Marek Stanislawski: As far as cyberattacks go, malicious actors are being far more targeted and specialized in their actions. The ransomware attack on Norsk Hydro, for example, was combined with an attack on its user- and log-in systems. And, they don’t stop getting ever more creative: Recently, there was a campaign of malware injection into LinkedIn invites! Social engineering and phishing scams are getting more bold. Luckily, there hasn’t been a major global campaign since WannaCry and NotPetya in 2017. But, that doesn’t mean the next one isn’t around the corner.
Another trend, especially in Europe, is disclosure. Many companies used to be highly secretive about their cyber exposures and try to avoid going public when they suffer an incident. However, the Danish shipping company Maersk, for example, was extremely forthcoming with information in 2017 about its problems following the NotPetya attack. Norsk Hydro also handled the crisis proactively with regular updates on their website. These companies put themselves in the spotlight and really set the standard for disclosure—to the benefit of all, because information sharing is a key strategy to combat cyber risks.
Emy Donavan: A further trend we’re seeing is the recognition of the importance of both business interruption and data breaches as key cyber risks—not just one or the other. Up until the last few years, the US focused almost exclusively on data breaches. Given that most cyber-insurance is written in the US, that really influenced the direction of the industry. Europe had been more focused on business interruption, but since the run-up to and introduction of the EU’s General Data Protection Regulation (GDPR), data breaches have become more relevant, because the financial stakes are now much higher in the event of an incident. Just look at the £183 million ($220 million) fine for British Airways, which suffered a breach that resulted in the personal data of 500,000 customers being stolen. Similarly, the US has begun to recognize the issue of business interruption, due to some significant losses like the estimated $300 million that NotPetya cost FedEx by disrupting its operations. So, we’re seeing increased recognition on both sides of the Atlantic that BI and data breach are key cyber risks.