It’s almost the time of year when the Australian Cyber Security Centre (ACSC) publishes its annual cyber threat report, so it’s a great opportunity to reflect on cybercrime and what the new report may highlight. The 2020–2021 report was published last September and is based on data sets of cybercrime reports and cyber security incidents in Australia that were reported to the ACSC. The report noted that there was a 13% increase over the previous year in both cybercrime activity and severity and impact, with almost 50% rated as “substantial.”
I guess it’s unsurprising that there were also many reports related to the coronavirus pandemic — approximately four reports per day. Healthcare and vaccine organisations (and individuals) received a barrage of malicious email and text messages. In addition, ransomware attacks increased to 500, up by 15% from the previous year. This increase in ransomware was highlighted in our March 2021 blog post, “Ransomware: Addressing the Change to Cyber Insurance,” where a 10% increase in cyber insurance loss ratios was largely attributed to an increase in ransomware attacks. Despite the increase in ransomware attacks, the top reported types of cybercrime were fraud and online banking and shopping scams.
Cybercrime incidents accounted for losses of more than $33 billion, with many of the attacks (25%) targeting Australia’s critical infrastructure. Medium-sized businesses suffered the largest average losses at over $33,000 per loss.
I’m hypothesising that this spread of loss may be because smaller organisations have less turnover, and larger organisations are better equipped through technology and training against cyber attacks. The human risk of cyber is explored in Guidewire’s blog post “Why Insurers Should View Cyber as a Human Risk, Not an IT Risk.” An exploration of how behavioural analytics can be used to enable powerful predictions at an individual, organisational, and portfolio level can be found in the post “Debunking the Top Four Cyber Myths Through Behavioral Analytics.”
Ransomware is coming under increasing focus, with growing coverage in the news media and the ACSC highlighting some high-profile events as case studies. ABC News identifies the increasing costs associated with ransomware, with two-thirds of Australian companies being targeted. Outside of Australia, Guidewire’s Paul Mang wrote about the high-profile ransomware attack that occurred at Colonial Pipeline in the United States. The incident enabled Guidewire to help our customers navigate the fallout from the attack by leveraging the advanced capabilities of the Cyence platform.
Paying the ransom does not always bring an end to an incident. Cybereason reported that 80% of victims who pay a ransom are attacked again — with more than two-thirds of them experiencing another attack within a month! In the recent “Taming the Uncertainty of Ransomware Risk” white paper and blog post series, Guidewire advances both a new mindset and a practical means to tame ransomware risk uncertainty with an innovative approach.
When it comes to cyber insurance products in the Australian market, most are sold through brokers, even if they originate from one of the major insurers. I think this is probably a sign of both a developing market and the perception that anything cyber-related is complex and requires assistance when navigating all of the options. One innovative approach to personal cyber insurance is to include the cover in a standard home policy. Many brokers also provide risk assessment services. One broker, AON, has implemented Cyence and collaborated with Guidewire on the analysis of cyber attack scenarios.
If you want to learn more about Guidewire’s cyber insurance capabilities, visit the Cyence page for information on cyber underwriting, cyber portfolio management, and quantifying cyber risk with Cyence models.
In part 2, I’ll investigate the difference a year can make when the ACSC publishes its Annual Cyber Threat Report 2021–22, which should be available next month.