With ransomware incidents having shot up by 205% in the third quarter of last year compared to 2022, it hardly comes as a surprise that Aon South Africa’s 2024 Insurance State of the Market Report identified cyber risk as a key trend to watch in the year ahead.
Released this month, the report unpacks the economic, geopolitical, and humanitarian events that shaped 2023 and are expected to continue to evolve in 2024.
According to the report, insurers experienced an uptick in ransomware losses in 2023 compared to 2022, with ransomware events increasing in each quarter.
Justin Westcott, the chief technology officer at DataGr8, a leading cyber and data security company, says the 205% increase in ransomware incidents is consistent with trends DataGr8 has observed across the industry.
“Indeed, this figure might understate the issue, as many attempts are successfully repelled and thus not reported,” says Westcott.
In the report, AON states that in addition to an increased frequency of events, a number of high-severity ransomware incidents hit insurers’ books in 2023.
According to Westcott, in a recent incident that involved a major insurance firm, attackers demanded a ransom in the high seven figures to release sensitive customer data.
“Such high-severity attacks typically involve ransom demands ranging from hundreds of thousands to several million dollars. These operations are not the work of isolated individuals but are carried out by sophisticated cybercriminal syndicates with extensive resources and networks,” he adds.
Aon states that delays in cyberattack recognition were also common in 2023. This, the firm says, is partly due to the focus on preparing for an “average” ransomware attacker, using trends from several years of data on ransomware skills and tactics to guide risk modeling and defense strategies.
“But defenders can be slow to catch on to new attack processes that do not fit into the ‘average’ ransomware threat actor profile, especially if the defenders do not have a broad view of the attack landscape. This often resulted in delayed recognition of an attack,” the report reads.
Westcott warns that delays in detecting cyberattacks can severely impact both companies and their clients. He explains that some companies without modern cyber monitoring systems or those using outdated security measures often discover breaches months after they happen.
“Immediate detection is crucial because it minimises financial losses, preserves customer trust, and complies with regulatory requirements that mandate timely breach notifications,” he says.
According to the report, many cyberattacks in recent years have sidestepped cyber controls because attackers leveraged basic and sophisticated attack methods to take control of systems and information, causing many business disruptions and brand damage.
Westcott confirms that attack processes evolve rapidly, often outpacing standard updates to defensive protocols.
“With the adoption of AI and other new technologies, cybersecurity frameworks will need to evolve rapidly to address new vulnerabilities. Staying ahead requires continuous monitoring of threat landscapes, investing in adaptive technologies, and frequent training of cybersecurity teams,” he says.
Read: Cyber threats meet AI: navigating the landscape of evolving cybersecurity
AON identifies five important developing trends:
- Ransom and extortion pressure strategies will intensify
According to AON, threat actors will innovate and utilise asynchronous (not simultaneous or concurrent in time) paths to apply extortion pressure, to encourage victim companies to pay ransom and extortion demands, including aggression and targeted harassment of employees, customers, and board members. The report states that companies need to be prepared for what may be an “unruly situation”.
Westcott advises that companies must be proactive in creating incident response plans that consider the psychological and legal ramifications of such pressures.
- Insider risk may increase
The report states that companies may experience increased insider risk as employers enforce return-to-office requirements and as economic challenges and layoffs in the information technology security industry continue to impact staff.
“Ransomware threat actors have and will continue to recruit company staff and pay for their credentials for remote access to facilitate an attack,” the report reads.
As the risk from insiders increases, Westcott says this will require a dual approach of monitoring and maintaining robust access controls while fostering a culture of security awareness.
- Accountability requirements will drive investments
Westcott notes that regulatory landscapes are tightening globally, necessitating more stringent cyber defences and transparent protocols.
According to AON, cyber accountability, including regulation and representation of security controls/response, may require increased investment in cyber security.
- New technologies will demand new risk management measures
Aon states that as companies start using AI and other new technologies, they will face fresh challenges in cybersecurity, data privacy, and governance. To manage risks effectively, businesses will need to invest in and stay committed to managing these new technologies safely.
The financial industry in South Africa is already in the process of adopting stricter governance in line with this.
In January last year, the FSCA and the Prudential Authority (PA) issued a revised version of their draft joint standard on cybersecurity and cyber resilience for public comment.
The revised version proposes to extend the scope of the standard to Category I FSPs that provide investment fund administration services, retirement fund administrators, and credit rating agencies.
The goal is to ensure financial institutions create strong cyber risk management processes, adopt cybersecurity best practices, systematically test security controls, establish cyber resilience, and report major cyber incidents to the authorities.
Read: Small FSPs concerned about cost implications of proposed cybersecurity joint standard
In addition, the FSCA and the PA released new guidelines in November requiring financial institutions to follow strong IT risk management practices.
Joint Standard 1 of 2023: Information Technology Governance and Risk Management calls on institutions to establish IT controls matching their risk levels based on the size and type of their business. They were given 12 months to comply with the standard, which includes creating robust IT service management policies and processes to support IT systems and operations, manage incidents, and ensure stable IT environments.
Read: Joint standard on how financial institutions should manage their risks
- Litigation related to data privacy will increase
In addition to the cyber events themselves, AON says the resulting litigation, specifically relating to data protection and privacy, will continue to increase.
Moonstone reported on four cases last year where entities were found liable for client losses that arose because of business email compromise.
Read: FSP ordered to compensate client for R3.1m following cybercrime loss
Westcott says firms can expect an uptick in litigation as breaches continue.
“This will require companies to not only enhance their security measures but also ensure they are well documented and in compliance with evolving legal standards.”
He adds that cyber resilience is now a critical component of operational strategy and that investment in this area will be essential for maintaining business continuity and compliance.
“Given the current trajectory of cyber threats, it’s crucial that companies not only adopt advanced cybersecurity measures but also engage in continuous evaluation of their risk profiles and adjust their strategies accordingly,” he says.