In the same week as the Colonial Pipeline hack, one of the most disruptive digital ransom schemes ever reported, a new report has suggested that the estimated economic cost of cyber-crime now exceeds $1 trillion.
The report, from Bloomberg Intelligence (BI), highlights the growing need for cyber insurance, adding that the sophisticated attack on the Colonial Pipeline in the US – forcing one of the nation’s biggest gasoline pipelines to shut down for several days – is a timely reminder of the vulnerability of the nation’s energy infrastructure.
The BI report, US Pipeline Cyberattack Implications for Insurers, says a cyberattack on US energy infrastructure has long been flagged as a major risk by insurers, with a report by Lloyd’s and the University of Cambridge warning in 2015 that the cost of an attack could rise to more than $1 trillion in the most extreme scenario.
BI also cites a recent report by the Center for Strategic and International Studies, in partnership with McAfee, which estimates the annual monetary cost of cyber-crime at $945 billion; when added to global spending on cybersecurity of around $145 billion, this puts the economic cost of cyber-crime at more than $1 trillion.
Part of the reason for the cost is better reporting, but the bill is also growing because of the increasing use of ransomware and phishing-related ploys, with criminals targeting organisations including healthcare bodies, pharmaceutical companies, academia, medical research groups and local governments.
Just 4% of 1,500 companies surveyed in 2019 said they had not faced a cyber incident.
“The Colonial Pipeline attack isn’t the first on a US energy facility. Aging US energy and power infrastructure makes it particularly vulnerable to cyberattack threats in our view,” said BI Senior Industry Analyst Charles Graham.
Speaking to Emerging Risks, Professor Dror Fixler, CEO of FirstPoint Mobile Guard and an expert on cyber security, said he was “definitely not surprised” by the attack on the Colonial Pipeline.
“It’s very easy to get into an organisation if you are not keeping all corners closed,” he said, adding that cyber criminals are trying to hack the weak elements in any chain, and that organisations, both public and private, need to take security precautions extremely seriously, especially with regard to remote interception of cellular networks.
“National utility providers, like Colonial Pipeline, are not only under attack by criminals and lone hackers, but state-sponsored attackers as well,” Fixler added. “This means that nearly every type of cyber-attack is a relevant threat, and security needs to be as airtight as possible – from the device, through the connectivity, the cloud, the network, and the people.”
According to a note from rating agency AM Best, as the Colonial Pipeline attack has shown, cyber is a very complex risk, with far-reaching impacts to clients and insurers alike:
“The classifications of these events as terrorism, criminal activity, or acts of war have different implications for insurance, as will require guidance from government entities (such as Treasury and the FBI) as clients and insurers navigate these cases.”
Crucially, according to the rating agency, the cyber market is now at an important inflexion point:
“The escalation in ransomware attacks has forced insurers to re-think globally, as evidenced by the decision of AXA Insurance in France to halt ransomware crime reimbursements. Insurers that lack the appropriate expertise, ability, and controls for cyber insurance risks, having a well-defined risk appetite and stress-testing to ensure compliance within a risk appetite could be subject to losses outside of risk tolerance that may have ratings implications.”