Global operators of ports and terminals will likely find a more competitive market for cyber insurance this year after a slowdown in ransomware attacks. Last year, the number of ransomware attacks caused premiums to increase and made capacity more difficult to find.
That was the welcome news delivered to delegates at the first event in the WTW Ports and Terminals Risk Forum Webinar Series, Pivot to proactivity: How ports and terminals can manage cyber risk.
The bad news? The number of cyberattacks against ports and terminals operators is likely to continue to rise this year as the sector is increasingly recognized by criminals for its critical role in the global supply chain.
105% jump in industry-wide ransomware attacks year on year.
The insurance market saw a marked increase in cyber losses, cyber claims and related notifications, particularly in 2021 – as the number of industry-wide ransomware attacks leapt 105% year on year to 623.3 million; premiums rose in response to the number of claims.
Specific attacks against ports and terminal operators appeared unrestricted by geographic boundaries, with intrusions recorded as far afield as Los Angeles and Mumbai and, in Europe, in London, Lisbon and Antwerp. It clearly became a global issue for the sector.
These events and others prompted Alejandro Mayorkas, the US Secretary for the Department of Homeland Security, late last year to describe cyberattacks as a significant threat to U.S. ports.
While the number of ransomware attacks reportedly fell 23% in 2022 across all sectors, the European Union Agency for Cybersecurity (ENISA) believes poor reporting transparency continues to hide the size of the problem.
“The fact that we were able to find publicly available information for 17% of the cases highlights that, when it comes to ransomware, only the tip of the iceberg is exposed and the impact is much higher than what is perceived,” the agency said in its latest report, published in July 2022.
While about 90% of ransomware attacks reportedly fail, or result in no losses to the victims, delegates at WTW’s webinar heard that the ransoms that are being paid appear to be giving both state and non-state actors the resources and incentive to expand their larceny.
And a continued expansion of the global damage being caused by ransomware each year is exactly what is being predicted by experts. Cybersecurity Ventures, a US-based leader of research into the global cyber economy, last year forecasted that ransomware attacks will cost their victims more than $265 billion annually by 2031, up from the $11.5 billion it previously forecast for 2019.
Expectations of exponential growth were echoed by speakers at the WTW webinar before discussion turned to the types of costs that companies could incur from a cyberattack.
Delegates were told that, following a cyberattack, ports and terminal businesses were likely to require IT forensic support to identify the source and depth of the incursion. For ransomware attacks, early costs could be associated with hiring extortion advisers to potentially shed light on the identity of the hacker, and subsequently advise on strategy and tactics.
If it is ultimately decided to pay a ransom – a position that may change as the scale of business disruptions or data exposures mount – that cost would be added to the list.
Next are the interim legal costs, as companies seek to understand their regulatory liabilities associated with the growing number of national, regional and industry standards adopted for cyber security and data protection. In Europe, this will include new standards such as those under the EU's new NIS2 directive, which member nations have until 17 October 2024 to adopt into law.
Legal costs also may be incurred when victimized companies look for help getting up to speed with the public and business notification requirements for exposed data protected by initiatives such as the EU’s General Data Protection Regulation.
Then there are the ‘increased costs of working’ if a company’s systems are interrupted to the extent that third parties need to be hired to support day-to-day activities, resulting in lower profits.
Longer term, there may be regulatory defense costs or fines and claimant costs resulting from data-protection or corporate confidentiality claims, depending on the types of data lost.
When it comes to designing organizational cyber defenses, delegates were told that there are as many definitions for best practice as there are cyber security standards; all had degrees of merit. But, for companies without a bottomless pit of money for cyber defense, it was important to build a system that is proportionate and responsive to the business interruption risks being faced.
Rather than focusing on what security standards literally say or achieve, best-practice cyber strategies need to be designed to protect the systems that are most critical to business continuity, with specific focus on the known vulnerabilities within those systems. Most importantly, because no strategy eliminates all risks, a strategy must assume breaches and therefore place a strong emphasis on the response plan.
Delegates at the webinar were informed that insurance products were not meant to be holistic solutions. They work in tandem with a company’s front end cyber security strategies to absorb the residual risks that cannot be fully eliminated by those strategies.
Unlike property policies that seek to cover almost all potential perils, unless they are specifically excluded, cyber policies by design are named peril policies; and those perils can extend far beyond system attacks from criminal third parties.
While cyberattacks gain the most notoriety, and therefore public attention, cyber policies extend beyond malicious activities to help protect businesses and their owners against losses from technical malfunctions and human error.
If named, these policies can include cover for errors by contractors working on company networks, performing software and hardware upgrades, IT migrations and other malfunctions that can prove to be just as disruptive to ‘business as usual’ and organizational profits as cyberattacks. They also can help to mitigate losses from any technical breakdowns in increasingly automated and connected IT or operational technology networks.
Broadly focused on first- and third-party losses, today’s cyber policies are designed to indemnify, amongst other things, loss of profit and increased costs from business interruptions, ransom payments, the hiring of advisors and technical experts, crisis-management activities, and data restoration.
Whether business owners are looking to build or adapt front line cyber defense strategies or choose effective insurance products to cover the residual risks, knowledge is power.
To conclude the session, delegates were advised of the importance of using analytics to aid decision making: to gain insight into cyber incidents and identify where losses come from and how to prepare, as a basis for quantifying their own exposures, and as a peer benchmarking tool.
This article has been written by the WTW Ports and Terminals Forum – a unique community created by WTW to provide a platform for the debate on the sector’s current challenges.