2021 Cyberrisk Landscape

Hilary Tuttle


February 1, 2021

Every year, it seems digitalization is more critical than ever, cybersecurity is the defining component of operational risk, and the ability to make safe, smooth online transactions is integral for staying in business. Then, COVID-19 struck and these proved to be real differentiators between companies that survived and those that failed. From health care to retail, guarding against cyberrisks and maintaining online operations have truly never been more vital.

Last year was rife with examples of how cyberattackers can leverage world events. The pandemic was a devastatingly compelling lure for phishing via email and SMS messages. The distributed workforce introduced myriad risks. The COVID-driven dependence on digital systems and online transactions amped up the threat of ransomware. And global health organizations and a range of companies involved in vaccine development, manufacturing and distribution became attractive targets for attackers. Unfortunately, this will only continue in 2021.

Many of the technologies keeping enterprises afloat are also introducing the biggest risks. Your supply chain is increasingly an extension of your digital ecosystem, and vendors’ cyber vulnerabilities can very quickly become your own. Indeed, in its State of Cyber Resilience 2020, Accenture reported 40% of cyberattacks are now indirect, coming through weak links in the supply chain. Communication platforms like those used for online learning and telemedicine introduce yet more targets for attack and exposure of sensitive data. Remote Desktop Protocol and other technology that facilitates remote access for distributed employees can provide that same access to attackers. Given the shift to cloud-based products amid the pandemic, expect to see a lot of cloud-based attacks in the news—and to get questions from the board and C-suite about any in use.

In 2021, we must also look inward to assess and mitigate cyberrisk moving forward. Business changed in 2020—as did your personal threat model. The line between business and personal cyberrisk is fading quickly, and while remote work may have eased some stresses, it introduced underappreciated burdens as well, such as preserving security when home becomes work, and ensuring we manage risks even as individuals out of the office.

Looking ahead, you can expect to see several other key risks make headlines in 2021, including: ransomware, 5G, mobile apps, SMS phishing (smishing), insider threats, nation-state attacks, the internet of things, new data privacy laws, remote workers, and both regulation and litigation regarding biometrics.

As you prepare to defend your organization on the digital battlefield, here is the risk recon on the top threats and trends that will define the cyberrisk landscape in 2021.

SolarWinds and the Software Supply Chain

Software supply chain attacks first made this list in 2018 after hackers injected a tweaked file into accounting software M.E.Doc, forming the basis for the crippling NotPetya attack. As Risk Management explained then, “Supply chain attacks shift the economics of cybercrime by enabling hacking at scale: Attackers can target one organization and, in the process, gain a foothold to compromise hundreds or thousands more. This can also be particularly useful with hard-to-reach targets, such as those within the defense industry, and because they usually include a backdoor to legitimate software, they are less likely to be detected by enterprise security tools.”

This risk recently became painfully clear again with the sprawling cyberattack launched via software provider SolarWinds. In December, news broke that hackers (believed to be Russian state-sponsored actors) penetrated the U.S. government and a range of public and private sector entities by inserting malicious code into the widely used Orion network monitoring software from Texas-based firm SolarWinds. Approximately 18,000 customers downloaded the code and were thus potentially affected, though it appears a much smaller number were actually targeted and compromised via this backdoor. These breached entities include the U.S. Departments of State, Treasury, Homeland Security and Energy, and some top private sector firms like Microsoft, Cisco, Intel and Deloitte.

According to Brad Smith, president of Microsoft, SolarWinds is not “espionage as usual.” He explained, “While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy.”

In January, cybersecurity ratings firm BitSight and cyberrisk modeling company Kovrr estimated the insured losses would total approximately $90 million, fueled by incident response and forensic services for impacted companies. The potential toll for insurers is somewhat reduced by the number of victims that were federal agencies, which typically do not buy cyber policies.

While headline-making, many previous nation-state attacks did not have a day-to-day impact on businesses—but that may be changing. Insurers appear to recognize the sheer scale of threat from software supply chain hacks and, as a result, SolarWinds is having more of a discrete effect on cyber insurance buyers than one might expect from past precedent. According to Stephanie Snyder, senior vice president and commercial strategy leader for cyber solutions at Aon, once the news broke, some insurers quickly grew concerned about loss aggregation. “As a result, certain insurers have made changes to their underwriting appetite, with the need for additional increases in rate and use of coinsurance for various coverage provisions, as well as adding SolarWinds exclusions,” she said.

