The cyber threat landscape in 2023: insights for the (re)insurance industry


It is clear that 2022 was a year of big breaches, from the Lapsus$ gang targeting giants such as Microsoft, NVIDIA and Okta, to the breach of LastPass. The landscape is constantly evolving, with threat actors using more advanced techniques that organizations must fight off with better security tactics.

Although the cyber insurance market is stabilizing, it is still critical that the players in the industry are able to keep up with cyber threat trends. Understanding these trends is the vital first step (re)insurers should be taking to ensure they maintain profitability. 

This blog will cover how the volume of attacks will likely change, the ways in which risk management is changing and how the market should react.  

1. Ransomware

Ransomware remains one of the most significant threats in 2023 — but it will undoubtedly change and evolve as threat actors and security defenses become more advanced. While we see a steady increase in the volume of attacks, including the number of attacks asking for ransom, we also see a decrease in the ransom revenue as a result of improved security and law enforcement efforts.

This threat is so pervasive that businesses are now in a better place to ask for security, legal or negotiation expertise than they were five years ago. Some responses to ransomware include: 

1. The security community and researchers in some cases provide decryption (although this is not the majority of cases).
2. Law enforcement sometimes steps in to help the affected organizations. It has also occasionally been successful in obtaining the decryption keys (for example, the Dutch Police).
3. The insurance industry and other important business stakeholders, such as regulators, understand this issue and are keener to take initiatives that address this threat.

Despite these improvements in the overall approach to tackling ransomware, defenders in security teams worldwide still need to remain vigilant. We see that established ransomware groups will further perfect their malware. One of those groups, LockBit (which we detail in our Global Threat Briefing H2 2022), issued version 3.0 of their malware, which then leaked due to conflict within the group. We will also see new dangerous groups emerge, for example Play ransomware compromising the Rackspace company, which disrupted the company’s customers in a supply-chain effect.

With many organizations reluctant to pay ransoms, attackers will deploy different extortion techniques. These include reaching downstream customers, PII owners, key business partners or suppliers, resorting to double or triple extortion, and reinfecting those who restored their network without paying a ransom. Businesses will have to come to terms with these techniques and prepare accordingly.

What it means for insurance

As ransomware changes, insurance companies must be able to recognise which companies are at risk, how they can mitigate the risk and what losses they could face. The relevant data analytics can help to identify which common security weaknesses may be exploited by threat actors and increase the probability of a breach.

2. DDoS attacks

In 2022, distributed denial-of-service (DDoS) attacks peaked in both the number of attacks and their strength. It is likely this threat will remain a disturbance in the upcoming year, so (re)insurers will need to be aware of this.

Network protection mechanisms allow us to mitigate DDoS attacks. However, this type of attack continues to grow either as a nuisance to businesses (the outage these attacks cause rarely exceeds 4 hours), or as a political statement over the conflict in Europe (Russian hacktivist groups like Killnet are using this type of attack on public and private entities across the EU and the US). DDoS attacks tend to be more frequently accompanied by a ransom, and incident responders and insurers assume this trend could continue into 2023.

What it means for insurance

The outage of services caused by DDoS attacks should be considered by (re)insurers, especially for publicly available services (local or national government websites, news websites, NGOs, rail or other transport systems, etc.). Insurers should verify that DDoS protection services are applied and that organizations are prepared to deal with these outages and downtime.

3. Nation-state activity

Nation-state activity and its intended or unintended damage represent a substantial challenge for insurers. The aim for nation-state threat actors is often to dissuade a country’s or regime’s opponents by attacking organizations in the public or private sectors. Motivations for these attacks range from swaying public opinion, to silencing groups of activists or crippling critical national infrastructure.

The groups sponsored by Russia will continue using their cyber capabilities (ransomware, wiper malware and disinformation campaigns, to name a few) to support the strategic objectives in the regime’s war against Ukraine. However, Ukraine’s focus on resilience allowed the country to successfully block over 4,500 cyber attacks in 2022. Ukraine and the country’s allies should nonetheless expect destructive attacks on critical infrastructure as well as influence operations.

Hacktivism grew in 2022 and many groups joined sides as the Ukraine-Russia war developed. The next year will likely bring more disruptive attacks as a result of the proliferation of destructive malware by various hacktivist groups (be it DDoS or other malware). The victims of these attacks could range from public services and suppliers to critical infrastructure to operators of industrial control systems.

Nation-state groups may be incentivised to carry out espionage or bring home more revenue via extortion. We have never seen so much variety in cyber espionage — including the techniques used, the type of targets attacked, and the geographic scale of attacks that are deployed — and this is likely to continue.

What it means for insurance

There is no reason to expect fewer disruptive attacks in the coming year. On the contrary, national authorities urge critical infrastructure operators and other industries to increase readiness for handling incidents and large spillover events. 

Each year, more cases of cyber attacks linked to foreign military groups are opened by the authorities, and with the help of researchers and law enforcement, we see more indictments. We saw a positive step in attribution of a cyber attack to Russia not long after the attack on Viasat KA-SAT and its spillover beyond Ukraine (resulting in statements from the EU, UK, and US). This recognition can help the insurers to better tailor their policies in a chaotic environment.

Insurers are also encouraged to seek clarity on what happens in the case of a cat event caused by a nation-state group. The discussions around the war clauses in cyber insurance policies are ongoing and necessary. Organizations should also pay attention to devices used by high-profile individuals, to phishing and email compromise, and keep track of the new methods applied by anyone with a motivation for espionage.

Continuous advancements in cyber threat trends

Many of the trends that we saw last year will continue — with further advancements in ransomware and DDoS attacks, making cyber risk more impactful than ever. Nation states will continue to be on the offensive, meaning cyber catastrophe risk is likely to increase. 

As these threats evolve, the (re)insurance industry needs to be cognisant of what this means for their clients and how they can make profitable underwriting and portfolio management decisions. 

CyberCube has published their Global Threat Briefing H1 2023, which provides a comprehensive update of cyber threat activity and what the (re)insurance industry needs to look out for. Using CyberCube’s leading cyber risk analytics, the report shines a light on the rise of ransomware, exposed industries to watch, and a geographical analysis of vulnerable regions. 
