Fitch Ratings (New York/Chicago): The recent proliferation of ransomware attacks underscores how cyber risk is cutting across sectors and becoming a growing global security and financial threat, Fitch Ratings says.
The volume, size and sophistication of ransomware attacks are expected to increase, as the risk of criminal prosecution remains low and profit incentives remain high. Fitch views the increase in attacks and severity as a credit negative; however, every incident will be evaluated within the context of each issuer’s credit profile.
Ransomware attacks increased 485% in 2020 globally, according to Bitdefender, accounting for nearly one-quarter of all cyber incidents, with total global costs estimated at $20 billion, per Purple Sec. Ransomware attacks that threatened to release stolen data are rising and were 77% of total attacks in 1Q21. This has helped drive up the cost of ransomware attacks, with the average ransom payment in 1Q21 of $220,298, up 43% from 4Q19, according to Coveware.
Recent incidents may spur internationally coordinated public and private efforts to help prepare for and mitigate against ransomware attacks. The Institute for Security and Technology recently issued a Ransomware Taskforce report indicating that combating ransomware should be a global priority. The US Justice Department has established a ransomware taskforce with the FBI and federal prosecutors to increase coordination with the private sector and other agencies.
Issuers with less sophisticated networks, security systems and IT departments may be most vulnerable to attack, but downside risk potential is higher at larger and more strategically important entities. Ransomware targets every sector and geography, but certain sectors have proved more attractive targets than others.
Professional services firms, such as small law and financial services firms, are popular targets of ransomware attacks as they typically possess valuable personally identifiable information, payment data, or intellectual property. Cyberattacks against schools, local governments and healthcare providers more than doubled to 2,354 in 2020 from 966 in 2019, according to Emsisoft.
Payment of the ransom does not guarantee that stolen files will be returned or remain undistributed, or that a working decryption tool will be provided. Paying a ransom can expose financial firms to increased financial and compliance risk, including under Know Your Customer (KYC), Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) laws.
US cyber insurance direct written premiums increased approximately 22% in 2020 to almost $3 billion, and the direct loss ratio for standalone cyber rose to 73% in 2020, the highest level recorded in the six years data have been available. While specific loss cost drivers are not reported, the increase in ransomware is a factor behind the higher losses.
Cyber insurance typically covers ransomware payments and the forensics associated with cyber events. Beazley’s CEO recently stated that the insurer would not exclude extortion payments from policies but called on governments to legislate whether such payouts align with public policy. However, Axa S.A., a leading writer of cyber insurance in France, recently announced it would no longer cover ransomware payments under cyber insurance policies in France. This may lead other market participants and jurisdictions to follow suit.
Without the ability to transfer the risk, affected companies would face increased financial risk from a ransomware attack, which is a credit negative. Other credit considerations would be the impact on reputational, operational and regulatory risks. Excluding ransomware payments from policies would be a credit positive for insurance companies in the near term, as the ability to accurately price ransomware risk remains elusive.