Businesses worldwide are fighting sophisticated data scientists as they battle to protect their data-rich computers from cyber crime – and the costly attacks are not going to stop, a top expert at insurer Sompo Holdings Inc said on Tuesday.
“It’s like the Terminator: They’re just going to keep coming at you” because it is profitable, Brad Gow, global cyber product leader at Sompo International, said on a panel at the Reuters Future of Insurance USA conference, referring to the dystopian movies.
Criminals are “extracting hundreds of millions from Western insurance companies and other Western companies,” he said. “I don’t see that relenting until the money flow stops.”
Companies are facing more attacks and the cost of each is rising. Ransomware criminals charged about $350 per attack in 2017 and 2018 and targeted companies with revenue up to about $1 billion, Gow said. Now they target bigger firms and “we’re seeing demands of $30, $40, $50 million with some regularity,” Gow said. “It has really shocked the insurance market.”
Beyond ransom, costs include computer network and data restoration, business interruption and liability, said Meredith Schnur, U.S. & Canada cyber brokerage leader at Marsh USA Inc, a unit of Marsh & McLennan Companies Inc.
Some companies are finding insurers are unable to write coverage, Schnur said, meaning this is a “hard market” – a term she resisted using until this year.
In response, companies are strengthening defenses, and insurers are raising the cost of coverage, trends expected to continue. Companies also want data on how each protective control will help, and by how much, Schnur said.
“We can’t stop these things from happening,” she said. “We can be more prepared.”
Success is driving cyber crime, along with “outsourcing” of hacking technology. Sophisticated groups write powerful hacking tools, then sell “ransomware kits” or “software as a service,” enabling small criminal gangs to launch attacks.
“It might be that one guy, the rogue guy in the apartment,” said Allyn Lynd, managing principal at Lodestone, a cyber security unit of insurer Beazley Plc, who spent more than two decades at the FBI.
Companies that pay ransom risk violating the U.S. ban on funding terrorist groups, but at the moment, FBI agents “are not going to come back a second time and victimize the organization,” Lynd said.