Lull in cyber attacks unlikely to last, experts say

The cyber insurance industry has long been dreading a cyber Armageddon event

It has not been a bad year so far for cyber insurers. After a spectacular boom in cyber attacks in 2020 and 2021 which drove insurance prices up to dizzy heights, this year has been relatively quiet, leaving underwriters to reap the benefit.

Cyber security specialists doubt that the current lull will last long - but there may still be a silver lining for insurers if attackers focus on the weakest targets, which may be the uninsured.

The focus will remain on ransom attacks, which tend to account for insurers' biggest payouts. After more than tripling from 2019 to 2021, the number of ransomware attacks globally seems to have dropped off in the first half of this year, according to Howden, an insurance broker.

As many as 74% of ransomware payments last year were to groups believed to be affiliated with Russia, according to data from Chainalysis, a company that provides data and services related to cryptocurrencies.

Since the war between Russia and Ukraine began in February, Russian hackers have likely focused their attention on Ukrainian targets, giving the West a short breather, but as the war drags on, other cyber criminals are all but certain to step in and fill the vacuum.


And even if profit-driven shakedowns remain at a relatively low level, cyber gurus are increasingly worried about state-sponsored attacks.

"State activity will get worse, primarily because we're not likely to see the Ukraine war come to a close in the next year," says William Altman, principal cybersecurity consultant at CyberCube, an analytics firm. "And as Russia becomes more desperate to gain ground in that war effort, they're going to continue to lash out against the governments that are supporting Ukraine."

Apart from government agencies, it is large, economically significant corporations plus firms in key areas like medicine and defence who have most to fear from state-sponsored hackers, Altman says.

A state-backed onslaught designed purely to cause chaos could be even more destructive than scams crafted by criminals looking for a paycheck. Ransomware victims can at least pay their way out.

In contrast, so-called wiperware, like the infamous NotPetya attack that hit Ukraine in 2017, simply renders a computer unusable - although attackers are not above throwing in a spurious ransom demand for good measure.

Criminal syndicates, on the other hand, may be ideologically divided or straddle the border between two countries. The Conti group, one of the most notorious ransomware gangs of recent years, trumpeted its support for Russia at the outset of the war, but was promptly humiliated by a series of leaks from a disgruntled member.

The cache of highly confidential messages and ransomware source code - accompanied by slogans like "Glory for Ukraine!" - offered a rare insight into the world of online extortionists.

Even if Russian and Ukrainian racketeers remain focused on fighting each other, it is unlikely that western countries can expect much of a reprieve. Software developed in Russia for use against Ukraine may end up being sold off to others for profit.

"Ransomware developers have inevitably shifted their focus to the Russia-Ukraine conflict, where we have seen the creation of new types of malware utilised for battle," says Will Gow, head of cyber and financial lines at QuestGates, a loss adjusting company. "More likely than not, once that malware is no longer needed it will be re-purposed by the developers as states recover financially. And they'll probably do that by selling it to other threat actors in the market through the dark web."

There already seems to be an uptick in North Korean activity, Gow says, occupying the niche vacated by Russian gangs. He also flags up the theft of digital assets (cryptocurrency and non-fungible tokens, or NFTs) as something that we can expect to see a lot more of - and an increasingly interesting growth area for insurers.

Another factor behind the recent lull may be that cyber criminals are simply reorganizing. After a period of rapid expansion where gangs increasingly specialized in one element of the ransom process (developing malware, carrying out attacks or negotiating payments), the industry may now be consolidating.

The gangs' fragmented business model, as it turned out, had its drawbacks. In 2021 a wave of major, highly publicized attacks on targets like the Irish health service and Colonial Pipeline, a major US oil transport system, put cyber security squarely in the sights of governments.

That came as a shock to cyber criminals, who have since focused their attention on less conspicuous targets. They may now be more reluctant to license out their knowledge to other hackers who might attract unwelcome attention.

One thing that keeps insurers up at night is the possibility of some major event affecting many customers at once and leading to a sudden flood of simultaneous claims.

"I think it is likely to get worse," says Dean Chapman, lead consultant (GB Cyber Risk Solutions, Global FINEX) at WTW, a large broker. "As a nation and from a global community standpoint more broadly, what we haven't experienced yet is that much-anticipated cyber Armageddon event."

That 'Armageddon' could take the form of a breach at one of the major cloud providers, like AWS or Microsoft's Azure, or a new vulnerability discovered in a ubiquitous product like Windows. It is even likely that Russia and other states have an arsenal of zero-day exploits (previously unknown weaknesses in a system) ready to deploy if geopolitical conflicts escalate further.

If that scenario is a potential nightmare for insurers, they still have one Get Out of Jail Free card in the form of war exclusion clauses. Wartime losses have traditionally not been covered by insurance, and cyber is no exception - the trouble in today's bewildering environment is deciding what counts as a war.

On August 16, Lloyd's of London sought to set expectations by defining the scope of war exclusions, but even so there may be room for disputes.

In January a New Jersey court ruled in favour of German pharma giant Merck, which estimated that it suffered more than $1.4 billion in losses from NotPetya. Merck's insurer, ACE American, had refused to pay out on the grounds that NotPetya was an instrument of war created by Russia as part of its intimidation campaign against Ukraine.

The court found that "Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare" - and even noted that "no court has ever applied a war (or hostile acts) exclusion to anything remotely close" to that situation. That will give other insurers pause for thought.

There is one other reason for the insurance industry to take comfort: cyber security measures have become vastly more widespread. These can range from basic steps like multi-factor authentication - now a prerequisite for any company hoping to get insured - to advanced threat response teams who deal with attacks in real time. Working with modellers and response teams to protect the insured from attacks is increasingly becoming one of cyber insurers' key functions.

"We're going to get to a stage where you're not going to be able to operate in this market unless you've got the capabilities required to try and prevent your insureds from having losses," says James Burns, head of cyber at CFC Underwriting.

Despite some grumbling from customers about onerous boxes to tick, the result is that firms with cyber insurance are now far better protected than they were even two or three years ago. If those measures are effective enough to deflect attacks onto softer targets, it may be uninsured businesses that bear the brunt of the next wave of attacks.

Insurers will be hoping that sends them running for cover.
