Cyber attack on high society jeweller
Multiple news outlets have reported a cyber attack on high-end jewellery firm Graff. Cyber criminals are said to have leaked up to 69,000 confidential documents, including details relating to David Beckham, Donald Trump, Oprah Winfrey and Sir Philip Green, and are thought to have demanded a ransom of tens of thousands of pounds to stop the release of further private information. In light of this attack, we outline the scale of the cyber attack risk in recent years and how it can be managed.
Ransomware attacks are increasingly hitting the headlines, with companies such as Colonial Pipeline, Toshiba and JBS all victims of cyber crime earlier in the year. The Colonial Pipeline attack in particular caused significant disruption to fuel distribution across the US East Coast, and the company paid a $4.4 million ransom. Unfortunately, ransomware demands of up to £1 million are no longer unusual.
Lindsey Nelson, Cyber Development Leader at market leader CfC Underwriting, says she is not surprised that blue-chip companies have been targeted in this way.
“Criminals are going to go after companies who are vulnerable, providing them with the path of least resistance, rather than companies who are valuable,” she says. “But the large Fortune 500 or FTSE companies typically have the perfect combination of being both extremely lucrative, while unfortunately having limited barriers of entry for criminals to penetrate their networks.”
“There can be several motivations behind criminal activity ranging from political state actors to hacktivists to rogue employee scenarios, but largely what’s fuelling crime is financial gain, and blue-chip companies are often targeted either directly or through smaller subcontractors and suppliers to gain access to their systems.”
Equally, she says, because ransomware is becoming increasingly sophisticated and now largely involves an element of data exfiltration, criminals gain access to a company's financial information, including its net profits, which makes it easy for them to size a larger extortion demand accordingly.
“Larger companies also tend to be incentivised to pay the ransom demands quickly due to the fear instilled by either strict fines or penalties under privacy legislation and to avoid subsequent negative publicity from the media resulting in customer attrition.”
Are attacks on the rise?
It is often said in the wider media that both the frequency and the severity of cyber attacks (not limited to ransomware demands) are on the rise; as far as Nelson is concerned, however, this is not necessarily accurate.
“Everyone in the insurance industry will have a vested interest in keeping both frequency and severity of cyber claims down, however, unlike some of the headlines, the frequency of cyber claims hasn’t increased in a significant way relative to the increase in the number of policyholders,” she says.
“What we are concerned about is the severity of cyber claims due to the proliferation of ransomware attacks against businesses, and the extraordinary extortion demands making the headlines which, in a relatively young line of insurance, can easily overtake the profitability of cyber as a line of business. Long gone are the days of WannaCry, where the average demand was £300 per victim; it’s not unusual these days to see extortion demands of up to £1M per victim, and that’s true across any industry, territory or size of business.”
Managing cyber risk
However, Nelson adds that while it is not possible to stop cyber crime in the foreseeable future, there are ways to manage it appropriately across client, broker and insurer channels. “Cyber insurers are increasingly seeing the benefit of providing continuous scanning services on behalf of their policyholders to find vulnerabilities specific to their business, driving the frequency of claims down and helping shut a company’s digital windows and doors. Providing an experienced, multi-disciplinary – and crucially – in-house incident response team will also help.”