What cyber attacks pose the biggest threats to insurtech?

By Marc Wilczek
Marc Wilczek, COO of Link11, asks: 'What do rising numbers of IT attacks mean for the insurance sector and companies?'

The global threat of cyber attacks on companies, organisations, and state institutions is increasing sharply in terms of quality, quantity and damage caused. Economic damages amounted to EUR 103 billion in 2018/19, for example, and more than doubled to EUR 223 billion in 2020/21, according to BITKOM.

In addition, the contact and mobility restrictions in the wake of the Corona pandemic "improved" the framework conditions for cybercriminals. Alongside the BSI, the Federal Office for the Protection of the Constitution and BaFin are warning of an increased danger of cyber attacks on German companies and financial service providers in view of the war in Ukraine. These companies are increasingly defenseless and helpless in the face of this enormous danger. This is because insurers are not only excluding more and more risk factors such as "cyberwarfare" and limiting their coverage amounts; they are also raising their demands on operational IT security or withdrawing completely from the cyber business. The fact is that the damage caused annually by cyberattacks keeps growing - and with it the demands on insurers.

Cryptocurrency boom brought criminals onto the scene

A sad peak of the last few days: the US crypto platform Beanstalk lost US$182mn through a single hacker attack that lasted only 13 seconds. In the first quarter of 2022 alone, according to Atlas VPN, blockchain hackers worldwide captured the equivalent of around $1.3bn. However, the number of unreported cases may be much higher, as the figures published by the Slowmist platform are based on information about attacks that have already been documented. At the same time, DDoS attacks have skyrocketed in recent years: the number of DDoS attacks documented in the Link11 DDoS Report increased by 149% from 2019 to 2021.

DDoS extortion waves in particular are on the rise, according to the Federal Criminal Police Office's "Bundeslagebild Cybercrime 2021". Companies and organisations are either confronted directly with concrete ransom demands under the threat of DDoS attacks, or the DDoS threats appear as part of so-called "double extortion" or "triple extortion". In the latter case, they often flank ransomware attacks in order to lend further emphasis to the ransom demands. At the same time, the damage rate grew disproportionately. This includes not only financial losses due to business interruptions, productivity losses, loss of earnings, or ransom demands. Significant damage is also caused across all sectors by recovery costs, reputational damage, and the costs of legal prosecution and defence in the event of data protection breaches.

Not only critical infrastructure is targeted by hackers

Even before the attack by Russian troops on Ukraine, attacks in cyberspace on operators of critical infrastructure in various countries were on the rise. Among others, financial and energy companies, public authorities, systems for controlling supply networks or industrial companies that manufacture defense-related products were and are in the crosshairs. Nevertheless, the threat is also growing beyond sectoral and national borders. The insurance companies are either reacting to the growing damage amounts and cases with premium increases (experts expect an average increase of 30 to 40% in 2022 for companies that have an adequate level of IT security), or they are categorically excluding risks such as business interruption losses after cyber extortion. This is equally true for cyber warfare, which usually leads to insurers' exclusion of liability.

Moreover, they prefer to leave the less lucrative market to their competitors right away. The available coverage amounts will probably only be in the range of 5 to 15 million euros. Those who do not achieve an acceptable level of security will, in the worst case, find themselves without any insurance cover at all.

IT stress test: The scale of cyberattacks calls into question the effectiveness of cyber policies

For some parties, a lot of money is at stake. The probability is therefore relatively high that such questions will ultimately be decided in court. Much remains vague and a matter of interpretation. In the best case, the money is at least partially returned - but the trust is not. Regaining lost trust is a difficult and lengthy process. The internet, for example, does not forget anything, and if payment is made first, the attackers may come back again.

Logically, insurance cannot prevent all this. On the contrary: in the worst case, a cyber insurance policy may even give the company a false sense of security and thus make it negligent with its own IT security. The requirements profile for the entire insurance market has become much more demanding because cyber criminals now act in a much more sophisticated manner. This is a challenge for everyone, and there is no doubt that only good cybersecurity can provide real security. Such IT security is always kept up to date and recognises even the smallest signs of cyber attacks. The goal must be to make it as difficult as possible for the hackers.

Companies must protect their IT even more comprehensively 

Those responsible for cyber security in companies and organisations now face the great challenge of raising IT security to a level that is still accepted as an absolute minimum by the sensitised insurers. At the same time, the level of protection should also prevent damage that exceeds the coverage of the insurance policies. Otherwise, there is a risk of damage so severe that it threatens the future of the company. In order to set up an appropriately robust IT infrastructure, the first step is to identify business-critical assets such as networks, servers, middleware, APIs, and applications.

IT landscapes are becoming increasingly complex and fragmented due to hybrid infrastructures and multi-cloud applications. The resulting risks in the digital value chain need holistic protection. This applies to every asset - regardless of the OSI layer on which it operates or is affected. Isolated solutions and patchwork protection per provider can be administered neither with existing resources nor with the onboard resources of the various cloud services. The SLAs are as thin as can be and often do not cover business requirements. In regulated industries, there are also extended logging and reporting requirements, where even simple tools and onboard resources reach their limits.

Especially in times of intensive cloud use and mobile working, the data line becomes the bottleneck: if it is not available, literally nothing works. APIs are also coming more into focus in DDoS attacks. Unlike attacks on networks and servers, a breeze is enough to bring APIs to their knees. Even attacks with small bandwidths have an enormous impact. This makes it all the more important to take a holistic view of the entire OSI architecture and to use intelligent solutions that work completely automatically. In this way, human error can be ruled out as a source of failure and employees can be relieved.

About the author: Marc Wilczek is the COO of Link11, which is a leading IT security provider in the field of protecting web services and digital infrastructures against cyber-attacks. With its North American headquarters in Vancouver, the company offers fully automated, cloud-based anti-DDoS protection with the fastest Time to Mitigate (TTM) available on the market. Link11 utilizes AI and machine learning to ensure that its TTM accurately recognizes malicious traffic as fast as possible.

Wilczek has more than two decades of leadership and management experience. At Link11, he is responsible for strategic business development, growth initiatives as well as marketing and sales. In addition to management functions within the Deutsche Telekom Group, he was previously Senior Vice President Asia-Pacific/Latin America/Middle East and Africa at the eHealth group CompuGroup Medical and headed the Asian business at the IT security expert Utimaco Safeware (now Sophos), among others. Wilczek has a Master of Science in Management from London Business School and attended as a Sloan Fellow.