SolarWinds will likely face intense scrutiny as well as legal and regulatory risks in the months to come. As details come to light we will gain a better understanding of the scale of the attack, but the news should also serve as a reminder of the severity and spread of risk possible from this threat vector. Expect to see the software supply chain leveraged more.

Yet Again, More Ransomware

Ransomware has made every iteration of this cyberrisk landscape report since the first in 2016, and as headlines make clear almost daily, the tidal wave of ransomware attacks shows no sign of ebbing any time soon.

“We continue to see data breaches, business interruption, system failure and social engineering losses, but ransomware has an explosive ability to generate a multimillion-dollar loss in the span of 24 hours,” said Adam Lantrip, cyber practice leader at CAC Specialty.

Some enterprises have not taken an active approach to ransomware risks, potentially even considering the incident response services available through a cyber insurance policy to be the only response plan needed. This is increasingly dangerous. In 2021, businesses may pay for it, whether in the direct costs from an attack or surging premiums that penalize inadequate preparation.

According to Snyder, the volume of losses in 2020 has led cyber insurance carriers to increase scrutiny when underwriting ransomware risk. “Carriers are requiring that clients answer specific, targeted questions around the security controls associated with ransomware. If clients cannot answer these questions in a satisfactory manner, they risk more significant rate increases and coverage restrictions, or even non-renewal,” she said.

In a relatively new development, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) released an October advisory in response to surging ransom demands. OFAC warned that companies that “facilitate ransomware payments to cyber actors” risk violating U.S. sanctions laws and could be subject to fines, whether or not they know who will ultimately receive the money. Companies that conduct business internationally likely already have an OFAC compliance program, but this warning highlights that domestic enterprises, which may not have a rigorous compliance program because they seldom operate overseas, are clearly still exposed to sanctions compliance risk. Foreign-based businesses that operate in the United States or use U.S. commerce to transact business should also be aware of their compliance obligations. This could also have significant implications for the incident response firms, insurers and law firms that get involved in ransom negotiation and payment.

Health Care Under Siege

As reported in the December issue of Risk Management, 2020 was a record year for cyberattacks on the health care sector. The industry had the largest share of breaches in 2020, with ransomware as the root cause in 46.4% of cases and email compromise causing 24.6%, according to Tenable’s 2020 Threat Landscape Retrospective.

Unfortunately, this appears unlikely to change in 2021. As COVID-19 continues to make the availability of care more critical than ever, criminals can be expected to deploy the potent threat of ransomware against a range of health care providers. The interruption and costs can be especially crippling for already resource-strapped facilities, and the road to recovery can be longer than many realize. For example, an October ransomware attack was still costing the University of Vermont Health Network $1.5 million a day in lost revenue and recovery expenses in December, according to CTO Dr. Stephen Leffler.

Health care records also remain up to 50 times more valuable than other privileged data on the black market, making unauthorized access and data exfiltration as significant a threat as ever. The increasing move to digital health records facilitates access for health care providers across physical locations, but as with all digital record systems, poses a risk. The growing adoption of telemedicine also creates new targets for data exposure or system disruption.

From Business Interruption to Blackmail

Data breaches and ransomware attacks got uglier last year, as hackers amped up extortion threats to compel payouts. Some attackers have gained leverage by operating “name and shame” leak websites, finding particular success against financial companies, as publishing protected information would not only cause reputation damage but also trigger hefty fines.

“Emboldened by success and excellent media coverage, threat actors behind targeted ransomware attacks have systematically increased the amounts they demand in exchange for not publishing stolen information,” threat researchers from Kaspersky Labs reported. “This point is important because it is not about data encryption anymore, but about disclosing confidential information exfiltrated from the victim’s network. Due to payment card industry security and other regulations, leaks like this may result in significant financial losses.”

Stealing data before encrypting it in a ransomware attack is one route here, but “simple” data breach and exfiltration also applies. This fall, for example, a hacker attacked Finnish psychotherapy services provider Vastaamo and attempted to personally blackmail patients whose records were compromised. Ransomware was not involved—the attacker gained access to the firm’s records and leaked small amounts of data (about 300 patients) in an attempt to get the center to pay to prevent further exposure of up to 40,000 people. The hacker then shifted tactics and turned directly to patients, threatening to publish documents containing everything from personal identity codes to therapy session transcripts if they did not pay a few hundred euros’ worth of bitcoin.

