GDPR v CCPA regulatory spotlight
London, UK (Nov. 20, 2019) – Aon has published a new edition of its Cyber Insights for Insurers newsletter. The November 2019 issue equips readers with the details of relevant trends in cyber underwriting and portfolio management, based on the latest developments in the threat and claims/regulatory landscape.
The passage of GDPR was a watershed event and has inspired new regulation in other jurisdictions. Most notably, businesses in the US are now contemplating their compliance requirements under the California Consumer Privacy Act (CCPA). Given this recent activity, we explore the latest information on data privacy laws and what they mean for insurers.
“Under CCPA, statutory damages eliminate the difficult task of calculating actual damages caused by a breach, which could encourage an uptick in lawsuits by data breach plaintiffs,” said Dawn Kristy, cyber expert for Aon’s Reinsurance Solutions business. “Cyber claim frequency is likely to increase due to the expanded definition of personal information. Moreover, the private right of action also paves the way for greater litigation, if the courts do in fact tamp down on the ongoing ambiguity in the Article III standing-to-sue rulings. Cyber claim severity is also likely to increase due to non-compliance fines and penalties as well as actual damages or statutory damages soon to be in play under the private right of action. But with restrictions on class-action lawsuits, the impact to severity is likely to be moderated. Businesses may find it easier to demonstrate that they did not violate their ‘duty to maintain reasonable security procedures and practices.’ Finally, while some reports have found that GDPR fines and penalties are not insurable, fines and penalties in California are more likely insurable.”
In addition, key findings include:
- Ransomware has increased significantly in both frequency and severity this year.
- Unfounded concerns have been raised about the potential linkage between having cyber insurance and being a ransomware target.
Cyber incident trends
Ransomware incident rates are up threefold since Q4 2018, largely due to the growth of Ransomware-as-a-Service (RaaS) and its increased adoption by cybercriminals.
Reports indicate that sophisticated organized crime groups are increasingly turning to ransomware, and the cost of ransomware attacks continues to rise across all sectors: the average ransom payment nearly tripled from USD 12,762 to USD 36,295 during the second quarter alone. The total cost of a ransomware incident to a company includes both recovery expenses (ransom payments, forensic fees and assistance rebuilding servers) and downtime costs. Average downtime increased from 7.3 days in Q1 to 9.6 days in Q3. Downtime costs are typically 5 to 10 times larger than the ransom itself, because of lost productivity and revenue opportunities.
RaaS variants are playing a key role in raising both downtime and frequency. RaaS lets even novice hackers and black-hat operators adopt the traditional Software-as-a-Service (SaaS) model to run a criminal enterprise. A developer writes the ransomware code and sells or rents it under an affiliate program, taking a quick profit from others who intend to launch attacks. RaaS providers may also offer an entire platform for managing ransomware campaigns, including payment handling and decryptor delivery. Various RaaS packages are available in the market, removing the need to write malware at all. This franchise-like deployment model allows virtually anyone to become an “affiliate” of an established RaaS package or service.
The most prolific RaaS tool during the quarter was REvil (also tracked as Sodinokibi). According to threat intelligence, REvil appears to have been developed by the same actors as the earlier RaaS variant GandCrab. Because each affiliate chooses its own delivery method, the method of initial compromise varies widely, from phishing to watering-hole attacks that compromise sites running the popular content management system (CMS) WordPress. Given these opportunistic methods, ransomware victims appear to be targets of opportunity rather than deliberately selected.
RaaS has contributed to upward trends in both claim frequency and claim severity, the latter because data recovery and the success rate of ransom payments have become less reliable. Both depend largely on the ransomware variant and the threat actor group behind it. Less reliable data recovery is symptomatic of novice affiliates operating RaaS kits, and it can turn an incident into a longer and more costly one. As many as 96% of organizations that pay a ransom receive a working decryption tool, but full data recovery is becoming less certain. Incident duration has increased for Phobos ransomware cases, where data recovery rates are as low as 85% because of the complex and unreliable decryption tools provided by its current criminal affiliates, who are typically less organized amateurs; this has led to protracted negotiations and complications during decryption. Sodinokibi uses an automated Tor site for payments, which provides victims with a decryption tool; even so, victims that paid for a decryptor lost 8% of their encrypted data during recovery. Ryuk ransomware caused even greater damage, with 13% of data lost during the recovery process.
For the rest of the Q3 Cyber Insights for Insurers newsletter, read or save the full issue at http://thoughtleadership.aon.com/documents/201911-cyber-insights-for-insurers-Q3.pdf.
About the Newsletter
Cyber Insights for Insurers, from the Cyber Practice Group of Aon’s Reinsurance Solutions business, aims to equip you with relevant trends and analysis to enhance your cyber insurance underwriting, portfolio management and claims handling, plus prepare you for changes in privacy law, the regulatory environment and the threat environment.
Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance. For more information, visit www.aon.com.
SOURCE: Aon UK Limited
Tags: Aon, cyber attacks, cyber risk, cyber security, Privacy, Ransomware-as-a-service (RaaS), trends