On June 30, the NetDiligence Virtual Cyber Risk Summit kicked off with a perennial favorite panel, Claims and Losses. Moderator Simon Oddy (Baker Tilly) was joined by Mark Greisiger (NetDiligence), Joe Niemcyzk (Markel), Marissa Olsen (Aspen Insurance) and Jennifer Coughlin (Mullen Coughlin) to discuss recent developments and trends in claims and losses resulting from cyber events.
Greisiger began with a preview of the forthcoming 2020 NetDiligence Cyber Claims Study. In 2019, ransomware continued to lead incidents and losses, with both ransoms demanded and overall incident costs rising dramatically. Health and professional services sectors continue to be the most heavily hit, with the manufacturing sector experiencing more losses due to its sensitivity to business interruption.
The panel emphasized a growing sophistication and creativity on the part of ransomware threat actors. Niemcyzk stressed that new methods are constantly being devised to increase coercive power. Coughlin echoed these remarks, noting that threat actors are also tending to spend greater amounts of time after an initial breach gathering data and planning an attack. She theorized that minor decreases in claims since the COVID-19 shutdowns began may be due to threat actors merely biding their time after a breach rather than representing a true downtick in incidents.
Olsen noted that business email compromise remains another major threat, one that has been exacerbated by recent events. As workers have moved to remote access, they may be more prone to the types of human error that lead to BEC. Coughlin concurred, adding that the rapid transition to remote work has increased the likelihood that older, less secure devices have been brought back into use; furthermore, remote work has problematized employers’ ability to reclaim devices from employees and end their data access when they are furloughed or laid off. Niemcyzk followed up, noting that phishing emails have increased dramatically, often tailored to the new landscape, with messages concerning COVID-19 testing, public health notifications, or small business support.
All the panelists agreed that new complexities had the potential to increase downtime after an incident. They emphasized that SMEs often underestimate the length of time needed to restore data, regardless of whether they choose to pay a ransom for decryption or whether they are able to restore systems with data backups.
Even as the trends remain clear with regard to threat actors, the legal and regulatory picture brings other challenges. July 1, 2020 marked the beginning of enforcement of the CCPA, but the industry will have to wait to see how courts will rule and how other states might follow California’s lead. At the same time, COVID-19 does not seem to have slowed down regulatory investigations, though regulators have eased some deadlines in response to current events.
The panel concluded with some predictions for the future: affirmative cyber, IoT, wrongful collection/wrongful use, and the potential for increased industry efficiencies were the topics seen on the 2021 horizon. Viewers will undoubtedly wait with interest to hear these speakers again and to find out how their predictions play out.