Supply chain attacks are the next big threat in cyber-space: The attacks on Kaseya or Solarwinds have shown in a frightening way how profound and expensive the consequences can be for medium-sized businesses. Therefore, no company can avoid good cyber hygiene, says Michael Daum, Senior Cyber Underwriter at Allianz Global Corporate & Specialty in Central and Eastern Europe.
The employees of American IT company Kaseya just wanted to enjoy the weekend, on which this year Independence Day was also celebrated in the US. But then the holiday mood at the company’s US headquarters in Florida quickly came to an end. A cyberattack on the company, which claims to be the leading provider of information technology and IT security for small and medium-sized enterprises, not only hit the company hard. Kaseya’s software had also been manipulated by blackmail software in such a way that more than a thousand companies – mainly small and medium-sized enterprises – were affected. Among those who suffered was the Swedish supermarket chain Coop, which had to temporarily close 800 stores due to malfunctioning cash registers.
This example shows that even if you are not the direct victim of a cyber-attack, you can still feel the effects in your own company via the supply chain. Supply chain attacks are the next big trend in cyberspace, with experts at Allianz Global Corporate & Specialty (AGCS) observing two main types: First, we are seeing more attacks targeting software/IT service providers such as Kaseya and using them to spread the malware. Another example was the SolarWinds attack earlier this year, which affected tens of thousands of companies. All of the victims were using SolarWinds’s Orion software platform. Using a compromised update, the attackers were able to inject a backdoor, christened “Sunburst”, into the systems and networks of users of the listed US company. Such service providers or software vendors are likely to become prime targets for cybercriminals in the future, as they often supply hundreds or thousands of companies with software solutions and therefore offer criminals the opportunity for higher revenues.
Second, we are increasingly seeing attacks that target physical supply chains or critical infrastructure, such as the attack on the Colonial Pipeline, the largest oil pipeline in the US. Nearly half of all fuel consumed on the U.S. East Coast passes through the pipeline. As a result, parts of the country experienced gasoline shortages and airlines also felt the effects.
The attack pattern is similar in both cases. The attackers from cyberspace lock or encrypt the computer systems of their victims in order to extort a ransom (ransomware) from the users for the release. Not all attacks are targeted. Criminals also often take a shotgun approach to target those companies that are unconcerned about or unaware of their vulnerabilities and security holes. According to Accenture, the number of cyberattacks increased 125% globally in the first half of 2021 compared to the previous year, with ransomware and extortion attempts being one of the main reasons for this increase. According to the FBI and CISA, there was a 62% increase in ransomware incidents in the U.S. during the same period, following a 20% increase in the entire year of 2020. These trends in cyber risk are reflected in AGCS’ own claims experience. AGCS was involved in over a thousand cyber claims in total in 2020, up from around 80 in 2016; the number of ransomware claims increased by around half compared to 2019. In general, losses from external cyber incidents such as ransomware or distributed denial of service (DDoS) attacks account for the majority of the value of all cyber losses analyzed by AGCS over the past six years.
In view of these frightening figures, the understanding in large companies of the complex cyber risks and also of the possibilities of risk transfer has now increased significantly and is contributing to greater risk awareness. In small and medium-sized companies, on the other hand, there is still a clear need to catch up, as evidenced by our risk dialogues that are regularly conducted in the companies. For example, we found that multi-factor authentication (for remote access, privileged IT accounts or remote maintenance) is lacking in many cases or that employees have not been sufficiently trained against external attacks.
However, regular patching and two-factor authentication, as well as information security training, are just as important as good cyber hygiene in preventing ransomware attacks. Cybersecurity tools such as endpoint detection and response (EDR) services and anti-ransomware toolkits and services can also help prevent attacks, detect threats. Reliable response and business continuity plans are also key to mitigating the impact of a ransomware attack, with focused preparation and rapid response making all the difference in managing a crisis. Response plans should be regularly tested against ransomware scenarios, and roles, responsibilities and lines of communication should be clearly defined. Frequent backups, including of critical systems and data, are also critical to mitigating the impact and speeding recovery and operations. In the event of a ransomware or other cyber extortion incident, companies should follow their response plan and specifically inform senior management and the legal department. If the legal department is involved from the beginning, the risk of class action lawsuits or other legal claims that could be brought in the wake of the data breach can be reduced. If cyber insurance is in place, it is also recommended that the insurance carrier be informed from the outset to verify that the applicable cyber insurance policy provides coverage.
