Hacker attacks on supply chains

Supply chain attacks are the next big threat in cyber-space: The attacks on Kaseya or Solarwinds have shown in a frightening way how profound and expensive the consequences can be for medium-sized businesses. Therefore, no company can avoid good cyber hygiene, says Michael Daum, Senior Cyber Underwriter at Allianz Global Corporate & Specialty in Central and Eastern Europe.

The employees of American IT company Kaseya just wanted to enjoy the weekend, on which this year Independence Day was also celebrated in the US. But then the holiday mood at the company’s US headquarters in Florida quickly came to an end. A cyberattack on the company, which claims to be the leading provider of information technology and IT security for small and medium-sized enterprises, not only hit the company hard. Kaseya’s software had also been manipulated by blackmail software in such a way that more than a thousand companies – mainly small and medium-sized enterprises – were affected. Among those who suffered was the Swedish supermarket chain Coop, which had to temporarily close 800 stores due to malfunctioning cash registers.

This example shows that even if you are not the direct victim of a cyber-attack, you can still feel the effects in your own company via the supply chain. Supply chain attacks are the next big trend in cyberspace, with experts at Allianz Global Corporate & Specialty (AGCS) observing two main types: First, we are seeing more attacks targeting software/IT service providers such as Kaseya and using them to spread the malware. Another example was the SolarWinds attack earlier this year, which affected tens of thousands of companies. All of the victims were using SolarWinds’s Orion software platform. Using a compromised update, the attackers were able to inject a backdoor, christened “Sunburst”, into the systems and networks of users of the listed US company. Such service providers or software vendors are likely to become prime targets for cybercriminals in the future, as they often supply hundreds or thousands of companies with software solutions and therefore offer criminals the opportunity for higher revenues.

Second, we are increasingly seeing attacks that target physical supply chains or critical infrastructure, such as the attack on the Colonial Pipeline, the largest oil pipeline in the US. Nearly half of all fuel consumed on the U.S. East Coast passes through the pipeline. As a result, parts of the country experienced gasoline shortages and airlines also felt the effects.

The attack pattern is similar in both cases. The attackers from cyberspace lock or encrypt the computer systems of their victims in order to extort a ransom (ransomware) from the users for the release. Not all attacks are targeted. Criminals also often take a shotgun approach to target those companies that are unconcerned about or unaware of their vulnerabilities and security holes. According to Accenture, the number of cyberattacks increased 125% globally in the first half of 2021 compared to the previous year, with ransomware and extortion attempts being one of the main reasons for this increase. According to the FBI and CISA, there was a 62% increase in ransomware incidents in the U.S. during the same period, following a 20% increase in the entire year of 2020. These trends in cyber risk are reflected in AGCS’ own claims experience. AGCS was involved in over a thousand cyber claims in total in 2020, up from around 80 in 2016; the number of ransomware claims increased by around half compared to 2019. In general, losses from external cyber incidents such as ransomware or distributed denial of service (DDoS) attacks account for the majority of the value of all cyber losses analyzed by AGCS over the past six years.

In view of these frightening figures, the understanding in large companies of the complex cyber risks and also of the possibilities of risk transfer has now increased significantly and is contributing to greater risk awareness. In small and medium-sized companies, on the other hand, there is still a clear need to catch up, as evidenced by our risk dialogues that are regularly conducted in the companies. For example, we found that multi-factor authentication (for remote access, privileged IT accounts or remote maintenance) is lacking in many cases or that employees have not been sufficiently trained against external attacks.

However, regular patching and two-factor authentication, as well as information security training, are just as important as good cyber hygiene in preventing ransomware attacks. Cybersecurity tools such as endpoint detection and response (EDR) services and anti-ransomware toolkits and services can also help prevent attacks, detect threats. Reliable response and business continuity plans are also key to mitigating the impact of a ransomware attack, with focused preparation and rapid response making all the difference in managing a crisis. Response plans should be regularly tested against ransomware scenarios, and roles, responsibilities and lines of communication should be clearly defined. Frequent backups, including of critical systems and data, are also critical to mitigating the impact and speeding recovery and operations. In the event of a ransomware or other cyber extortion incident, companies should follow their response plan and specifically inform senior management and the legal department. If the legal department is involved from the beginning, the risk of class action lawsuits or other legal claims that could be brought in the wake of the data breach can be reduced. If cyber insurance is in place, it is also recommended that the insurance carrier be informed from the outset to verify that the applicable cyber insurance policy provides coverage.

Regardless of the final confirmation of cover, cyber policyholders at AGCS benefit from 24/7 access to emergency services. These services typically include the services of a professional crisis manager, forensic IT support and legal advice. Another service offered is the free creation of a cyber crisis management plan. Our estimates suggest that the losses in around 80% of ransomware incidents could have been avoided if companies had followed basic security measures.

These figures show why, above all, a reliable response plan is so crucial: Business interruption damage and recovery costs are the biggest driver of ransomware damage. The average downtime after a ransomware attack is now 23 days, with total recovery and downtime costs also more than doubling in the past year. They have risen from around €700,000 in 2020 to €1.6 million in 2021. So when it comes to cyber business disruption, timing is everything. By the time a company pays a ransom demand after two weeks to obtain the decryption key, the business interruption loss has already manifested itself and the handsome cost of trying to restore systems and data has already been incurred. The cost of hiring forensic experts and legal advisors, for example, can be as high as €2,500 per day per head and easily reach a seven-figure sum.

We try to encourage our policyholders to avoid paying ransoms – especially as this only creates further incentives for the hackers’ criminal business model. The decision whether or not to pay a ransom is always made by the company in question. The better prepared the company is, the easier it will be to do without. In any case, the police authorities should be strongly involved from the very beginning. In Germany, the Federal Criminal Police Office is in charge, with which AGCS cooperates. The central office of the police continuously analyses current cybercrime trends and derives conclusions for the fight against cybercrime. This is important because cybercrime can only be successfully prevented and fought in close cooperation between businesses and security authorities. It cannot be done alone.