seen really drive a significant change in the cyber insurance market. But ransomware itself is no different to any other attack. I think the only difference with ransomware is the fact that it could be untargeted and it could be targeted. But the threat remains the same in terms of it is a threat to effectively instigate some form of malware against a company unless a specific ransomware payment is made. And that payment is usually demanded in some form of cryptocurrency, which as we all know, is pretty difficult to trace at the best of times.
CHIA: So Stephen, that was actually quite funny. I've never heard the phrase scattergun. I think in the States we call it a shotgun approach as opposed to the sniper approach. And just to add a bit more visual to this…not that that's not visual already…so back in 2013, 2014 in the United States, we did see a lot of big box retailers get hit by bad actors. So that's an example — you asked for examples earlier — where these criminals found security vulnerabilities in the payment card chain and lots of credit card numbers were stolen. We found some instances that these credit card numbers were sold on the dark web for pennies on the dollar. The other example that Stephen had mentioned was the trend around using highly useful login credentials to shut down networks and systems. So, whether that was a shotgun approach or scattergun approach, or the sniper approach — initially the ransomware situation started as a sniper approach to target organizations that were perceived as deep pockets. We've seen some of the ransom negotiation correspondence and actually it's quite wild. But there was a common theme back in the 2018, 2019 time period where these attacks would come in on a Friday night or during a holiday weekend. Not sure if that was an American thing or not, but it seemed like a lot of the American holidays that I observed in the States, whether it was July 4th — Independence Day — or otherwise were quite ruined unfortunately. But that was because it was commonplace, at the time, to have cybersecurity or systems monitoring that was more following the nine to five, five days a week rather than the 24 hours a day, seven days a week. And we'll talk about that from a resilience standpoint later on, but just wanted to add that American spin to it as well.
GORDON: That's interesting that they were preying on that vulnerability, actually. You know, I'm curious Stephen, did you see any kind of a similar trend where you are from either in the UK or from a global perspective?
MOSS: Yeah, certainly. I think the regulation was certainly led by the U.S. in the early days of cyber as it kind of evolved. That regulatory kind of intervention — particularly around some of the retailers and credit card information — that took a little bit of time to catch up elsewhere. But it's certainly very similar trends that we're seeing outside of the U.S. now on a worldwide basis from what we've routinely seen in the U.S. I think the other thing I would say is that unlike a lot of other insurance lines of business, cyber is very global in its nature. It tends not to target individual companies or individual countries as such. You know, the impact of a widespread untargeted cyber event is global in its nature. And to give you another example, WannaCry back in 2017 was probably one of the first truly widespread vulnerabilities that spread very, very quickly through our operating systems, and really spread down to very little human intervention as well. So, I think that's a really good example of something that can spread very, very quickly in that targeted way on a truly global scale.
GORDON: It's interesting when you think about they're preying on whatever is vulnerable, that it's not so much targeted, makes it almost feel like anyone is potentially a victim, which is unsettling. So, it's funny because the examples both of you gave are relatively recent and it reminds us that this is actually not that old of a threat. It's still an emerging threat and a developing threat. Can you talk a little bit about what you're seeing in terms of increases in this particular risk? You've both mentioned 2017, 18, 19 … it's not very many years ago. So, what's the exponential increase? And can you quantify that in any way?
MOSS: Yeah, I think from my perspective, certainly one of the big drivers of change in this market has been ransomware. Ransomware is nothing new. It's been around for many, many years. But I think the scale of ransomware attacks, both in terms of frequency and severity increased exponentially really starting in 2019, but probably peaking around 2021 with that ransomware side. We saw an increasing amount of average settlements and average payouts in terms of expectations of what those attacks were worth from an attacker's perspective. But also, I think we saw an interesting level of complexity in terms of how those attacks were actually perpetrated. Unfortunately, cyber is such a fast-moving market, the threat of yesterday isn't necessarily what we're going to see tomorrow. The only constant that we've seen is very much that the level of complexity in all of these attacks is increasing over time.