Regardless of the final confirmation of cover, cyber policyholders at AGCS benefit from 24/7 access to emergency services. These services typically include the services of a professional crisis manager, forensic IT support and legal advice. Another service offered is the free creation of a cyber crisis management plan. Our estimates suggest that the losses in around 80% of ransomware incidents could have been avoided if companies had followed basic security measures.
These figures show why, above all, a reliable response plan is so crucial: Business interruption damage and recovery costs are the biggest driver of ransomware damage. The average downtime after a ransomware attack is now 23 days, with total recovery and downtime costs also more than doubling in the past year. They have risen from around €700,000 in 2020 to €1.6 million in 2021. So when it comes to cyber business disruption, timing is everything. By the time a company pays a ransom demand after two weeks to obtain the decryption key, the business interruption loss has already manifested itself and the handsome cost of trying to restore systems and data has already been incurred. The cost of hiring forensic experts and legal advisors, for example, can be as high as €2,500 per day per head and easily reach a seven-figure sum.
We try to encourage our policyholders to avoid paying ransoms – especially as this only creates further incentives for the hackers’ criminal business model. The decision whether or not to pay a ransom is always made by the company in question. The better prepared the company is, the easier it will be to do without. In any case, the police authorities should be strongly involved from the very beginning. In Germany, the Federal Criminal Police Office is in charge, with which AGCS cooperates. The central office of the police continuously analyses current cybercrime trends and derives conclusions for the fight against cybercrime. This is important because cybercrime can only be successfully prevented and fought in close cooperation between businesses and security authorities. It cannot be done alone.
PREVIOUS POST
Cybersecurity Awareness Month
NEXT POST
Contribution to the EU Commission Public Consultation on the revision of the Cybersecurity Act
You may also like
External Engagement
Contribution to the EU Commission Public Consultation on the revision of the Cybersecurity Act
The Charter of Trust welcomes the opportunity to participate in the European Commission’s public consultation on the revision of the Cybersecurity Act. As a coalition united by the goal of strengthening digital trust, we are pleased to share our consolidated response and recommendations.
We support Policy Option 2, which focuses on targeted regulatory measures that address key challenges without creating unnecessary complexity. In this context, we emphasize the need to enhance the role and resources of ENISA, to ensure effective implementation of both current legislation and the European Cybersecurity Certification Framework (ECCF).
Our recommendations aim to improve transparency, collaboration, and efficiency across the EU’s cybersecurity landscape. These include:
- Introducing clear timelines for the development of certification schemes.
- Enhancing stakeholder engagement throughout the process.
- Establishing more structured communication channels between ENISA, the Stakeholder Cybersecurity Certification Group (SCCG), and sectoral ISACs (Information Sharing and Analysis Centers).
We call for a stronger ECCF, one that is transparent, inclusive, and aligned with international standards to foster global interoperability and ease compliance for organizations across borders. Equally critical is the harmonization of certification practices across EU member states and the mutual recognition of certifications to minimize regulatory fragmentation.
The Charter of Trust advocates for technically robust, standards-based certification schemes, with well-defined roles and responsibilities. We also stress the need for clarity on the interplay between voluntary and mandatory certifications, particularly in relation to the upcoming Cyber Resilience Act (CRA).
To streamline compliance and reduce administrative burden, we propose a unified, risk-based incident reporting regime that consolidates requirements under regulations such as NIS2, CRA, GDPR, and DORA. This would not only simplify reporting for organizations but also enhance the EU’s overall cyber resilience. In addition, we recommend incorporating liability protections and grace periods for incident disclosure.
Finally, we urge the Commission to strengthen supply chain security by adopting a risk-based classification approach and establishing baseline cybersecurity requirements for ICT suppliers.
The Charter of Trust remains fully committed to supporting the European Commission in shaping a secure, resilient, and trusted digital future for Europe. We look forward to continued collaboration in building a cybersecurity framework that meets the needs of all stakeholders, today and in the years to come.
