The Cyber Red Queen Effect

Gareth Cottam, Senior Adjuster

Since the 1990s, a digital arms race has been underway, with each side developing in sophistication and refinement. Today, cyber criminals have honed their business models into well-oiled machines that run like legitimate businesses, with office space and 24hr
telephone lines manned by call centre staff. However, their end-goal of receiving a significant ransomware pay-out is unchanged. Similarly, law enforcement and cybersecurity professionals continue to improve their techniques. In the case of the Colonial Pipeline attack in the USA in May 2021, the FBI was able, for the first time, to track down the recipients of cryptocurrency (Bitcoin) ransom payments.

In recent years, victim organisations have suffered the inconvenience and reputational damage of having their entire company taken offline. Often, they are unable to access files, issue invoices, or use their emails for several days and sometimes weeks, which can result in considerable business interruption losses. In other instances, weakness in their supply chain is responsible for triggering contingent business interruption losses.

Supply Chain Attacks

By hitting a supplier downstream in the supply chain, attackers give themselves the option of extorting multiple companies. This was demonstrated by several high-profile ransomware attacks in early 2021.

A prime example is Quanta’s data breach, which allegedly involved the key intellectual property of Apple. This incident also showed how the tech industry can face significant risks when it relies on a few key suppliers. As well as Apple, Quanta supplies Dell, HP and other large tech companies, so any

breach of Quanta’s customer data would be highly valuable for attackers. Another example occurred earlier in the year
(Feb 2022), when Toyota Motor suspended 14 Japanese factory operations and lost the output of around 13,000 cars, after a supplier of plastic parts and electronic components was hit by a suspected cyber-attack.

More recent instances, in the latter half of 2022, included the Optus and Medibank cyber-attacks in Australia. These

very public attacks caused ripples throughout the Asia Pacific region. They highlighted that, even if an attack happens in another country, the parent company may suddenly have regional or global exposure. This is especially important to consider where companies have subsidiaries in particularly litigious jurisdictions.
Therefore, for Risk Managers, it is no longer simply about ensuring the robustness of their own company’s cybersecurity policies and measures. They must also make certain their

suppliers maintain equally high standards of cybersecurity.
Cyber-attacks continue to evolve as hackers look for new ways to extort monies from victim organisations. As the Covid-19 pandemic compelled employees in many largely unprepared organisations to work from home, 2020 saw a shift towards stolen data and ever-increasing psychological pressures on victim organisations to pay ransoms.

A New Era of Cyber Threat

Looking ahead to 2023, as geopolitical tensions continue to rise and globalisation starts to wane as a direct result of the pandemic and Russia’s invasion of Ukraine, it is likely that countries will adopt increasingly different and localised IT systems and IT regimes. These trends set the stage for an unprecedented era of cyber-attack.

Inevitably, systemic risk is at the forefront of everyone’s mind. Chief Information & Security Officers (CISOs) and IT security professionals are already ‘putting out fires’ in a responsive manner and their ability to access strategic business partners will vary depending on the maturity of their company’s cybersecurity strategy. CFOs are trying to wrap their heads around the enterprise risk that a multi-jurisdictional cyber event and subsequent business interruption loss could have on their EBITDA. Risk Managers are trying to comprehend the technical complexity of threats which they often have limited exposure to and experience of.

Key Challenges for CISOs

• Hybrid/home workforce
• Growing frequency and sophistication of attacks
• Increasing prominence of IoT (Internet of Things)
• Emerging technologies like quantum computing and AI
• Phishing emails
• Skills gaps and talent shortages
• Lack of business buy-in, budget constraints
• Human error

The focus of any victim organisation’s response to cyber incidents should be on three core elements: containment, mitigation and recovery.

Speed of response is critical, particularly at the outset of a cyber incident, as is the fast-moving engagement of experts to ensure containment and facilitate fast rectification. This helps to reduce BI losses. Based on the losses on which Integra is appointed, we can testify that these costs can be considerable, even if the timeframe involved seems relatively minor.

Moreover, it is important to measure these costs and quantify the period of outage. But this demands technical experts who can support the measurement of BI and incident response costs. With our in-house technical expertise, Gerard Ward, and my background in forensic accounting, Integra can assist throughout the process to ensure a smoothe claim management is achieved.

The key question for insurers is whether their policies are keeping pace as the risk they are covering continues to evolve. Are they able to modify their policies at the same speed as the threat actors are evolving their tactics to extort monies from victim organisations?