CHIA: Yeah, and to add to that, the monetization or the commercial viability of this type of risk has just continued to increase. As cyber risk evolves, it just creates that opportunity for better or for worse. We've seen the headlines, we've seen the statistics, and there's one that's quite bone-chilling that I'll add in here: Approximately 60% of small businesses — and this is based on a poll in the United States — approximately 60% of small businesses have gone out of business six months after being impacted by a cyber event.[1]
GORDON: Wow.
CHIA: So cyber resilience is critical for organizations.
MOSS: Michelle, I'll just chip in with some of the stats that we've got from a global perspective as well. And I think, you know, the survey that you mentioned at the start, Stephani, made reference to the fact that over 70% of global companies experienced some form of ransomware attack through 2022.
GORDON: 70%?
MOSS: That gives you a sense of the scale of the problem that is potentially out there.
GORDON: Those were amazing statistics and to your point, Stephen, I think I agree. How is the insurance industry responding? Are we able to keep pace with this or not?
CHIA: Given our reliance on technology as a society, Stephani, and how interconnected we are today, cyber resilience is a must. Risk mitigation (the methods organizations can use to avoid, minimize or recover swiftly from a cyber event) is first and foremost. Cyber insurance is one part of risk management, but it should be used when all else fails.
GORDON: Okay, can you talk a little more about what that means?
CHIA: Sure. We're going to be talking about the NIST framework in a little bit and the NIST framework helps us think through the best practices an organization can employ. There are five pillars in the NIST framework: identify, detect, protect, respond and recover. These five pillars are equally important. I can explain what each one of these pillars means, but before I do that, Stephen, did you want to chime in as well?
MOSS: Yeah, sure. I think it's probably worthwhile just tracking back in terms of looking at some of the market dynamics, you know, looking at how the cyber market has evolved in terms of the demand for the product and the market. We're seeing a huge influx in terms of not just the level of interest in cyber insurance, but also the amount of new customers that are looking to purchase cyber insurance for the first time. And as Michelle says, I think a lot of that is down to the adoption of technology in the global business market that we all operate in. I think remote working has a certain element to that, the increased use of cloud computing, digital transformation, and the hot topic on everyone's lips is data at every juncture we look at. But also, I think there's growing demand as a result of some of the increased awareness. You know, we've touched on some of the regulatory developments around the globe. But also, very rarely do you get to open a newspaper these days without some horror story of the latest cyberattack or ransomware payment that's going through. So, I think that awareness in terms of not just regulatory developments, technology developments, but also the fear factor of the threat actors that are out there now is really helping fuel that demand. And to answer the question, “Has the market kept up?” I think the market has done a pretty good job of keeping up, considering the exponential increase in demand for these products. The insurance market for cyber has been around for 20-plus years and during that time, we've offered some really good valuable protection for clients and customers at a time when they've needed it most. I think the recent challenges around ransomware have marked a change in the cyber insurance market, not least in terms of some of the capacity availability and pricing that the market is looking to charge, given the change in underlying risk that the market has seen as a whole.
But also, I think it would drive some pretty fundamental change in terms of using some of the data that we've collected over the last 20 years to really start to drive minimum standards and raise the bar in terms of insurability of customers. And I think that really lends into what Michelle's just said around cyber resilience. The market is really going to look to differentiate their risk appetite and look to give greater credit for cyber resilience as we look to price cyber risk going forward. And I think more in the medium term, it opens up a grown-up debate around systemic risk in the market. How do we assess systemic risk? And also, how do we start to define systemic risk, which is inherent in all cyber insurance that's written at the moment.
GORDON: I appreciate that clarification and let me tie a couple things together and ask another question. You mentioned the statistic that 70% of businesses have experienced a cyberattack, that we're seeing an exponential increase, for instance, in ransomware, and that the nature of cyber risk is really evolving and the pace is evolving. So, do we reach a point where cyber becomes uninsurable?
