Issue - September/October 2021


Current Cyber Risk Trends

By Robert H. Rosenzweig, RPLU, National Cyber Risk Practice Leader, Risk Strategies Company
and Boris Populoh,SVP Mobility & Relocation Risk, UNIRISC - a Division of Risk Strategies Company

While cyber-attacks have gotten more mainstream media attention over the last five years, public perception is still that cyber criminals are primarily targeting large multinational organizations and companies that have significant amounts of personally-identifiable information. While that was once true, the data now tells a different story as ransomware has emerged as the preferred attack methodology for criminals. Ransomware allows attackers to monetize their access to any business, regardless of size, because all industries are increasingly reliant on interconnected systems. Since smaller businesses typically invest significantly less in information security, this has very much become a mainstream issue.

In an effort to better understand how the moving and forwarding industry is managing cyber risk threats, IAM recently conducted a survey of key issues businesses are grappling with today. The complete results will be published separately, but some of the concerning findings from the survey will be addressed throughout this article.

Since 2018, we have seen a 150% increase in frequency of ransomware attacks with the average ransom demands peaking at just under $250k by Q3 2020. As indicated above, this is very much a small- and middle-market issue with 83% of incidents impacting businesses under $300m in annual revenues. Even though the threat landscape is heightened, many businesses are still without adequate, standalone insurance to specifically address cyber risks. Industry analysts estimate that less than 50% of small- and middle-market businesses carry cyber Insurance, and this held true amongst IAM members surveyed.

This perfect storm of frequency and severity is hitting underwriting profitability for insurers, with industry-wide loss ratios up to 67.8% and the average paid loss up by 150% to $350k in 2020. As a result, insurers are trying to price for the new environment. They are increasingly placing importance on controls standardization. The number one control of concern is the use of multi-factor authentication for remote access and key systems. This concern is being driven by an analysis of historical claims showing that the absence of multi-factor authentication has allowed cyber criminals to gain access in an overwhelming percentage of claims.

If a new or existing buyer of cyber insurance cannot attest to enterprise-wide implementation of multi-factor authentication, it is difficult to find coverage in the marketplace. Amongst IAM members surveyed, fully 50% still do not have multi-factor authentication implemented enterprise-wide.

The need for cyber insurance aside, it is imperative for safe operations that all businesses implement multi-factor authentication for remote access and for access to key applications that have sensitive data or are crucial systems.

The other area driving carrier concern is the threat of systemic risk—an incident where a single cyber-attack targeting one business has a downstream impact on all of their customers and related industries. Examples of systemic attacks include the recent Colonial Pipeline incident and the Solarwinds incident. While we did not see significant financial fallout in these two examples, the potential for loss is very clear.

As all industries rely on outsourced IT service providers, cloud storage, and cloud-based software applications, there is the benefit of increased efficiencies and levels of security. However, nothing completely removes the potential for risk. It is important to carry out due diligence on prospective vendors, confirm both that the proper insurance is in place, and that there is a strong indemnity in effect in the event that they are the entry point for a cyber-attack where your data is accessed and your business is impacted.

In outsourcing key systems, IAM members seem to be trailing other industries, according to the survey results. Those same survey results, however, indicate that the industry may be ill-prepared to do proper due diligence when they do outsource. Over 70% of survey respondents indicated they had no formal process in place to assess vendor risk.

As attacks become more disruptive, they inevitably incite calls for solutions and new, tighter regulations. Regulatory requirements around technology security will become more stringent even as the use of technology becomes more prevalent in the moving and forwarding industry, and cyber risk will necessarily become an even greater consideration. Given the pace of the change, it is important to be working with a specialty-focused risk advisor who can partner on developing a risk management strategy, an incident response plan, and the right insurance solution to transfer risk.

If interested in more information on these topics, let UNIRISC know—find us in IAM Mobility Exchange.