Attacks involving such blackmail attempts will likely increase, targeting either the immediate victims or the organization. This is a key risk in health care, as well as in industries or geographies with added regulatory requirements and fines. Attackers may also target proprietary data that would cede an advantage to corporate competitors.

Recent Regulation Translates into Fines

Regulators around the world are ratcheting up enforcement activity under data protection laws implemented over the past few years. According to the Allianz Risk Barometer 2021, “Under the General Data Protection Regulations (GDPR) the number of fines have been growing in Europe—almost 200 were issued by authorities between March 2019 and May 2020—while jurisdictions around the world have been introducing stricter data laws, most recently California, Canada and Brazil. Increasingly, breaches and regulatory actions are followed by litigation, with a number of group actions now pending in the United Kingdom as well as the United States.”

Worldwide, more new data security regulation is on the agenda for many local and national lawmakers again in 2021. In the United States, many expect the Biden administration to focus more on consumer protection in regulation and enforcement actions across the business landscape, and this will likely extend to cybersecurity and data protection practices as well.

In addition to the compliance efforts these developments should trigger, companies may want to consult their brokers about shifts in the value of their risk exposure. While one cannot dismiss the lofty financial implications of compliance failures and should not look to risk transfer as a substitute for risk management, cyber insurance markets are offering some new regulatory risk transfer options. According to Willis Towers Watson’s Insurance Market Realities 2021, “Since the E.U. General Data Protection Regulation went into effect in May of 2018 and the subsequent trove of data privacy legislation introduced across the U.S., most notably the California Consumer Privacy Act, we have seen cyber markets affirmatively address coverage for claims stemming from these regulations. Markets are also offering expanded wrongful collection and compliance coverage largely in response to the new regulatory landscape.”

The Hard Market Hits Cyber Insurance

In past years, competition among insurers to make inroads in the cyber market helped keep rates lower than the mushrooming value of the risk being transferred. While less dramatically than in other lines, the hard market has now hit cyber and rates are firming considerably for many buyers. This trend is likely to escalate this year as policyholders continue filing hefty claims from increased hacking and ransomware incidents and as insurers feel the pressure of pandemic-related losses in other lines across their books.

“We have entered a hard market as of Q4 2020, and anticipate continued acceleration of hard market conditions throughout 2021,” Snyder said, noting both policy terms and rates were hardening, primarily driven by the increase in ransomware cases. “From a rate standpoint, insurer feedback in Q1 suggests the need for greater than 30% increases in the large enterprise segment, and 20% to 40% in the middle market segment.”

Aggregation risk will be another key issue this year as insurers grapple with the increasing volume and cost of attacks, the increasing number of widespread attacks and the trickle-down impacts of cybersecurity incidents in the supply chain. “There may be a renewed focus on aggregation risk and an emphasis on infrastructure, government action, war and other exclusions to limit carriers’ exposure to systemic risks,” Lantrip predicted. “Creating new solutions and tapping into alternative sources of risk transfer capital will be critical to helping clients secure coverage for their most significant risks.”

Companies that have complex towers for cyber or are looking to build them have begun to experience more difficulty obtaining coverage in certain tiers as some insurers look to limit aggregation risk by limiting capacity. “As incidents and losses mount, carriers have been reevaluating their positions in large towers and looking more closely at rates in perceived burn layers,” Willis Towers Watson reported. “Carrier strategy regarding excess layers revolves around obtaining adequate premium for perceived risk. There is less competition to get on excess towers, especially if pricing is considered too thin.”

Misinformation, Disinformation and Deep Fakes

Misinformation and disinformation became key problems and discussion topics in 2020, particularly around the U.S. presidential election. These issues are here to stay, especially fueled by social media and advances in artificial intelligence and machine learning that are generating ever more realistic deep fake videos.

In Social Engineering: Blurring Reality and Fake, analytics firm CyberCube predicted deep fake audio and video technology will pose a major cyberthreat to businesses in the next two years. The firm noted that increasing use of video technologies in business adds to the rising risk. “Because of the increasing number of video and audio samples of businesspeople now accessible online—in part due to the pandemic—cybercriminals have a large supply of data from which to build photo-realistic simulations of individuals, which can then be used to influence and manipulate people,” the report explained.

