Concentrate on controls

Ransomware

COVID-19 added fuel to an already burning fire, as the number and variety of ransomware attacks exploded in 2020. Cyber insurers reported a 336% jump in claims from the start of 2019 through to 2020 [3].

Business costs associated with ransomware are expected to reach USD 20 billion in 2021 [4]. Ransomware is no longer confined to the simple model of ‘pay to decrypt’, and data may be extorted, breached, or even erased. Business interruption is highly likely. At the close of 2020, seven in ten ransomware attacks involved the threat to leak exfiltrated data [5], and some variants threatened to auction stolen data. Data destruction also emerged, in which servers or clusters of data are permanently wiped [6].

On top of ransomware, 2021 will present ongoing risk from criminals funded by foreign nation states, whose private enterprise hacking aligns with state-sponsored activities and interests. The most severe threat will continue to be Advanced Persistent Threats (APTs), which introduce yet another challenge and a substantial compliance burden: knowing the risks of payment when the attacker could be a potential ‘bad actor’ under government sanction.

All of this complexity is not lost on insurers. Many cite ransomware as a major factor impacting their cyber insurance loss ratios [7], and 62% of underwriters cite access control as a critical topic [8].

So what should your organization do? It is critical to demonstrate concrete risk mitigation actions, or organizations might be subject to sky-high cyber premiums. Take steps to reduce your organization’s exposure footprint, and minimize the impact of data exfiltration. Retain only qualified cyber security professionals to identify vulnerabilities, establish business continuity plans, and assist with breach response.

-----------

2. “This Year in Ransomware Payments (2020 Edition),” December 2020. https://heimdalsecurity.com/blog/ransomware-payouts-of-2020/.
3. “2021 Errors and Omissions and Cyber Insurance Snapshot: A focused view of 2021 risk and insurance challenges,” Aon, https://www.aon.com/cyber-solutions/thinking/aons-errors-omission-cyber-insurance-snapshot-a-focused-view-of-2021-risk-insurance-challenges/.
4. “Cyber Security Ventures,” https://www.thesslstore.com/blog/ransomware-statistics/ https://www.sdxcentral.com/articles/news/ransomware-attacks-spike-148-amid-covid-19-scams/2020/04/.
5. “Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands,” Coveware Ransomware Marketplace Report, Q4 2020, https://www.coveware.com/blog.
6. “Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands,” Coveware Ransomware Marketplace Report, Q4 2020, https://www.coveware.com/blog.
7. “2021 Errors and Omissions and Cyber Insurance Snapshot: A focused view of 2021 risk and insurance challenges,” Aon, https://www.aon.com/cyber-solutions/thinking/aons-errors-omission-cyber-insurance-snapshot-a-focused-view-of-2021-risk-insurance-challenges/.
8. “2021 Errors and Omissions and Cyber Insurance Snapshot: A focused view of 2021 risk and insurance challenges,” Aon, https://www.aon.com/cyber-solutions/thinking/aons-errors-omission-cyber-insurance-snapshot-a-focused-view-of-2021-risk-insurance-challenges/.


July 23, 2020 [2]

Multinational Technology Company

> worldwide outage

Ransom paid: USD 10M


July 27, 2020

Business Travel Management Company

> 30,000 computers taken down and confidential business files stolen.

Ransom paid: USD 4.5M


December 31, 2020

Worldwide Money Management Company

> accessed, copied and encrypted 5GB of data

Ransom paid: USD 2.3M

Explore key risks arising from ransomware, map them to key cyber security controls, and determine actions your organization can take to close cyber security gaps.



*Aon's Cyber Quotient Evaluation (CyQu) is a comprehensive cyber risk assessment that evaluates cyber risk across 9 security domains and 35 critical control areas.
