13 September 2016
Insurance

Paying ransoms to online criminals increases the growing cyber threat

Just as paying kidnappers is widely outlawed, with people understanding that doing so encourages more crime of this nature, bending to the ransom demands of online criminals will also fuel bigger and more prevalent ransomware attacks in the future.

That is the view of Adrian Guttridge, general manager, global business process services (P&C, F&A), at Xchanging, who warns that insurers should also take steps to avoid becoming the victims of such attacks themselves.

“Insurers are on the front line protecting customers from cyber crime, but as hacking becomes more organised and widespread, the pressure grows to ensure insurance companies do not fall victim themselves,” he said.

“We are in an era of industrialised cyber attacks. The stereotypical computer geek in his basement breaking into companies to impress likeminded people has been replaced by criminal groups more likely to employ highly skilled, low-wage labour in countries such as Estonia, the Ukraine or China to commit large-scale cyber breaches.”

He added that the techniques used by cyber criminals have become increasingly sophisticated and difficult to detect, such as the use of ransomware to steal information, cause reputational damage or extort money.

He gave several examples of organisations that have found themselves in a difficult position when criminals have hacked into a computer system and demanded money in exchange for the return or decryption of the company’s files.

In February 2016, Hollywood Presbyterian Medical Center was the target of a ransomware attack when it was locked out of its electronic health record systems for a week while it negotiated with the criminals.

“Patients’ lives were at risk, and the centre ended up paying the attackers $17,000 in bitcoin,” Guttridge said.

Also earlier this year, cyber thieves targeted Bangladesh’s central bank and tried to steal $1 billion. The criminals used stolen credentials to make requests to transfer cash appear legitimate.

“If these requests had gone unchallenged, the bank would have lost around $1 billion,” he said.

“Nevertheless, the cyber thieves are believed to have got away with about $80 million—one of the largest known bank robberies in history.”

In 2015, the number of businesses across the globe that reported being the target of ransomware scams increased by almost 170 percent, according to some estimates, but Guttridge noted that many incidents go unreported. Ransom demands can be quite small since the hacker’s objective is to infect as many computers as possible and to be paid off quickly.

He notes that the use of bitcoin instead of traditional currency has supported the proliferation of these attacks as cyber criminals can extort funds through anonymised transactions without being traced.

“These developments make the challenge of understanding clients’ exposures to cyber risk more challenging. However, insurers and underwriters must prioritise their own cyber security, particularly given that the vast amounts of client data they hold make them attractive targets to criminals,” he said.

