Ransomware attacks: A growing global security and financial threat

THE recent proliferation of ransomware attacks underscores how cyber risk is cutting across sectors and becoming a growing global security and financial threat.

Moving forward, the volume, size and sophistication of ransomware attacks are expected to increase, given that the risk of criminal prosecution remains low while profit incentives remain high.

Viewing the increase in attacks and severity as a credit negative, Fitch Ratings said it will, however, evaluate every incident within the context of each issuer’s credit profile.

According to Bitdefender, ransomware attacks increased 485% globally in 2020, accounting for nearly one-quarter of all cyber incidents with total global costs estimated at US$20 bil.

Ransomware attacks that threatened to release stolen data are rising and made up 77% of total attacks in 1Q 2021. This has helped drive up the cost of ransomware attacks, with the average ransom payment in 1Q 2021 of US$220,298, up 43% from 4Q 2019, according to Coveware.

Cyberattacks against schools and local government healthcare providers have also more than doubled to 2,354 in 2020 from 966 in 2019, according to Emsisoft.

“Issuers with less sophisticated networks, security systems and IT departments may be most vulnerable to attack, but downside risk potential is higher at larger and more strategically important entities,” opined Fitch Ratings.

“Ransomware targets every sector and geography, but certain sectors have proven more attractive targets than others.”

Professional services firms such as small law and financial services firms are popular targets of ransomware attacks as they typically possess valuable personally identifiable information, payment data or intellectual property.

“Payment of the ransomware does not guarantee that stolen files will be returned or undistributed or that a decryption device will be provided,” revealed the rating agency.

“(In fact), payment of ransomware can expose financial firms to increased financial and compliance risk, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws.”

US cyber insurance direct written premiums increased about 22% in 2020 to almost US$3 bil while the direct loss ratio for stand-alone cyber rose to 73% in 2020, the highest level recorded in the six years data have been available.

While specific loss cost drivers are not reported, the increase in ransomware is a factor behind the higher losses.

Cyber insurance typically covers payments for ransomware and forensics associated with cyber events. Beazley’s CEO recently stated that the insurer would not exclude extortion payments from policies but called on the government to legislate whether such pay-outs align with public policy.

However, Axa S.A., a leading writer of cyber insurance in France, recently announced it would no longer cover ransomware payments for cyber-insurance policies in France. This may lead other market participants and jurisdictions to follow suit.

“Without the ability to transfer the risk, affected companies would face increased financial risk from a ransomware attack, which is a credit negative,” opined Fitch Ratings.

“Other credit considerations would be the impact on reputational, operational and regulatory risks. Excluding ransomware payments from policies would be a credit positive for insurance companies in the near term as the ability to accurately price for ransomware remains elusive.” – May 19, 2021
