Pandemic cyberattacks targeting businesses. Where hackers target, risks for the smallest

The recent cyber attack on the Issuing Bank is one of dozens of incidents recorded annually, many of which will not see the light of day unless they involve large organizations or enterprises. Similar reported incidents have been linked to the 2022 cyberattack on ELTA and DESFA at Hellenic Armed Defense Systems, as well as the attack on a major food company and a major tech company that occurred in the recent past but has become less well known.

According to official data from the Association of Insurance Companies of Greece (EAEE), cyber attacks were recorded in 2021 at 26 of the 707 Greek businesses covered by cyber insurance (for 2022, there is no official record yet). But this is a small part of the real number of cyber attacks that took place, because the vast majority of Greek businesses are not insured against cyber risks. According to Kostas Voulgaris, member of the Property Liability Committee and head of the EAEE Cyber Working Group, the number of insured businesses did not exceed approximately 1,000 in 2022. The low percentage among all businesses “is due to the low awareness about insurance that characterizes Greek society and entrepreneurship in the country”, says Mr. Voulgaris.

Cyber attacks are one of the fastest growing risks worldwide, with damage estimated by Cybersecurity Ventures to be as high as $10.5 trillion in 2025, causing experts to compare the turnover of this modern threat with the proceeds from illegal activities such as drug sales. Munich Re puts global cyber insurance premiums at $9.2 billion (early 2022) and estimates that they will reach around $22 billion by 2025. The threat landscape focuses on ransomware, supply chains, and critical infrastructure.

Weak links

According to Mr. Voulgaris, would-be hackers target not only large government organizations or large private companies, but also small businesses such as small tourism units, or even freelancers such as doctors and accountants who store sensitive personal data of their clients in their databases. The common denominator of the attacks is usually extortion for ransom, and against this threat “no one is invulnerable”, he emphasizes. Among the businesses that are vulnerable, in addition to large financial institutions such as banks or infrastructure companies, most of which are insured, are hospitality units that deal with foreign residents, who are sensitive and more “suspicious” in matters of personal data protection. In addition to financial data, such as card data for online or in-store payments, targeting includes health data. A typical example would be a small hotel offering wellness services, spas, etc., for which the visitor fills out a short medical information sheet. Likewise, physicians or lawyers may be targeted for access to their clients’ personal data, with the ultimate goal of blackmailing well-known clients, as may accountants, who have access to their clients’ financial information and even hold access codes to government tax authority databases.

“Small businesses are more vulnerable because they logically have more limited means of protecting their data and infrastructure, so they need more protection. For the same reason that the rich can pay for the hospital if they get sick, unlike the poor who can’t pay for it,” notes Mr. Voulgaris. The damage done to a small hotel whose systems were shut down for 2 weeks can be many times greater than the damage done to a large group that can repair it in a short time, for the obvious reason that for a small business the resulting loss of income may be irreversible.

Most of the incidents that have been recorded in the Greek market ended without the payment of particularly large ransoms, as Mr. Voulgaris explains, without ignoring the fact that “many hackers may do this only to prove that they can, kind of like a trophy.” In many cases, the attacks are not so targeted, and there are many cases where hackers find a security hole in a program and “hit” any company that has this program on its systems. The case of WannaCry, which became one of the biggest attacks in Europe in 2017, was just a security hole that affected 250,000 businesses, from banks to the NHS, indiscriminately. Blind attacks are quite common, which means that a company need not have done anything to explain being targeted.

International experience

Ransomware operations are attracting more and more cybercriminals, and according to Chainalysis, ransomware operators received an average of $118,000 in ransom for a successful attack in 2021 (compared to $88,000 in 2020). CNA Financial alone paid members of the Phoenix hacker group a record $40 million. Ransomware attacks occurred every 11 seconds in 2021, according to Cybersecurity Ventures, and ransomware will remain a major source of damage in 2023. The numbers are significant. According to Cybersecurity Ventures, ransomware will cost its victims an estimated $265 billion a year by 2031. The situation is made even more worrisome by some emerging trends: experts see data destruction masquerading as data theft as a new successful form of ransomware, along with a concentration of ransomware attacks on cloud infrastructure.

