By Catherine Powell
If you're a Rat Pack fan like I am, you'll never forget the 1960 caper flick Ocean's 11, where Frank, Dean, Sammy, Peter & Joey take down five Las Vegas casinos on New Year's Eve. While a work of fiction, it proved to be more a case of life imitating art when several hacking collectives pooled their resources to take down a pair of Vegas casinos last year. While the hack didn't break the bank at either the MGM or Caesars, it did cost the two companies more than $100 million collectively. What's worse is that even though the FBI knows the groups responsible for the ransomware attacks, the odds are low that the feds will be able to prosecute many of those involved, since the perpetrators are scattered around the globe. The repercussions of this brazen cyberattack and the lackluster law enforcement response have not only gotten many corporate CEOs to start quaking in their boots, they have also caused the insurance industry to take a long hard look at whether it can cover the bets of businesses who are likely to be targeted by hacking collectives that can operate with impunity.
What the Hack?
What started out as a nuisance at the turn of the century and the cost of doing business a decade ago has ballooned into a runaway freight train that could soon derail everything from businesses and local governments to banks, hospitals, and utilities. That's because what was once created by individual bad actors has transmogrified into hacking collectives and foreign government-backed cyberwarfare divisions that can be nearly impossible to defeat. Here are a few examples of hacks that made the headlines in the past few years:
Top-10 costliest hacks since 2020:
- 2023 Progress Software - $10 billion in losses from a breach of MOVEit file transfer tool
- 2024 UnitedHealth Group - $870 million in losses, including a $22 million ransom
- 2023 MGM/Caesars - $130 million in damages & MGM shutdown for 10 days
- 2021 CNA Financial - $40 million ransom paid
- 2022 Crypto.com - $35 million in cryptocurrency stolen
- 2023 Johnson Controls - $27 million in losses
- 2022 Acer Computer - $10 million ransom reportedly paid
- 2021 JBS Foods - $11 million ransom paid
- 2022 Rackspace - $10 million loss reported after 2022 attack
- 2021 Colonial Pipeline - Fuel pipeline shut down for 5 days until $4.4 million paid
Bear in mind that the initial cost to restore service to a hacked company is only the tip of the iceberg. If data was stolen, the costs of damages associated with lawsuits can be many times the cost of initial remediation. The loss of faith in a company following an attack can also affect its profitability in a big way. In some cases, companies were forced to declare bankruptcy or even shut their doors permanently after a major hack or data breach.
According to the FBI's Internet Crime Complaint Center, in 2023 the reported cost of corporate cybercrime in the US was $12.5 billion, up 22% from the year previous. More than a billion of that was cyber ransom payments made to hackers. That's only the tip of the cyber iceberg, since more than 2,600 companies in more than 30 countries worldwide reported being hacked.
This is one of the reasons that the cost of cyber insurance has been escalating in the past few years. The average cost of a cyberattack in the US in 2023 amounted to $9.48 million, which is more than twice the average in other parts of the globe. The Covid-19 pandemic was like the perfect storm for hackers who capitalized on the fact that most Americans went from working in an office to telecommuting to work. In 2020 and 2021, data breaches and ransomware surged to record heights. As a result, cyber insurers saw their defense and cost containment ratio surge by 70% in those two years alone. When the number of cyberattacks surged, so too did premiums. It wasn't until the third quarter of 2023 that rates began to decline. Companies looking to rein in cyber insurance costs were forced to either beef up their security and retrain their staff, or reduce the amount of coverage they received.
As the MGM hack proved, the tail most certainly can wag the dog when it comes to hackers bringing most any company to its knees. That's because hackers have gotten just as organized and distributed as many of the companies they target. Some hacking collectives operate much like franchises. They offer hacking-as-a-service that allows low-level hackers to utilize some of the most powerful hacking tools on the planet, provided they cut the franchisor in on the action. They offer to assist, train, and in some circumstances supervise hackers-in-training. In this way the masterminds behind the scenes can turn a tidy profit while insulating themselves from law enforcement scrutiny. Hacker managers have learned that it's more profitable and less risky to let others do their nefarious bidding than it is to get their hands dirty.
It's also led them to recruit top talent from around the globe to pull off more brazen hacks that can bring businesses, banks, healthcare companies, municipalities, and utilities to their knees for fun and profit. The advent of artificial intelligence is helping these hacking collectives up their game and expand their ability to disrupt the operation of most any connected entity they choose. When you consider the profits are high and the risks of being prosecuted are low, it's not a matter of if cybercriminals can break the bank. It's more a matter of how long will it be before they can bring society to its knees?
Catherine Powell is the owner of A Plus All Florida, Insurance in Orange Park, Florida. To find out more ways to save on flood insurance, check out her website at http://aplusallfloridainsuranceinc.com/
With hacking being so out of control the only thing that surprises me is that the lights still come on every morning.
I wrote several articles a few years back about how large corporations, including many banks, were being hacked and fleeced for millions, but these hacks were not required to be reported. Today the situation is much worse, as the list in this article shows.