Review of 2019
Ransomware Trojans were used in a much more targeted way in 2019 to cause as much damage as possible and extort correspondingly high amounts. In many cases, the attackers already have access to the victim’s system, and employ malware that encrypts data or computer systems, thereby blocking access to them. In return for decryption, they demand a ransom, usually in the form of cryptocurrency. As well as companies, attacks over the last year have increasingly targeted critical areas of public life, such as public authorities and health system institutes. Ransom demands ranged from USD 5,000 to USD 5m – often individually adjusted to the victim’s financial strength. Two Scandinavian companies suffered the largest known economic losses in 2019. A Norwegian aluminium manufacturer lost approximately USD 70m – primarily from business interruption. Another ransomware attack cost a Danish manufacturer of hearing aids roughly USD 95m. What drove the costs up, apart from the business interruption, was the effort required to restore IT systems.
The number of unidentified data thefts and unauthorised personal access to data in the last twelve months increased by roughly one third. Worldwide, some 8.5bn data sets were affected. From a global perspective, the average economic loss per data breach was almost USD 4m, which included the cost of notifying the authorities and the affected persons, investigating the incidents, taking measures to contain the damage and recover the data, as well as fines and court costs. At roughly USD 6.5m, the average costs in the health sector were the highest, as critical data are regularly collected and stored in this field. Data theft is also used for the purpose of blackmail. In the event of non-payment, there is the threat of sensitive corporate or customer data being published. Similar amounts are demanded as with ransomware attacks.
There was a surge over the last year in fraud featuring forged business e-mails, also known as business e-mail compromise (BEC). The attacker procures access to a company e-mail account, or creates an e-mail account that looks very similar to a standard company address. They operate with a stolen or forged identity, with the aim of defrauding companies, customers or employees. Between May 2018 and July 2019, the number of incidents discovered worldwide doubled, while the average economic loss was roughly USD 270,000 according to figures published by the FBI. Small- and medium-sized enterprises are the particular targets of this type of fraudulent e-mail attack. The biggest individual loss that came to light in 2019 was of USD 37m and affected a company in the automotive sector. This trend is also reflected in the statistics for insured cyber losses. BEC scams are already responsible for the biggest losses in individual markets.
Outlook and trends 2020
Technology improves efficiency – including that of cybercrime
Ransomware remains a substantial threat – particularly in view of the potential for business interruption. Losses from BEC fraud and data theft can also be expected to remain at a high level. The cybercriminal world is increasingly operating in a targeted, networked and collaborative way. The latest technologies are being used in every phase of the attacks. Artificial intelligence, for example, is finding increasing use to identify targets, identify and exploit weaknesses, and to cover the criminals’ tracks. This allows attackers to increase the level of automation and efficiency, which in turn results in higher losses. What are known as deepfakes, where voices or individuals are mimicked almost to perfection, will also be used more and more in future phishing attacks and identity theft, and to blackmail companies and individuals.
Networking increases risks along the entire supply chain
Digital dependencies and the use of a constant range of new, networked devices and applications are on the rise, and not just in companies. Cloud-based services and the introduction of 5G as the mobile communications standard will drive this trend. The powerful technologies permit more intensive networking and automation of machines and devices in both industry and private households. Unfortunately, these are not always adequately protected. This will lead to an exponential increase in the continuous data stream, but will also expand the opportunities for substantial, automated attacks on infrastructure, devices and data. A modern supply chain with dependencies between many companies will be increasingly complex as a result. This will also substantially increase the requirements for risk management in light of the expectation of more frequent attacks.
Increased regulation worldwide
Legal data protection requirements are being tightened worldwide, in part in response to the growing threat from cyber risks. There are now laws protecting consumers against data loss or misuse in more than 100 states. The introduction of the EU General Data Protection Regulation (GDPR) in May 2018 has promoted an awareness of data security, both in Europe and beyond. In some cases, it is serving as a blueprint for other countries. As a result of increased regulation, which often contains detailed provisions on notifying attacks and data breaches, the extent and cost of cyber attacks are being made public more often. If a loss occurs, companies must also cope with a potential loss of reputation and fines that are sometimes in the hundreds of millions of dollars. The largest fine in 2019, of around USD 234m, was imposed on an airline in the United Kingdom. As of January 2020 it is not yet finally settled. Governance requirements in the area of data security are complex and binding. They are leading to a process of sensitisation within companies and to a growing demand for loss prevention measures and insurance protection.
Growth in the insurance market for cyber solutions
Overall, we are seeing a significant rise in global IT investment in cyber security. Experts estimate the figure will be approximately USD 400bn in 2025, which corresponds to a fourfold increase in the space of a decade. A portion of this will manifest itself as a demand for insurance solutions and services. Munich Re expects the global cyber insurance market to reach a value of more than USD 20bn by the year 2025, which will represent a fourfold increase on the figure in 2018. For 2020, Munich Re estimates that the global cyber insurance market is worth over USD 7bn. North America remains the strongest market with a value of USD 5.3bn. Munich Re anticipates strong growth in Asia and Europe. The value of the European cyber market in 2020 is estimated at more than USD 1bn.
The biggest demand for cyber insurance comes from the industries most affected by attacks: the health sector, manufacturing industries, and IT, finance and service companies. Risk awareness of cyber losses is increasing for reasons other than media reports. Stricter requirements under tighter regulation, and undertakings required by business partners, are assisting a steady increase in demand for risk covers and corresponding prevention measures. The range of quality solutions has also improved in recent years along with the continuous growth of the cyber insurance market. Covers in the commercial sector are becoming increasingly standardised, with individual solutions for large industrial enterprises predominating. Protection against business interruption and data theft remain key coverage elements. Awareness of their own exposure, which is often substantial, is also increasing at small- and medium-sized enterprises. These companies are increasingly purchasing insurance cover. Private demand for cyber products is also developing more strongly.
Expanding portfolio with cyber solutions at Munich Re
Cyber is a strategic growth field at Munich Re. In line with expectations, the cyber portfolio continued its profitable growth over the last year. Munich Re wants to maintain its market share of approximately 10% of the rapidly growing cyber market.
Munich Re supports its clients with a comprehensive approach to cyber risk management. This is based on understanding the risks, making transparent hidden cyber risks in existing policies (silent cyber), and on adequately assessing the risks, not just individually, but also in terms of their combined effect on the entire portfolio, thereby making them insurable. The accumulation models being used by insurers are rapidly improving. The complexity of the risks and the need for risk-adequate pricing also require top-class cyber teams cooperating across industries and markets. Munich Re continually invests in Group expertise, and develops new solutions in close collaboration with insurance industry experts and technology partners. Along with risk transfer by way of insurance, its range of offerings is rounded off with risk management services and security measures.