What were the key attack vectors in 2020 and how did the threat landscape evolve?

The big story of 2020 was the continued escalation of ransomware and business email compromise (BEC) as threat actors took advantage of organisations rapidly rolling out remote access. Our partners reported an uptick in opportunistic social engineering attacks and in sophisticated attacks aimed at configuration weaknesses and zero-days.

“We were involved in a number of incidents involving sophisticated ransomware groups such as Maze, who set realistic ransoms, have a strong track record of providing decryption keys, and offer to provide details of their network intrusion and data exfiltration upon payment of the ransom,” said Nicholas Blackmore of Kennedys in Australia: “This significantly changes the calculus when we are advising an insured on whether to pay a ransom or not.”

Grant Thornton’s Justin James noted a rise in Trickbot banking trojan attacks, purported to be linked with the threat actor Wizard Spider, on government and large businesses, and “fileless” attacks through “living off the land binaries and scripts (LOLBAS)” using OS-native tools such as PowerShell, while Quentin Charluteau of Simmons & Simmons in France added tech support scams, sextortion, URL hacking and the overwhelming of telephone services to the list of prevalent forms of attack in 2020. Blackmore noted continued cases of identity fraud and attempts to find invoices to use for payment fraud, while Clyde & Co reported threat actors searching for insurance policies on insureds’ systems and using them to gain leverage in ransom payment negotiations.

eCrime accounted for 85% of intrusions in 2020, up from 70% in 2019, Justin said, with RYUK malware from Wizard Spider, MAZE from FIN6/Magecart and REvil from Gold Southfield the main culprits. “Huge attacks like the SolarWinds campaign remind us of the great sophistication of our cyber adversaries,” said Grant Thornton’s Vijay Rathour. Indeed, the capability of these eCrime groups continues to advance, while Ransomware as a Service (RaaS) is becoming “more refined and commoditised”, according to Anthony Hess of Asceris.

Keeping up remains a huge challenge; however, detection and response capabilities continue to improve. “Organisations need to - if they have not already - re-evaluate not only their security perimeter, but also review and revise incident management plans, staff training and investment in security,” said Robert Allen of Simmons & Simmons, while Justin added: “Ensuring that endpoint monitoring, network perimeter monitoring and patch management are at the forefront of our minds when considering security solutions”.

How did the Covid-19 pandemic/remote working affect the number, frequency or severity of claims? Were particular sectors more targeted than others?

Rapidly migrating to remote working at scale stretched many organisations’ IT resources and governance, meaning best practices were sometimes side-stepped. This significantly increased the attack surface, with assets outside of corporate infrastructures such as personal laptops and networks prime targets.

Against this backdrop, both the frequency and severity of claims rose in 2020. “Threat actors became more successful and the outcomes were more severe,” said Doyle, while Rathour said cyber claims had “at least doubled” during the pandemic. All demographics were affected, but the financial and manufacturing industries saw particularly big upticks, he said. According to Grant Thornton colleague Justin, attacks on the financial sector surged nine-fold between 1 February and 30 April, while a Carbon Black report found 80% of financial firms saw an increase in cyberattacks in 2020. Clyde & Co also reported a big increase in targeted attacks in the healthcare sector, where sensitive personal data is held but the mitigation techniques usually offered for financial data, such as credit monitoring, are not available.

According to Olivia Darlington of Simmons & Simmons, the UAE has reportedly suffered a 250% rise in cyber incidents, with the establishment of formal ties with Israel increasing the country’s appeal as a target. In response, the UAE established a new National Cyber Security Council to combat what it called a “cyber pandemic”.

What were the biggest drivers of costs, and why?

“The biggest driver of claims costs is whether the personal data affected by the breach is of the insured’s own customers/employees, or its clients - the latter being significantly higher,” said Kennedys’ Blackmore. Notification review and legal costs can be more significant if a large data breach is uncovered, said Doyle, while Hess said remote working was making it more difficult to remediate, also driving up costs. Brexit may also push costs up as organisations consider UK and EU notification obligations in parallel, noted Clyde & Co.

Another factor was higher ransoms - though the frequency of ransom payment varies by country. According to Simmons & Simmons’ Eva Schothorst-Gransie and Sharon van Norden, Dutch companies’ cyber security is still inadequate compared to other countries and they pay ransoms more often (16% vs 6%). Their colleagues in France and Italy said ransom payments are rarer in those countries as data is usually recovered or decrypted with the help of vendors, though Charluteau noted ransoms can now reach several million euros.

“From an indemnity perspective, business interruption (BI) is becoming the biggest loss given the rise in attacks against large corporates,” Doyle added. Reducing BI is key to cost control, but automation of technical incident response components can also bring claim costs down, said Hess. “Office 365 BEC investigations, for example, used to cost $20,000-30,000 just for the technical components, excluding data mining and eDiscovery, but due to cloud response automation we find these under $10,000 at a high level of quality.”