From the beginning of 2020 to March 31, 2023, the Munich Re Data Analytics team observed that ransomware is by far the leading cause of cyber losses. While business and professional services were the industry with the most total claims, the financial impact of market loss was greatest in the financial industry.

Supply chain attacks have also been widespread and, according to ENISA (the European Union Agency for Cybersecurity), supply chain attacks quadrupled in 2021 compared to 2020, while digital attacks on energy suppliers, food suppliers, hospitals, administrative bodies and other critical infrastructure sectors peaked in 2021-2022. The supply chain will remain the preferred vehicle for cyberattacks, especially as critical bottlenecks and systemic risk targets (such as cloud services) increase due to the rapid development of digital products, services and connectivity. According to Gartner, by 2025, 45% of organizations worldwide will be attacked in their software supply chains, three times more than in 2021.

Attackers often plan their attacks for the long term and maximize impact by targeting supply chains and industrial or automated processes, Munich Re’s analysis points out. Examples include the attack on the Colonial Pipeline, when fuel shortages and market panic temporarily paralyzed regional infrastructure on the US East Coast and made world headlines. What received less media attention was an attack, thwarted in time, in the U.S. state of Florida, in which a hacker attempted to disrupt the supply of chemicals to a water treatment plant and poison water sources.

A ransom demand is not the only motivation for attackers targeting critical infrastructure. Such actors are often politically or otherwise motivated to cause maximum disruption of processes and systems in order to provoke economic and political instability. Some criminals also work with government agencies.

Awareness

Insurance experts compare companies’ awareness of the risk of cyberattacks to the time it took in the analog world to make seat belts mandatory in cars: it took 15 years or more for their value to be realized. Currently, despite the high level of cyber threat awareness, there is still a gap when it comes to actual risk insurance. Munich Re’s Global Cyber Risk and Insurance Survey shows that the percentage of decision makers who are seriously concerned about possible cyber attacks on their companies has increased significantly to 38% in 2022, compared to 30% the previous year.

Future cyberattacks will accelerate in line with key technology trends such as artificial intelligence (for example ChatGPT), the so-called “metaverse” and the expanding worlds of IT, the Internet of Things (IoT) and operational technology (OT). In addition to the growing sophistication of cybercriminal activities, organizations around the world are facing greater exposure than ever before to geopolitical conflicts, which are already beginning to have an unprecedented impact on cybersecurity.

Currently, 4.7 million experts around the world are working in the field of cybersecurity, trying to limit the global cost of cybercrime. Over the next five years, these costs are expected to grow from $8.44 trillion in 2022 to about $11 trillion in 2023, and potentially reach $24 trillion by 2027. There is a shortage, with a gap of 3.4 million cybersecurity workers needed to adequately protect organizations, and this gap will not be filled in the near future. In particular, there is a lack of specialists, for example to ensure the security of cloud or OT environments. Munich Re’s cybersecurity and risk management experts predict that this talent shortage, increasingly complex systems and digital infrastructure, the growing influence of geopolitics, and entrenched cyber risks will result in a turbulent threat landscape from 2023 onwards.

The degree to which cyber risks will increase due to geopolitical tensions is exacerbated not only by the Russian invasion of Ukraine, but also by tensions in other parts of the planet. In the future, this conflict and the global forces in position will be a key factor in cyber (in)security and make a systemic, catastrophic cyber event more likely. Munich Re expects that part of these cyber-geopolitical risks will be the targeting of critical infrastructure, intellectual property, or processes such as government elections, which will take place in some 70 countries in 2023 alone.

Author: Evgenia George

Source: Kathimerini