CHIA: I guess that question is directed at me, and you gave Stephen all the easy questions to start with [laughter], but the answer is “no, but yes, but no.” So let me clarify. Okay. So yes, cyber risk is evolving. We've come a very long way, too, if anyone remembers ICQ or AOL, Yahoo Messenger … we are more connected today than we ever were. And as cyber risk evolves, we are able to identify and differentiate between quantifiable and unquantifiable risk, particularly unquantifiable systemic cyber risk. You're going to hear me slow down my speech because there are some tongue twisters here and I'm a little bit nervous about this whole “Peter Piper picked a peck of pickled peppers.” But, let me give you an example of quantifiable cyber risk, because I believe that's probably going to be the next question you throw at me. So, credit card data that was not encrypted and was shared with the public — as simple as that — kind of pointing back to one of the examples we shared earlier on. Then the next question is, what is quantifiable systemic cyber risk? So, something like malware or a widespread virus that can be defended against commercially, and that is key. Commercial cybersecurity tools exist; organizations can invest in protecting themselves using commercially available cybersecurity tools to avoid, minimize or recover swiftly from cyber events. Then the tongue twister here: what is an unquantifiable systemic cyber risk? I'm going to get better at this each time I say it. So, events where perhaps military-grade tools are used to perpetrate acts to cause economic or social disruption with very little or no means of remediation. For example, cyber warfare, cyber terrorism, linked to nation-state actors and certain types of critical infrastructure failure. One of the things that we are talking about quite robustly these days is that unquantifiable systemic risk will not be insurable in the traditional cyber risk transfer market.
GORDON: Can you define unquantifiable? When you use that, what do you mean?
CHIA: Unquantifiable, at its core, means something that cannot be calculated, something that cannot be quantified. And when you attach that to a systemic risk, basically it's an event that cannot be determined, that cannot be calculated, and then the scale is even more catastrophic because it's hitting so many organizations, so many entities and individuals all at the same time that it's like a super-catastrophic event, basically, in layman's terms, and so this type of risk will not be insurable in the traditional cyber risk-transfer market, but we are encouraging and engaging in discussions to build solutions. And I want to focus on the solution aspect of this.
GORDON: Okay. Let me ask a follow-up question. Oh, I'm sorry, Stephen, please go ahead.
MOSS: I was just really going to build on Michelle's comments. I like her reference to a super CAT event and this is effectively what we're talking around in terms of unquantifiable risks here. Cyber is systemically exposed, inherently by virtue of what protection we provide, but there's a very, very big difference in terms of the protection we provide around data breach, around outsource service providers, compared to a state-sponsored attack against the society as a whole. And that's really the nature of differentiation that we are looking to make, and indeed the rest of the market is looking to make. I'm really trying to give some clarity around what we mean by systemic risks and how insurance policies should respond to them and equally perhaps how they shouldn't respond to them in the long term.
GORDON: Okay, thank you. So, that makes me think there are other types of risks that have been determined to be uninsurable for instance, and a lot of times then we see government step in. Where's the government in this conversation on cyber risk?
CHIA: A few months ago — October, 2022 — the Federal Insurance Office, which is part of the United States Department of Treasury, issued a broad request for information about the need and the challenges around building a cyber backstop. There are other governments, including the United Kingdom, that are holding talks with Pool Re and industry representatives to explore extending the UK terrorism backstop agreement to cover state-sponsored and war-related cyberattacks. The French Treasury is also engaging in similar discussions. These are just a few examples of the discussions happening on a federal level or a nation-state level across the globe to better understand what the challenges are, what the needs are, for filling this gap between what is quantifiable and what is unquantifiable systemic cyber risk.
GORDON: So, it's kind of a public-private partnership?
CHIA: Kind of. Yes, there's a question whether this will shape the way companies insure themselves against cyber threats and instead of answering that question, I'm going to just pose more questions around that question. But first a statement: I think that we on this podcast and perhaps the audience and perhaps even society at large … maybe we can agree and maybe we believe that it's not the private individual or a private organization's responsibility to defend and protect itself — ourselves — against physical acts committed by other nation-states or terrorists. Nor do we actually believe that it's the private sector's responsibility to recoup financially or to rebuild on our own after these types of physical events. So, then here are my questions for the audience … for all of you: How about when military-grade cyber weapons are used to perpetrate acts against individuals or private companies, private organizations? Do I, as an individual, have access? Do private organizations, do companies have access to military-grade defense tools in the commercial market? How are we expected to defend, protect, rebuild after these types of events? I think that the challenge around cyber is unique. There is this intangible, this invisibility component that makes it really hard for all of us to visualize one when these events are actually occurring or that it's even a possibility at all. And I think that's why I'm posing these questions. Is there a parallel here?