Is underreporting of claims still an issue?

In a word: yes.

“We feel perhaps one in five potential clients resolve to deal with the issue themselves,” said Rathour. This is hindering organisations’ and cyber security vendors’ ability to identify commonalities among threat actors’ tactics, techniques and procedures and secure systems accordingly. Insurers will generally pay, notification or not, but many insureds don’t think of the insurer as being on their side, argued Hess, who said insurers and TPAs could do better at advertising the benefits of their claim response services in helping manage incidents and reducing costs.

Leo Giani of Simmons & Simmons in Italy commented that many Italian insureds are still not very familiar with cyber policies and therefore tend to notify either nothing or everything. They also tend to use their own IT vendors instead of those recommended by the insurers, which can lead to issues if proper consent is not obtained.

Were there more or fewer regulator notifications in 2020?

Partners in multiple regions reported an increase in regulator notifications, linked to the move to non-secure remote environments and increasing pressure from regulators.

Allen said significant fines levied by the ICO on British Airways, Marriott and Ticketmaster have caught the attention of UK companies. However, “this may be diluted by the scale of the cybersecurity incidents that provoked them, the ICO’s relative inaction compared to European supervisory authorities and the reduction in penalty faced by these companies.”

According to Allen’s colleagues in the Netherlands, the Dutch DPA - understaffed and struggling with the workload - has not yet published data on notifications in 2020, but with notifications having risen 27% in 2019, they expect another rise in 2020’s figures.

“Insureds are generally becoming more aware of the breach notification requirement,” said Australia-based Blackmore. Many insureds, he said, still do not put basic cybersecurity protections in place until they face the threat of regulatory action, but Clyde & Co reported others notifying proactively and voluntarily to eliminate any potential risk of non-compliance. New Zealand’s new Privacy Act, introduced in December, brings New Zealand’s requirements for breach notification very closely into line with Australia’s.

Did you see an increase in privacy class actions in 2020?

Privacy class actions are in their infancy but gathering momentum.

In Australia, the privacy regulator, the OAIC, recently handed down its first decision in a data breach class action, noted Doyle, who predicted more filings in 2021, and Blackmore said the Australian Securities and Investments Commission had commenced proceedings against a financial planner whose authorised representatives have suffered multiple recent breaches.

In the UK, the case of Lloyd v Google is due to be heard in the Supreme Court. “The UK courts appear to have relaxed the restrictions that previously prevented ‘opt-out’ style class actions from progressing successfully in the UK,” noted Allen. According to Clyde & Co, the number of UK claimant law firms advertising after data breaches is rising; however, the cost of litigation is still relatively high given the low damages seen so far in English courts.

In the Netherlands, a foundation of privacy experts called the Privacy Collective (TPC) has filed a GDPR-related class-action lawsuit against tech giants Salesforce and Oracle, claiming €500 damages for every internet user whose data was misused, according to Simmons & Simmons’ van Norden. Clyde & Co predicted more large tech companies possessing large quantities of personal data could face actions in 2021.

What coverage issues are emerging and how have these been impacted by recent OFAC guidance on ransomware payments?

Guidance by the Office of Foreign Assets Control (OFAC) to not pay ransoms is a hot topic.

Under some policies, cover is excluded if sanctions have not been complied with, so policyholders could find themselves uncovered if they do not adhere to OFAC ransomware guidance, warned Alex Gabriel of Simmons & Simmons. Sanctions compliance could be a big problem in 2021 for those with stakeholders in different parts of the world that might fall foul of sanctions if ransoms are paid, said Doyle, and Clyde & Co suggested this is one reason the focus of cyber extortion cover is shifting to reputational damage and third-party claims should data be published (i.e. because ransoms are not paid).

Exclusions relating to ‘weaknesses’ in IT infrastructure - excluding, for example, losses arising from use of unencrypted portable devices - have also taken on a new significance due to remote working, Gabriel added. Meanwhile, Clyde & Co report a shift away from larger business interruption (BI) sub-limits as the increasing frequency and severity of ransomware claims drives up the cost of cover.

Felix Zimmermann of Simmons & Simmons suggested the FCA test case on Covid-related BI claims in the UK could also have implications for cyber. With courts straining to hold that BI policies ostensibly covering local outbreaks of a virus also extend cover to pandemics, he asks whether “cyber policies designed to cover attacks targeted at the policyholder might be interpreted as extending to cover a large-scale cyber attack or blackout not aimed specifically at the insured, and its BI consequences”.

Meanwhile, tackling silent cyber exposure remains a key focus of the insurance industry, with cyber risk increasingly being written affirmatively or specifically excluded from traditional non-cyber policies. Careful consideration must be given to the scope of cyber exclusions as they may exclude losses that ought properly to be covered, warned Gabriel. “An exclusion that removes from cover claims involving any use of IT, for example, is likely to have over-reaching effects if included in a non-cyber policy.”
