2022 has been a tumultuous year in terms of geopolitics and global economics. Alongside the continued evolution of cyber threats, in particular ransomware, these changes have the potential to significantly alter the UK cyber security landscape. For 2023, JUMPSEC predicts that:
1. The number of organisations with cyber insurance will shrink, and insurers will fail to pay out on ransomware-related cyber attacks.
In a key bulletin published in August 2022, Tony Chaudhry, the Underwriting Director of Lloyds, addressed the risk posed by cyber security threats to the insurance industry, stating that “losses have the potential to greatly exceed what the insurance market is able to absorb”.
In response to the rising tide of cyber security incidents, particularly ransomware attacks (as we explored in our recent Ransomware Trends Report), cyber insurance providers are now seeking ways to reduce their exposure. This has led to insurance providers raising their premiums, more tightly controlling which costs and impacts are covered by insurance, and generally making insurance harder to acquire by mandating a growing list of prerequisite cyber security controls.
Insurers have also begun to adjust their policies in light of recent disputes, with Lloyds of London stating that it will stop covering losses from certain nation-state cyber attacks and those that happen during wars, declared or not, beginning April 1, 2023. Given the proliferation of ransomware attacks of reported Russian origin (as noted in the recent NCSC Annual Review) and the inherent difficulty of attribution in cyber attacks, this could result in a large proportion of attacks being categorised as ‘nation state’ perpetrated – and therefore outside the scope of many insurance policies.
2022 has seen two pivotal cyber insurance cases: Merck & Co and the recently resolved Mondelez vs Zurich Insurance dispute. Both disputes trace back to the 2017 NotPetya malware attack, which was attributed to Russia’s military intelligence agency and deployed as part of the conflict with Ukraine, with both cases based on the classification of the attack as an ‘act of war’. The former resulted in a $1.4b win for Merck, whilst the Mondelez case was settled behind closed doors – potentially suggesting a less favourable outcome which fell short of Mondelez’s demands.
There is also evidence that insurers have less appetite to support companies in highly targeted Critical National Infrastructure sectors due to their increased exposure – particularly in light of recent acts of sabotage through both cyber and traditional ‘kinetic’ methods – such as the attacks on the U.S. Colonial Pipeline company, Australian telecommunications infrastructure, and the NordStream pipeline.
The recent changes to policies and the lengthy disputes over the two landmark cases in 2022 call the reliability of insurance into question. Even where a payout is achieved, the time it has taken for the matters to be resolved and the resources required to dispute an insurer’s failure to pay out are beyond many smaller organisations – potentially leading them to fold before the dispute can be resolved and the policy can be activated.
In the face of these changes, there is a growing trend of organisations opting not to renew their cyber insurance policies for 2023. It is vital that these companies reinvest in their cyber defence capabilities instead, ensuring that the potential impact of a breach can be contained and that tested contingency plans are in place to enable business continuity and disaster recovery.
Organisations that presently rely upon insurance as the primary mechanism to mitigate cyber risk are likely to find themselves exposed as they transition to greater reliance on their cyber defences, which is a costly and time-consuming task. This period of transition may, in turn, create a window of opportunity for attackers looking to capitalise on a period of weakness.
2. Ransomware attacks will increase in severity to create increased pressure for victims to pay up.
Without protection from cyber insurance, victims may be less able to pay ransoms.
The philosophy behind cyber extortion is simple – it is cheaper and easier to pay a ransom than to rebuild. Ransom payment is also arguably the only method with a chance of preventing stolen data being leaked to the wider internet. There is no guarantee that an attacker will act on their word and issue a decryption key, or delete the stolen data, but it is typically in their interest to do so – as we explored in an article last year.
There is growing criticism of the decision to pay a ransom. Whilst this has never been encouraged, there is as yet no precedent of prosecution for paying a ransom. However, this may change in the future.
A 2020 ruling by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) states most cases of paying a ransom are illegal, whilst the EU NIS Directive states that EU member states can impose fines for paying a ransom.
In addition, the recent increase in ransom payments alongside rising numbers of attacks has seen the UK’s NCSC release a statement urging solicitors to remind their members of its advice on ransomware and emphasise that paying a ransom will not keep data safe or be viewed by the ICO as a mitigation in regulatory action. The first signs of ransom payment being outlawed are coming from Australia following the recent Medibank data breach and other attacks on critical communications infrastructure, with the Australian government suggesting that making ransomware payments illegal will decrease the profitability of data breaches for criminal organisations.
Criminalising victims who feel there is no other option but to pay the ransom is just as likely to force payment underground and further obscure the real impact of ransomware, rather than the intended consequence of making ransomware a less profitable endeavour.
Reduced financial support combined with increased scrutiny from governments and regulators is likely to further reduce the willingness and ability of organisations to pay a ransom. This is likely to lead ransomware groups to double down as they seek to protect what is an incredibly lucrative criminal enterprise. An escalation in attack severity could include:
- Increased severity of attacks, such as by escalating beyond the encryption of systems and theft of data to the threat of more destructive attacks as a follow-up to the initial ransom demand. Attackers have previously upped the ante by performing DDoS attacks on still-functioning parts of the victim’s network and by directly targeting individual directors, stakeholders, employees, or customers, which is also likely to continue.
- Disruption of contingencies, such as backups. Whilst recovering from backups is not always reliable due to outdated backups, the absence of immutable backups stored in a segregated storage location, or unfeasible restoration times, they still present the best last option for organisations facing network-wide compromise. Attackers have a history of targeting backups, as exhibited by groups such as Conti and Yanluowang. This could be dialled up further by targeting known offsite backup facilities or third-party data centres as part of coordinated ransomware attacks. Whilst there has been no public report of a major attack affecting a cloud service provider to date, this should not be considered outside the realms of possibility.
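The bullet above lists what makes a backup unreliable when the network as a whole is compromised: it is outdated, it is not immutable and segregated from the production network, it has never been restore-tested, or it cannot be restored within the time the business can tolerate. The following is an added example, not JUMPSEC's code, of a small readiness check over a backup inventory. The inventory, field names (`immutable`, `segregated`, `restore_hours` and so on) and the RPO/RTO targets are all constructed for the example; a real check would read them from the backup platform.

```python
"""Added example (not from the original article): assess whether each
system has a backup copy that would survive a network-wide compromise
and still meet the recovery targets the organisation has set.

All data below is constructed; the field names are assumptions, not a
real backup product's schema.
"""
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic.
NOW = datetime(2023, 1, 10, 8, 0)

# Constructed inventory: one entry per backup copy of a system.
INVENTORY = [
    {"system": "fileserver", "taken": "2023-01-09T23:00", "immutable": True,
     "segregated": True, "last_restore_test": "2022-12-20", "restore_hours": 6},
    {"system": "fileserver", "taken": "2023-01-10T01:00", "immutable": False,
     "segregated": False, "last_restore_test": "2023-01-02", "restore_hours": 2},
    {"system": "erp-db", "taken": "2022-11-01T02:00", "immutable": True,
     "segregated": True, "last_restore_test": "2022-06-01", "restore_hours": 40},
    {"system": "mailgw", "taken": "2023-01-10T00:30", "immutable": False,
     "segregated": True, "last_restore_test": None, "restore_hours": 3},
]

# Constructed recovery targets: maximum data loss, maximum restore time,
# and how recently a real restore must have been exercised.
TARGETS = {
    "rpo": timedelta(hours=24),
    "rto_hours": 12,
    "restore_test_max_age": timedelta(days=90),
}


def assess_backups(inventory, targets, now=NOW):
    """Return {system: {"ok": bool, "issues": [...]}}.

    Only copies that are both immutable and stored in a segregated location
    are counted, because those are the ones an attacker with domain-wide
    access cannot simply encrypt or delete. The newest such copy is then
    checked against RPO, RTO and restore-test age.
    """
    by_system = {}
    for copy in inventory:
        by_system.setdefault(copy["system"], []).append(copy)

    report = {}
    for system, copies in by_system.items():
        resilient = [c for c in copies if c["immutable"] and c["segregated"]]
        if not resilient:
            report[system] = {"ok": False,
                              "issues": ["no immutable, segregated copy"]}
            continue

        newest = max(resilient, key=lambda c: datetime.fromisoformat(c["taken"]))
        issues = []

        age = now - datetime.fromisoformat(newest["taken"])
        if age > targets["rpo"]:
            issues.append(f"newest resilient copy is {age.days}d old "
                          f"(RPO {targets['rpo']})")

        if newest["restore_hours"] > targets["rto_hours"]:
            issues.append(f"estimated restore {newest['restore_hours']}h "
                          f"exceeds RTO {targets['rto_hours']}h")

        test = newest["last_restore_test"]
        if test is None or now - datetime.fromisoformat(test) > targets["restore_test_max_age"]:
            issues.append("restore test missing or overdue")

        report[system] = {"ok": not issues, "issues": issues}
    return report


if __name__ == "__main__":
    for system, verdict in assess_backups(INVENTORY, TARGETS).items():
        status = "OK " if verdict["ok"] else "FAIL"
        print(f"{status} {system}: {'; '.join(verdict['issues']) or 'meets targets'}")
```

In the constructed data the file server passes because its older copy is immutable and offsite, even though the newer copy is not; the ERP database has a resilient copy but it is stale, slow to restore and untested; and the mail gateway has no copy that would survive at all. The point of checking only resilient copies is that a fresh, fast backup sitting on the same domain is exactly the kind of contingency the passage describes attackers disrupting.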
Given the trend of organisations opting not to renew their insurance policies, this could create a finite window of opportunity early in 2023 for attackers looking to take advantage of existing policies while they last and maximise the chance of a payout.
Although unlikely, reduced means for victims to pay a ransom could also force attackers to compromise in some capacity. Issues such as the substandard decryption tooling provided by some ransomware operators (resulting in organisations having to rebuild despite also paying the ransom) could encourage attackers to work on the reliability of their ‘service’ to make ransom payment seem the more viable option. It could also see ransom values fall to increase the feasibility of ransom payment without insurance cover.
3. The number of fines issued by the Information Commissioner’s Office (ICO) in the wake of ransomware attacks will rise.
2022 saw the first fines issued by the ICO following data breaches as a result of cyber attacks, setting a clear precedent for 2023 and beyond. The fines issued by the ICO for Interserve Group and Tuckers Solicitors LLP are notable in that they penalise the absence of expected controls and negligent information security, rather than the mere fact of falling victim.
In March, Tuckers Solicitors was fined £98,000 after a ransomware attack saw sensitive information, including medical and witness statements, published on the dark web. Tuckers patched five months after an NCSC alert flagged exploitation of a critical vulnerability affecting Citrix. While it was not conclusively established that this vulnerability was the attacker’s route into Tuckers’ network, the delay in patching was cited as contravening data protection regulation and contributing to an inadequate security posture that left Tuckers exposed to cyber threats. The ICO’s statement referenced the absence of fundamental security controls such as multi-factor authentication, poor patch management, and failure to encrypt personal data.
In October, Interserve Group was fined £4.4m for failing to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. An Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation. The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems. In particular, the ICO criticised Interserve’s failure to implement a range of best practice controls and countermeasures, which its own policy statements incorrectly and deceptively stated were in place.
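The Interserve chain above is a detection failure as much as a prevention failure: the anti-virus did quarantine the malware and did raise an alert, but nobody checked whether the host showed any sign of the attacker still being present. The following is an added example, not JUMPSEC's or the ICO's material, of the kind of triage logic that turns such an alert into an escalation when the same host shows follow-on activity shortly afterwards. The log events, host names and event types are constructed for the example and are not a real product's schema.

```python
"""Added example (not from the original article): escalate an anti-virus
quarantine alert when the same host shows follow-on activity afterwards,
instead of treating the quarantine as the end of the matter.

The events below are constructed; the field layout (host, timestamp,
event, detail) and event names are assumptions for the example.
"""
from datetime import datetime, timedelta

# Constructed endpoint events. WS-0412 mirrors the pattern in the text:
# malware quarantined, then signs that something is still active on the host.
SAMPLE_EVENTS = [
    ("WS-0412", "2022-05-03T09:14:02", "av_quarantine", "trojan dropper quarantined"),
    ("WS-0412", "2022-05-03T09:21:40", "new_scheduled_task", "unsigned binary in user profile"),
    ("WS-0412", "2022-05-03T09:25:11", "outbound_connection", "203.0.113.17:443 first seen from host"),
    ("WS-0077", "2022-05-03T10:02:55", "av_quarantine", "adware quarantined"),
    ("WS-0077", "2022-05-03T11:40:00", "user_logon", "interactive logon"),
    ("WS-0099", "2022-05-03T11:45:00", "outbound_connection", "203.0.113.17:443 first seen from host"),
]

# Event types that indicate a foothold beyond the file the AV removed.
FOLLOW_ON_EVENTS = {
    "new_scheduled_task", "new_service", "outbound_connection", "lateral_logon",
}


def triage_quarantine_alerts(events, window=timedelta(hours=1)):
    """Return {host: {"status": "review" | "escalate", "reasons": [...]}}.

    Every quarantine is recorded for review. If a follow-on event occurs on
    the same host within `window` of the quarantine, the host is escalated
    and each follow-on event is appended to the reasons so an analyst sees
    the sequence rather than a lone AV notification.
    """
    verdicts = {}
    last_quarantine = {}  # host -> datetime of most recent quarantine

    for host, ts, event, detail in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if event == "av_quarantine":
            last_quarantine[host] = when
            verdicts[host] = {"status": "review",
                              "reasons": [f"quarantine at {ts}: {detail}"]}
        elif (host in last_quarantine and event in FOLLOW_ON_EVENTS
              and when - last_quarantine[host] <= window):
            delay = int((when - last_quarantine[host]).total_seconds())
            verdicts[host]["status"] = "escalate"
            verdicts[host]["reasons"].append(
                f"{event} {delay}s after quarantine: {detail}")
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage_quarantine_alerts(SAMPLE_EVENTS).items():
        print(f"{verdict['status'].upper():8} {host}")
        for reason in verdict["reasons"]:
            print(f"    - {reason}")
```

Hosts with follow-on activity but no quarantine (WS-0099 in the sample) are deliberately left to other detections; this rule only answers the narrow question the passage raises, which is whether a warning the organisation already received deserved a second look.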
In the wake of the fine, John Edwards, UK Information Commissioner, said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
The difference in the size of the fines issued is largely attributable to the disparity in company size and turnover but also potentially sends a message that the type of negligence exhibited by Interserve is deemed particularly serious in terms of non-compliance with its own policies. In any case, organisations that fail to keep up to date with the latest expected best practices will be increasingly penalised in the future.
4. Organisations will consolidate their stack of security products and tools in the face of economic pressures.
With the global economy struggling and the UK in particular heading for the “longest recession since records began”, it’s clear that cyber security budgets will inevitably feel the pinch.
Organisations will likely seek efficiencies by consolidating their security tools and technologies. The historical solution for many cyber security problems is to buy a tool which promises to solve said problem. The desire to purchase new, shiny products to solve a problem often ignores where existing tooling may be able to deliver the same advantages. Also ignored is what is required for the security team to make use of the information and capabilities presented by the tool. In reality, more tooling creates more noise and consequently more work for analysts, without necessarily delivering more value.
During a recession, the cyber security market may have to deviate from its largely product-driven economy. The venture funding pumped into many cyber security product areas far exceeds the Annual Recurring Revenue (ARR) of those areas. Many organisations and investors are bracing themselves for a market crash as a result.
Investors are showing signs of pulling back from their investments – with startups being hit particularly hard. Cybersecurity seed deal volume fell in Q3 by 19.5% year-over-year, and in particular, Cybersecurity Series A deals plunged 43%, with a 10% drop in median valuation. At the same time, organisations are slashing their ARR outlook and announcing significant layoffs to compensate – companies such as Snyk and Cybereason separately announced significant layoffs during the last week of October, cutting their workforces by 198 and 200 workers and representing 14% and 17% of their workforces, respectively. In total, 32 cybersecurity firms have announced layoffs or restructuring since early May, indicating a focus on profitability over growth across the industry for arguably the first time.
After unprecedented growth that continued throughout the COVID-19 pandemic, security providers are now being forced to adapt to economic pressures. This change will also impact key security stakeholders in many organisations: incoming CISOs, who have previously used a shakeup of security tools and services as an important lever when joining a new company, may instead have to “mend and make do”.
There remains a demand for cyber security expertise, as highlighted in the NCSC Annual Report, with an annual shortfall of over 14,000 people in the UK cybersecurity workforce and over half of businesses lacking basic technical cyber skills. Providing continuous support as-a-service is likely vital for many organisations struggling with a lack of in-house skills and knowledge – particularly SME organisations that do not have the resources to fund a permanent cyber security team.
While cyber security firms have historically relied on the development of their own proprietary tooling (driven by the availability of investment even where a crowded market already exists), managed service providers can deliver the most value for clients by working with the tooling and products they have already invested in – helping them to untangle and de-duplicate the stack, and extract more value from their historical investment.
In such times of crisis, we can expect security product vendors to double down with wildly exaggerated marketing messaging. Organisations should learn from the lessons of recent years that such silver bullet solutions are a fallacy and instead invest in the knowledge and support needed to fully utilise their existing tooling and technologies.
5. Cyber risks will receive greater visibility at an executive level and be better integrated with functional risk management across the business.
The escalation of ransomware attacks in recent years has encouraged non-security professionals to think differently about the risk that cyber threats pose to businesses.
Businesses are coming around to the realisation that all modern companies are also technology businesses, irrespective of their industry sector or the nature of their product or service. A study by Gartner earlier this year found that 89% of board directors say that digital business is now embedded in all business growth strategies. Notably, directors cited CEOs as the primary leader responsible for driving digital business initiatives within the enterprise ahead of the CTO and CIO. This paradigm shift in responsibility for digital transformation means that non-security stakeholders are beginning to acknowledge the inherent risks associated with the digital technologies that underpin enterprise.
The lessons of the COVID-19 pandemic have also taught businesses that anything can happen and that single events can have a systemic impact on all areas of the business. It is almost guaranteed that no organisation had pre-prepared contingencies for such an event in their crisis management playbook. The pandemic also illustrated the importance of digital infrastructure for businesses to continue to operate remotely.
As a result, figures such as the CISO are becoming more involved in the company’s overall risk management and mitigation. According to a recent study, 80% of surveyed companies said they had made moderate or significant progress in increasing their CEO’s engagement in cyber security matters in 2022. The CISO is now closely aligned with C-level executives to keep them informed about cybersecurity risks and initiatives to mitigate the threat. The board of directors has become increasingly cyber aware and expects the CISO to present the organisation’s cybersecurity posture to them more frequently than ever.
Similarly, a 2021 Gartner study found that 88% of Boards of Directors viewed cybersecurity as a business risk, not solely a technology risk. However, only 12% had a dedicated board-level cybersecurity committee. Further, a 2022 study found that only 30% of surveyed organisations had a ransomware-specific playbook despite increasing recognition of the threat.
We expect responsibility for managing cyber risk to become more distributed across the functional areas of a business, with cyber threats treated as a mechanism through which different business risks can be realised rather than as isolated cyber or IT problems. Cross-departmental cyber security committees and working groups should become more common, and both operations and senior management boards will have to become more cyber conscious and literate. Equally, crisis simulation exercises and disaster recovery planning for cyber attacks with a systemic impact (such as ransomware) will become more frequent and receive greater acknowledgement from non-security stakeholders.
Dan Green
Head of Enablement
As Head of Enablement at JUMPSEC, Dan is responsible for shaping the solutions that JUMPSEC offer, working with our clients to ensure we deliver the outcomes they need.