With the world’s second highest internet user base and a digital economy slated to cross $1 trillion by the end of the decade, India is fast emerging to be a financial and digital super-power. However, this fast-paced digitisation and reliance on data is rendering companies more vulnerable to a multitude of cyber threat vectors.
According to PCI Security Standards Council, 76% of the businesses in India have suffered at least 1 cyber-attack in the past 12 months making India the third most affected country. CERT-In reported 1.4 million cyber security incidents in 2021 and 2.12 lakh incidents as of February 2022 which suggests a growing trend. IBM’s ‘Cost of Data Breach report 2022’ indicates that Indian businesses suffered an average loss of INR 17.2 Crores from a data breach incident in 2022 which is the highest amount ever in India. Evidently, enterprises should brace for impact from more sophisticated exploits in the foreseeable future.
While the list of cyber threats is ever growing, here are some of the dominant threats that are expected to impact organisations and economies in 2023.
Ransomware has been the most dominant global cyber threat vector for the past three years with its heightened impact seen since the onset of pandemic. According to WTW’s Global Cyber Claims Analysis 2022, the global average cost of a ransomware attack for an organisation is US$ 1.8 Million with the largest single reported loss of US$ 70 Million. The global damages due to the ransomware threat have been estimated to be over of US$ 20 Billion as of 2021.
Besides being forced to pay a ransom to limit the level of business disruption and to protect reputation, ransomware attacks have resulted in major losses for organisations. Despite paying ransom, the slow decryption of data and ineffective revival of data sets to pre-attack levels have often led to an added business interruption loss and escalated costs to reconstitute data and systems.
‘Double Extortion’ events are recent developments where hackers are using data stolen during the encryption as a leverage for extorting more ransom from businesses.
Ransomware attacks are known to cause accumulated losses in the form of business interruption losses, ransom monies paid, system restoration and incident response costs, data breach liabilities, notification obligations and data privacy regulatory investigations and penalties. With a spurt in RaaS) and IABs business models, the distribution of ransomware is expected to grow steadily in 2023.
These are sophisticated exploits where the hackers target multiple organisations by targeting the vulnerabilities in the systems of suppliers and technology service providers. There was a flurry of supply chain attacks in 2020 and 2021 where hackers targeted vulnerabilities in technologies of reputed companies which impacted supply chains of thousands of dependent organisations.
Since threat actors are constantly exploiting zero-day vulnerabilities in the technologies and cloud systems, supply chain attacks are fast emerging to be a significant threat for organisations pushing them to invest significantly in vendor risk management strategies and control mechanisms. It is crucial to understand that the outsourcer will never assume full responsibility in the event of an incident.
BEC attacks continue to rise due to digitisation of businesses and a shift to remote working arrangements. Impersonation frauds also known as ‘Fake President frauds’ or ‘Whaling Attacks’ and ‘Vendor Invoicing frauds’ will continue to cause multi-million-dollar losses to organisations, globally. According to FBI’s estimates, BEC attacks caused a global loss of US$ 43 Billion between 2016-2021 with these scams growing by 65% between 2019 to 2021. Recent technological advancements like ‘Deep Face’ audio and video that can mimic senior executives are expected to further cause a spurt in BEC led financial fraud incidents in 2023.
State sponsored cyber acts are fast becoming a means to carry out espionage and causing maximum disruption between conflicting nations. Recent geo-political tensions are also causing a major reshaping of the cyber threat landscape globally. Cyber-attacks on critical infrastructure or target sectors are now a reality with an increased likelihood of organisations becoming collateral damage to a cyber warfare between rival countries arising from the spill over effect of an attack vector.
Given the imminent and ever-evolving nature of the risk, Indian businesses need to urgently realise that while enhancing cyber security investments are critical, it can only reduce the exposure but cannot eliminate the risk. Since the cyber security of an organisation is as strong as its weakest link, Boards should consider investing in bolstering the ‘Recovery’ aspect within their cyber risk management strategy.
While planning and testing efficient incident response plans and business continuity plans form a crucial part of the ‘Recover’ and ‘Respond’ strategies, organisations should invest in conducting ‘Impact Assessments’ not only from a customary operational and legal standpoint but also extend these assessments to include a Loss quantification exercise to estimate the likelihood and severity of losses from privacy breach and network outage incidents. This would help the Boards to not only prioritise spending on relevant cyber security controls but also consider solutions to transfer loss projections which fall beyond their risk appetite.
Cyber Risk Insurance is today a key component of cyber loss recovery and risk transfer considerations of organisations. Besides indemnifying costs associated with incident response (like forensic investigations, data reconstitution, notifications, credit monitoring and public relations etc. and covering damages legally payable due to data privacy breach, network security liability and data breach regulatory implications), cyber risk insurance programmes have proven to augment the incident response capability of insured organisations through the cyber claims know-how and relevant incident responder and legal advisory tie-ups that insurers and intermediaries are able to support within a timely manner during a cyber incident. These critical support areas help victim insured organisations make well-informed decisions to respond and recover from cyber incidents.
*First published in CXO Today on 21 January 2023.