We support Policy Option 2, which focuses on targeted regulatory measures that address key challenges without creating unnecessary complexity. In this context, we emphasize the need to enhance the role and resources of ENISA, to ensure effective implementation of both current legislation and the European Cybersecurity Certification Framework (ECCF).
Our recommendations aim to improve transparency, collaboration, and efficiency across the EU’s cybersecurity landscape. These include:
- Introducing clear timelines for the development of certification schemes.
- Enhancing stakeholder engagement throughout the process.
- Establishing more structured communication channels between ENISA, the Stakeholder Cybersecurity Certification Group (SCCG), and sectoral ISACs (Information Sharing and Analysis Centers).
We call for a stronger ECCF, one that is transparent, inclusive, and aligned with international standards to foster global interoperability and ease compliance for organizations across borders. Equally critical is the harmonization of certification practices across EU member states and the mutual recognition of certifications to minimize regulatory fragmentation.
The Charter of Trust advocates for technically robust, standards-based certification schemes, with well-defined roles and responsibilities. We also stress the need for clarity on the interplay between voluntary and mandatory certifications, particularly in relation to the upcoming Cyber Resilience Act (CRA).
To streamline compliance and reduce administrative burden, we propose a unified, risk-based incident reporting regime that consolidates requirements under regulations such as NIS2, CRA, GDPR, and DORA. This would not only simplify reporting for organizations but also enhance the EU’s overall cyber resilience. In addition, we recommend incorporating liability protections and grace periods for incident disclosure.
Finally, we urge the Commission to strengthen supply chain security by adopting a risk-based classification approach and establishing baseline cybersecurity requirements for ICT suppliers.
The Charter of Trust remains fully committed to supporting the European Commission in shaping a secure, resilient, and trusted digital future for Europe. We look forward to continued collaboration in building a cybersecurity framework that meets the needs of all stakeholders, today and in the years to come.
Read more
June 19, 2025
•
External Engagement
Advancing Regulatory Alignment at RSA Conference 2025
In the face of rising global cyber threats, over 50 CISOs have called for greater international alignment of cybersecurity regulations to strengthen defenses and reduce fragmentation. This message was echoed at RSAC 2025, where experts from the OECD, European Commission, academia, and industry emphasized the need for principle-based collaboration. The Charter of Trust, a long-time advocate for regulatory harmonization, continues to support coordinated, effective approaches that prioritize clarity over complexity.
Read more
May 01, 2025
•
External Engagement
Richards Skalt takes over the Advocacy Workstream
We are delighted to welcome Richard Skalt, Advocacy Manager at TÜV SÜD, as the new Leader of the Advocacy Workstream at the Charter of Trust. Richard steps into the role following María del Pino González-Junco, who recently assumed the position of Chair of the Global External Engagement Working Group.
With a strong background in advocacy and a forward-looking vision, Richard brings renewed energy to our mission of shaping a secure digital future. As he puts it:
“My motivation is to preserve and build upon the strong foundation of advocacy activities we’ve developed over the past years. At the same time, I’m committed to ensuring we’re in a position to shape the policies that will define how our business model and operations evolve in the future – including the cybersecurity of products and systems, the use, deployment, and distribution of robust AI solutions, as well as cloud security and secure datacenters.”
In a world defined by accelerating digital transformation and increasingly complex regulatory challenges, principled leadership and effective collaboration are more vital than ever. Under Richard’s leadership, the Advocacy Workstream will continue to engage policymakers, raise public awareness, and strengthen education around key issues such as cybersecurity, AI governance, and secure digital infrastructures.
With a strong background in advocacy and a forward-looking vision, Richard brings renewed energy to our mission of shaping a secure digital future. As he puts it:
“My motivation is to preserve and build upon the strong foundation of advocacy activities we’ve developed over the past years. At the same time, I’m committed to ensuring we’re in a position to shape the policies that will define how our business model and operations evolve in the future – including the cybersecurity of products and systems, the use, deployment, and distribution of robust AI solutions, as well as cloud security and secure datacenters.”
In a world defined by accelerating digital transformation and increasingly complex regulatory challenges, principled leadership and effective collaboration are more vital than ever. Under Richard’s leadership, the Advocacy Workstream will continue to engage policymakers, raise public awareness, and strengthen education around key issues such as cybersecurity, AI governance, and secure digital infrastructures.
Read more
April 29, 2025
•