MOSS: I agree entirely with that, Michelle, as well. I think it's good that we're raising these questions in conjunction with our other peers in the market to kind of proactively address some of this now, before an event happens — let's hope it never happens — but at least we're being proactive about it now. And equally, I think it refocuses the conversation on what we can do in the market … going back to the quantifiable risk and how we work with customers and clients in terms of improving that cyber resilience such that it's not just a risk-transfer product, but it's a whole suite of risk-management services and risk transfer that we're selling. So, I think to have the conversation I've mentioned earlier … the grownup conversations around unquantifiable risk now is the right one to have. I'm not too sure anyone's got the right answer as it stands now.
GORDON: I appreciate both your perspectives and thank you for posing those questions. And like you said, it's an ongoing conversation that merits a lot of attention and open conversation — dialogue, grown-up conversation. I want to go back for a second. Michelle, you started to talk about mitigating strategies and a framework. So, let's talk about what companies can do to protect themselves a little bit. I'm curious whether that depends on the size of the company, where they're domiciled. The two of you potentially have different perspectives on that. I think we want to talk about the National Institute of Standards and Technology Cybersecurity Framework. Did I say that right? It's my own tongue twister.
CHIA: You got it. I referenced it as the NIST framework earlier but thank you for clarifying the acronym. It's the National Institute of Standards and Technology. Okay, the cybersecurity framework in particular, this is a framework that was put together in the United States, but surely it transcends the local component, the regional component. It can be used globally. There are five pillars. I'm raising my hand right now for those listening in. You can't see me, but you can certainly hear me. And every time I reference the NIST framework, I identify it by the five pillars: identify, protect, detect, respond, recover. And each of these pillars is equally important for a company's resilience. Each of these measures an organization's maturity. It doesn't matter what size, what industry you're in, it's more a framework by which you can measure your sophistication, your maturity. And they are fairly simple to follow. They go by the name and the names are very descriptive. With “identify,” what parts of your system, your networks are critical to your organization's operations … what data can you not operate without? So, that's just identifying what is critical, highly important, and also going down the variation all the way to you. It's data that you hold in your care, custody and control. Then you have “protect.” How are you protecting those critical aspects that you've previously identified and all the other levels of criticality or less critical systems, networks, data? “Detect.” How are you monitoring the activity impacting the aspects of the system that you've identified? I've previously mentioned that 24-hours-a-day, seven-days-a-week monitoring. It's important. We all know that is important because there is no time component to cyber events. Then “respond.” If you've detected anomalous activity because you're monitoring your systems, your data, 24-7 … if you see something that you don't expect or that looks like it's unauthorized or out of the norm.
How quickly can you isolate, minimize, mitigate that intended activity? Is it four minutes? Perhaps it's four hours. Perhaps it's four days, four weeks, four months. This may determine your organization's ability to “recover,” which is the fifth pillar. What processes and procedures are in place to remediate against or after the damage has been done? Data shows that organizations with cyber incident response plans, disaster recovery plans — those who practice these plans, who follow these plans when something happens — are more likely to continue business operations and recover more swiftly. So, all these five pillars speak to resilience, not just for cyber, but it's been developed for cyber in particular to help organizations regardless of their cyber resilience journeys, despite their size — for them to be able to be resilient and march towards that cyber resilience maturity.
GORDON: That framework helps a lot. Stephen?
MOSS: Yeah, I think transparency around those guidelines in terms of how companies are actually executing on that as well — being transparent with us as insurers and others in the market — will certainly help in that journey that I mentioned earlier around positive risk differentiation, particularly around that cyber resilience piece. And proactively giving credit for those companies that can demonstrate their risk management techniques and you know, how they would respond in the event of a cyber incident. I think the other aspect I'd add to that is, once there is an instance, it's really important to learn from it as well … post-event looking backwards. There's always lessons to be learned and that kind of ongoing risk management review of best practice, patching, security, et cetera, is really vital in addition to training employees, which is quite often a source of attacks of this nature as well.
