Cyber-attacks doubled since 2020 – QBE research

The number of disruptive and destructive global cyber-attacks taking place each year will increase by 105% to the end of 2024, according to a QBE research paper, headed “Connected Business: digital dependency fuelling risk”.

The trend shows strategically significant, disruptive and destructive global cyber-attacks will more than double this year to a projected 211, compared to 103 five years ago, in 2020, according to the report, launched today.

The chart below gives the headline number of annual disruptive and destructive global cyber-attacks.

The NotPetya mass cyber-attack is one such example, QBE noted. It resulted in infections across Europe, North America and Asia Pacific. The associated NotPetya malware caused an estimated US$10bn in damages.

These types of disruptive and destructive attacks are far rarer than data loss or simple device compromises type incidents that are in the 1,000s or 10,000s.

The forecast comes as the new Labour UK Government considers legislation to strengthen the UK’s cyber security, following a series of damaging cyber-attacks and events, outlining plans for a Cyber Security and Resilience Bill in the King’s Speech in July.

CrowdStrike’s Falcon Sensor failure on 19 July 2024 cost Fortune 500 companies US$5.4bn in damages and US$25bn in share value, excluding Microsoft.

Cybercriminals were quick to exploit the event, QBE noted, launching phishing campaigns with CrowdStrike-related lures, seeking to compromise systems, steal data and extort victims.

QBE’a analysis for the UK showed the majority (69%) of medium to large sized businesses were disrupted by cyber-events in the past 12 months.

QBE asked more than 300 IT decision makers their views on the cyber landscape and threats.

Alarmingly, the insurer said 78% of businesses are concerned about cyber threats they may face, with more than half (51%) expecting a cyber event in the next 12 months.

Despite these risks, a third (36%) of businesses said they do not have an incident response plan, and nearly half (43%) don’t have any form of cyber insurance.

In response to CrowdStrike, 57% of all businesses said they would look into purchasing or expand their insurance coverage.

“In some parts of the world, take-up for cyber insurance has been slow but as more businesses see their competitors making use of it and see the disruption caused by events, it is spurring them on to look for coverage themselves,” said David Warr QBE’s insurance portfolio manager for cyber.

“CrowdStrike has contributed to changing perceptions of cyber risk and cyber protection. It has raised awareness of the types of events covered under a cyber policy, with cover provided for both security incidents as well as operational issues,” Warr said.

Businesses consider artificial intelligence (AI) to be more useful for their cyber security with 32% of businesses saying it will improve their cyber protection compared to 15% of businesses thinking AI will increase cyber risks. QBE said there was a need for improved cyber contingencies in the economy.

“AI is both a hindrance and a help to the cyber landscape. As AI becomes more widely accessible, cybercriminals and cyber activists can launch larger-scale attacks at a faster pace. This increased capability in scale and speed brought on by AI could threaten the cyber domain. However, controlled and managed use of AI can also help detect cyber vulnerabilities,” he said.

“Companies in the UK and around the world both big and small should be building up their resilience to both mitigate against cyber threats and be prepared to act in the event of a cyber-attack,” Warr added.

Cost and frequency

• The number of ransomware attack victims will increase by 11% from 4,698 in 2023 to 5,200 in 2025 with manufacturing, healthcare, IT, education and government sectors particularly at risk.
• The average ransom payment in 2023 increased five-fold to USD$2m compared to USD$400,000 the previous year.
• The vast majority (78%) are concerned about cyber threats their business may face.[1]
• Nearly half (47%) of businesses say they suffered from a cyber event requiring corrective action in the past 12 months.
• Looking ahead, half (51%) of businesses expect a cyber event requiring corrective action in the coming 12 months.
• Nearly half (47%) of all businesses were disrupted by cyber events in the last 12 months.

10 tips for cyber hit firms

QBE said it has developed a range of tools and risk services for clients to help reduce their cyber risk and assist with recovery during a cyber event.

The insurer offered 10 tips for businesses hit by a cyber-attack.

1. Contain the issue: isolate affected parts of the network to reduce the impact

2. Evidence preservation: keep the network area running to retain critical evidence

3. Evidence handling: avoid deleting or altering any information that could aid in incident investigations

4. Notify your insurer’s breach response team

5. Activate your incident response plan: notifying the crisis management team to ensure decisions can be made swiftly

6. Think twice about paying ransoms: paying ransoms does not guarantee that data will be returned and can be illegal

7. Communicate carefully with stakeholders: Ensure that accurate information is provided to manage expectations

8. Identify the extent of the effect on suppliers, clients and other third parties

9. Identify any deadlines that may be affected by the incident, such as payroll

10. Regularly test your response plan against different breach scenarios.

Risk mitigation

• Despite the growing risk, more than two in five (43%) say their business does not have a cyber insurance policy and more than a third (36%) do not have an incident response plan to address a cyber event.
• A third (34%) of those without cyber insurance stated that it was ‘not a priority’ for their business, despite a significant increase in cyber events over the past few years.
• The recent CrowdStrike cyber outage has had a significant impact on businesses’ attitudes to cyber risk, with 61% saying they would increase their cyber insurance as a response, and 45% of those without insurance saying they would look at purchasing cyber insurance, and over one in 10 (12%) saying they would definitely purchase it.
• Asked why their business does not have currently have cyber insurance – they cited the top reasons are – it is not a priority, it is too expensive and they believe their business wouldn’t be a target.