In Depth: New dimensions in cyber risk

It was a major cyber attack that broker Stephen King would not forget.

His client, a pub operator with around 200 sites, had suffered a severe ransomware attack where substantial amounts of data had been compromised.

King and his team at broker James Hallam swung into action, working with the insurer and their forensic experts to recover all the data within 48 hours.

No-one, regardless of their size, is spending enough on cyber security and I think that’s got to change.

Stephen King, James Hallam

Thanks to the quick response, the firm steered clear of business interruption losses and avoided ransom payments. However, the information technology forensic work and replacement of potentially corrupted equipment meant total costs ran close to a million pounds.

The lesson was clear: even with a good outcome, cyber-attacked companies can pick up a large bill.

King, James Hallam’s divisional manager of cyber, South West corporate, says: “No-one, regardless of their size, is spending enough on cyber security and I think that’s got to change.”

UK cyber attacks

The pub operator isn’t alone. Across the UK, cyber criminals are relentlessly attacking companies, and the problem is getting worse.

Aviva research carried out in 2023 across UK companies found 20% admitted suffering a cyber attack or online fraud in the past year.

The research found that businesses are 67% more likely to have experienced a cyber incident than a physical theft, and almost five times as likely to have experienced a cyber attack as a fire.

It’s the number one risk facing firms, the research concluded, but according to Aviva head of cyber, Stephen Ridley, it’s also one of the most underinsured.

Herein lies the great challenge facing insurance brokers: many businesses are failing to take up cyber insurance and strengthen their risk management at a time when criminals are finding ever-more sophisticated ways to penetrate company defences.

Ransomware attacks in particular, in which cyber criminals disrupt a firm’s IT and stop interfering only once a ransom is paid, are on the rise.

Control Risks, a global risk consultant, says there has been a 100% increase in named ransomware victims between 2022 and 2023.

A Control Risks spokesperson said: “The relentless evolution of capabilities by financially motivated actors, especially those targeting companies in developed Western economies, means that ransomware remains a top digital threat for many.”

International gangs lead the ransomware threat, including notorious groups such as BlackCat and Lockbit. And the insurance industry is no stranger to their activities. In 2022, Lockbit claimed responsibility for disrupting the systems of insurance broking software group SSP.

The relentless evolution of capabilities by financially motivated actors means that ransomware remains a top digital threat for many.

Control Risks spokesperson

Ridley says: “Anyone can make a really good-looking website now using the likes of Wix or Wordpress.

“The same is happening with the criminal side of things, where you don’t need to know the coding ability at all. There are services you can just plug into and use.”

Another type of attack on the rise is phishing, in which fake emails, texts and phone calls are sent to potential victims. Artificial intelligence is creating highly sophisticated scams, targeting people’s emotional vulnerabilities.

“Cyber criminals try to exploit human emotions such as trust, curiosity, and fear,” explains Oliver Osei-Ofosu, Aviva senior cyber security risk management consultant.

“They use very sophisticated email phishing tactics. They sometimes use fake websites as well. They trick people into clicking malicious links and try to get them to share their information.”

Aviva says criminals are using phishing as a gateway to unleash even greater damage and disruption.

Osei-Ofosu recalls a phishing attack on a fashion retailer which tricked one of its employees. This in turn led to hackers getting hold of unencrypted data and using it for a ransomware attack.

Another case was a sophisticated phishing campaign targeting staff at a hospital trust. Malicious malware was deployed, disrupting appointments, and shutting off patient records.

Osei-Ofosu believes the hospital trust was “not vigilant enough”, resulting in attackers using social engineering tactics to get passwords from the employees and changing these passwords on the system.

Security weakness

UK firms' weak security and lack of awareness makes it easier for cyber criminals to successfully attack. This is especially true for smaller businesses that under-estimate the threat. 

“I get asked many times 'Why would a cyber criminal target me? Surely I'm not on their radar?'” King says:

“They don't understand that it’s not about them. It's about the criminals using AI, scanning the internet, looking for vulnerabilities and weaknesses, and then just chancing their arm.”

The main lesson to be learned is that all businesses, of all sizes, are vulnerable to the impact of cyber attacks, and they must place a focus on protecting themselves from these risks.

Sam Cheshire, AJ Gallagher

Partners& cyber director Matthew Clark says larger firms typically have the cyber threat on their radar, meaning brokers’ key role is to help assess the risk. Small firms however, are frequently “blissfully unaware of the damage cyber attacks can do to their business”.

Adding to the complexity is the risk of companies’ important third-party suppliers coming under attack.

Sam Cheshire, head of cyber, UK retail at AJ Gallagher, says: “When a supplier suffers an attack, this can have a large negative impact on a business including financial loss and business interruption.

“The main lesson to be learned is that all businesses, of all sizes, are vulnerable to the impact of cyber attacks, and they must place a focus on protecting themselves from these risks.”

Education

The problem may be vast and complex, but the good news is that the insurance industry is working hard on finding ways to protect businesses.

The first step is pressing clients to embrace cyber education and training for staff.

The broker, insurer or one of their cyber partners can help set up education programmes, or at the very least, point them in the right direction.

Cheshire explains: “Businesses that fail to educate their employees on the tactics used by cyber-criminals are leaving themselves vulnerable to attack.

“Employees who are not trained in cyber awareness are more likely to fall for phishing scams, click on malicious links or mishandle sensitive data.”

Cyber security tools

Gallagher recommends starting with the basics: training the staff, implementing multifactor authentication, and ensuring firms have back-ups and vulnerability scans.

As one of the larger brokers, the firm also provides access to a range of more sophisticated services, helping identify companies’ weak spots and mitigate threats.

Advanced tools are not exclusive to larger brokers. King says insurers are developing powerful cyber security tools to help brokers and their customers.

For example, insurers offer tools that scan for cyber attacks and continuously monitor threats. They also produce easily digestible information that clients understand.

Most of the security information comes from the attack surface scan that the insurer carries out.

Stephen King, James Hallam

He says: “It means we don’t have to send the client a 20-page proposal anymore. Most of the security information comes from the attack surface scan that the insurer carries out.”

Elsewhere, Aviva, as part of a growing cyber and risk management proposition, has partnered with San Francisco-based insurtech CyberCube, which uses a sophisticated scoring system to assess the risk profile of a company.

CyberCube can model financial losses an organisation or company might be exposed to, helping quantify risk.

When it comes to purchasing insurance, Clark believes it is a ‘marathon, not a sprint’. As such, Partners& focuses on helping firms become more resilient, rather than just selling cyber policies.

Clark stresses that before any insurance is purchased, there must be detailed discussions on cyber security, and vulnerabilities must be addressed with cyber tools and risk mitigation action.

He says: “It’s making them more insurable and more attractive to a cyber insurer. That’s the way we would help the client in getting into that smarter position.”

Ridley is optimistic about the cyber landscape, predicting that companies like Aviva will continue raising awareness and investing in cyber tools to help manage customer risk.

New tools such as parametric cyber insurance – which offer guaranteed and instant payout based on pre-agreed datapoints – are growing. Meanwhile, capacity can come from the growing insurance-linked securities cyber market.

The cyber threat may be growing, but so is defensive technology and the sophistication of insurance companies.

Now, more than ever, businesses need brokers and insurers to step forward and help. 

Look out for Part 2 of this InDepth on cyber tomorrow

Sponsored content