GORDON: Those who do not learn from their mistakes are doomed to repeat them, right?
MOSS: There's a habit, unfortunately, of history repeating itself.
GORDON: I appreciate your perspectives on that and, like I said, I think the framework is really a helpful visual, even if we can't see it on your fingers, Michelle. But one final question we'd be remiss if we didn't ask: If a company does experience a cyberattack or a ransomware attack or something … what should they do? And probably most importantly, what's the first thing they should do?
CHIA: I'll jump in here, even though my response might sound like a copout, but just bear with me for like five seconds and hear me out. So, the first thing I would say is, check your analog incident response plan/disaster recovery plan. There are different types of events and hopefully you have planned for all these types of events — maybe not all, but at least a couple of different scenarios. And the response that you engage in will depend on the nature of the event. Law enforcement may be needed in certain circumstances. So, in those specific circumstances, definitely engage with law enforcement, connecting with your cyber breach coach in the United States, at least. Because they are typically attorneys, law firms … it's important to engage earlier on in the process in the United States to help with maintaining that privilege. But this is a good time for a plug. You need to print out your incident response plan and or the phone numbers you need for the individuals you must call immediately and put that on your bookshelf. If your systems go down, you might not be able to access the documents on your laptop, your network, your cell phone, et cetera. We are so reliant on technology, but if your systems are down, you won't be able to access any of these plans. No matter how well put together they are, no matter how much you've practiced them, unless it's printed, you won't have access to it. So please, please, number one thing to do: print it out.
GORDON: That's interesting. We are so reliant on our technology, we take it for granted … that it will always be there, but if it's the target of the attack, then that’s not going to be an option. Can you define … you mentioned a phrase I've never heard before. I think you said, “your breach coach.”
CHIA: Yes. So, a cyber breach coach.
GORDON: Does everybody have one of those?
CHIA: Everyone should definitely have one. It's like a life coach, but a breach coach, right? So cyber events, they are a dime a dozen and breach coaches — they go by varying names —they're basically individual [in] organizations that can help you step by step. Sometimes they get involved with helping you to develop that incident response plan or the disaster recovery plans in advance of that event actually impacting you. They can also help you practice through tabletop exercises. But at the end of the day, they are like a coach. They help you through the situation. There are going to be different variations of events. You could have a data breach or you could have a ransomware event or you'd have “insert name” of any other type of cyberattack. And because these breach coaches have been through thousands of events, they are prepared to help you through the unique circumstances. It might be your first time or your second time through a single type of cyber event, but they've been through thousands and can help you through those events.
GORDON: Is that unique, Stephen, to the U.S. or is that something that you would see from a global perspective as well?
MOSS: Yeah, I mean certainly in terms of accessing incident response services, that's very much a global phenomenon and something Zurich offers, in addition to the risk transfer, but also on the Zurich resilience services that we put out there. But going back to Michelle's point, I certainly think having a plan of action and executing on that plan — thinking of every eventuality, knowing everything normal is cut off at that point, practice runs and everything else like that — adds up to so much value. And when the time comes and — given the loss trends that we're seeing, that time will come — and those that are more prepared and have more security measures on there — they're [experiencing] less of an impact that has on the business, and the quicker you can get back up and running without any long-term detrimental impacts.
GORDON: Very good. Well, thank you so much for the discussion today and for taking the time to share your expertise on a topic that I'll say is unsettling at best, but important — as you've reiterated — to have conversations about. So, thank you so much for being part of the conversation.
CHIA: Thanks for the opportunity, Stephani.
MOSS: Thanks very much.
GORDON: And to our listeners, thanks so much for joining us. We'll look forward to serving up the next edition of Zurich's Future of Risk podcast soon.
References
1. Johnson III, Robert. “60 percent of Small Companies Close Within 6 Months of Being Hacked.” Cybercrime Magazine. 2 January 2019.