Cyber-attacks show no sign of abating. In the past week, global consultancy giant Accenture confirmed that ransomware operators stole proprietary information during an attack that hit the company’s systems in August 2021.
Meanwhile, suspected ransomware payments totalling $590 million were made in the first six months of this year, more than the $416 million reported for the whole of 2020, according to the US Treasury.
The US Treasury Department said the average amount of reported ransomware transactions per month in H1 2021 was $102.3 million, with REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos the most prevalent ransomware strains reported.
Of note here is that Washington also put the cryptocurrency industry on alert about its role in combating ransomware attacks: the US Treasury told members of the crypto community they are also responsible for making sure they do not “directly or indirectly” help facilitate deals prohibited by US sanctions.
This move is an interesting one because it clearly suggests a direct link between certain cryptocurrencies and ransomware payments, a link which the US government seems determined to break, and I for one applaud them.
But really, shining a spotlight on the cryptocurrency market here is only looking at a very small part of a really huge problem. And problem it is: according to a recent report by rating agency Fitch, the continued growth in cyber intrusions and ransomware events may pressure the durability and long-term profitability of the cyber insurance market.
Meanwhile, it adds, the growth of risk exposure and rising claims losses have elevated the P&C sector’s standalone cyber direct loss and defence and cost-containment expense ratio to 73% in 2020 from an average of 42% for the previous five years (2015–2019).
To date, the (re)insurance market’s response to the growing frequency and severity of cyber claims has been understandable: tighter T&Cs and a substantive increase in rates.
Yet as we all appreciate, this is a far bigger problem than one which can be dealt with by insurers, reinsurers and the capital markets.
I tend to agree with Tom Johansmeyer at PCS, who says in our interview with him this week that we need to start thinking seriously about diplomatic solutions. To date, no institution has been off limits, and we have seen hospitals and even state health sectors targeted by cyber criminals.
This indiscriminate targeting cannot be allowed to continue. The United Nations needs to come up with some sort of cyber charter which lays out the rules of engagement. After all, this is a war, and for that we have the Geneva Convention, which seeks to protect people who are not or are no longer taking part in hostilities.
Surely, we need something similar for the cyber arena?
Editor, Emerging Risks