“Imagine a scenario in which a video of Elon Musk giving insider trading tips goes viral—only it’s not the real Elon Musk. Or a politician announces a new policy in a video clip, but once again, it’s not real,” said Darren Thomson, CyberCube’s head of cybersecurity strategy. “We’ve already seen these deep fake videos used in political campaigns; it’s only a matter of time before criminals apply the same technique to businesses and wealthy private individuals. It could be as simple as a faked voicemail from a senior manager instructing staff to make a fraudulent payment or move funds to an account set up by a hacker.”

Indeed, this technology can be used to enhance other social engineering attacks like business email compromise or wire funds transfer, and such attacks have already been seen in the wild. In a widely cited 2019 case, AI-based software was used to impersonate a chief executive and authorize the fraudulent transfer of $243,000. It is highly possible we will see this added to more fraudsters’ toolkits in the year to come.

Home Networks and IoT Devices Become Enterprise Risks

When was the last time you changed your home Wi-Fi password? Exactly.

In 2020, your personal threat model fundamentally changed. Home networks are now work networks. In 2021, the time has come for everyone to ask some occasionally uncomfortable questions about our cyber hygiene practices at home. This is not only an imperative for your personal security, but an increasingly critical business threat.

Whether as the primary source of loss or the foothold to launch other attacks, security compromise among remote workers has proven a tremendously successful vector for attackers. Sweatpants are not the only way workers get lax at home—research shows many ease up on security best practices when at home or on mobile devices. As early as April 2020, Forrester reported 41% of organizations had already suffered a business-impacting cyber event caused by COVID-related phishing or malware, 67% were extremely concerned pandemic workforce changes increased the organization’s risk exposure, and 48% reported moderate to no visibility into work-from-home environments.

“Home networks will become launching points for threat actors,” Trend Micro threat researchers warned in Turning the Tide: Trend Micro Security Predictions for 2021. “These individuals want to hijack machines and jump from one device to another in an attempt to gain a foothold in a corporate network. Routers have long been viewed as sitting ducks for remote attacks on connected devices, and we predict that cybercriminals will offer access to hacked routers as a new service for threat actors aiming to break into home networks.”

Any devices connected to the home network can pose a risk to the organization, including the phones, tablets and laptops of other household members and IoT or “smart” technology. It is always worth remembering that IoT may as well stand for “internet of threats”—every connected device is a potential exposure point. This has been a risk in enterprise environments, but may have been dismissed due to the impression that fewer connected devices were used in offices. Again, the threat model has changed with remote work. Increasingly ubiquitous in homes, voice-activated devices such as Amazon’s Echo products and Google Home are always listening, have somewhat opaque data collection and retention practices, and are vulnerable to hacking, as are other smart-home devices like baby monitors and security cameras. Exploitation scenarios range from compromising the home network to eavesdropping on discussions that include confidential information or business strategy. In 2021, we will likely see this either leveraged by attackers or resulting in accidental exposure, fines in regulated industries, and breach of client trust.

The Kids Aren’t Alright…On Your Work Machines

In addition to the networks they connect to, the lines between business and personal devices are also blurring. Work is done on personal machines and work phones and laptops are used for personal tasks. To a certain extent, that is suboptimal but also somewhat inevitable. However, the employee is increasingly not the only user for enterprise security teams to worry about. Significant others, roommates and children may have access to work machines, business accounts, sensitive data or email left on the screen as people work from home.

Indeed, according to 1Password’s report The Family Password Paradigm, almost half of parents working from home let their children access devices with stored passwords on them, and 14% give their children access to work devices. As a result, 51% of parents working from home admit their child has accessed their work accounts, and 14% admit their child has caused them trouble by accessing an account on a device with saved passwords. One respondent illustrated a worst-case scenario, noting, “my child got into my bank accounts and wired money to a random account.” Others shared stories of children damaging work products, including accidentally deleting a key presentation or erasing critical emails. These cases can certainly be personally embarrassing or even costly, but they also threaten enterprise reputation and create the risk of accidental exposure of business-critical data or confidential client information, exposure of legally protected information, and regulatory risk in industries with strict requirements and penalties. In 2021, we may see such cases translate into damaging PR, successful phishing-related attacks, and financial losses or fines.

Hilary Tuttle is managing editor of Risk Management.