Cybercrime: economic cost and response of public authorities

In an unstable economic, health and geopolitical context, cyber threats are gaining in frequency, intensity and dangerousness, a trend of particular concern to the insurance market.

Cyber risks now rank number one in the Allianz 2022 Risk Barometer and represent the second most important emerging risk according to AXA's "Future Risk Report".

Numerous companies are victims of malware and ransomware intrusions on a daily basis. According to the AV-TEST Institute, a specialist in IT security, more than one billion pieces of malware are distributed every day and 560 000 new malicious programs are detected. Moreover, according to IBM Consulting, in one year, from 2020 to 2021, the average cost of a ransomware attack has increased from 3.86 million USD to 4.62 million USD.

Economic cost of cybercrime

According to the Allianz Barometer, the global cost of cybercrime is in the order of 1 trillion USD per year, or 1% of global GDP. Experts expect economic damages to increase by more than 15% per year. These damages concern:

• data deterioration and destruction,
• theft of cash,
• business interruption,
• theft of intellectual property, personal and financial data,
• embezzlement of funds,
• fraud,
• supply chain disruption,
• costs related to financial and legal investigations,
• restoration of hacked systems and server,
• deletion of hacked data,
• reputational damage.

Nowadays, a growing number of companies, often accompanied by specialists, are implementing cyber solutions (backup, server restoration, etc.) to avoid giving in to the demands of criminals.

According to an expert from the consulting firm Inquest, out of the 600 cyber incidents handled internally in 2021, only two of them ended in a ransom payment.

Key figures ⁽¹⁾: Cybercrimes in 2021 accounted for:

• 623 million ransomware attacks, a record figure for this type of event,
• an average cost of 4.62 million USD per cyber-attack,
• a global crime estimated at 1 000 billion USD, that is, 1% of the world GDP,
• a 15% annual increase in economic damage,
• an average downtime of 24 days per company,
• an amount of insurance premiums of 10.33 billion USD.

For 2022, specialists are expecting a worldwide premium amounting to 12.83 billion USD, that is, an increase of 11.5% compared to 2021.

⁽¹⁾ Coveware reports (Q2 2022), IBM Consulting (Cost of a Data Breach 2022 Report), Allianz (Risk Barometer 2022).

Response of public authorities to cybercrime

Faced with the damage caused by cyberattacks, often coupled with ransom demands, public authorities are adopting various strategies with a view to reducing the companies’ period of paralysis and diminishing financial losses.

In France, a bill would authorize the payment of cyber ransoms by insurers provided that the victim company files a complaint 24 hours after the incident. This bill, still under study, would legalize the payment of ransoms, which goes against the practices of the cyber market and the recommendations of the French National Agency for the Security of Information Systems (ANSSI).

In fact, the payment of a ransom does not always result in the recovery of stolen data. In addition, the rate of recovery of business activities after an attack is deteriorating significantly. This rate is currently 20% compared to 94% five years ago.

Still in France, this new regulatory framework is not unanimously supported as it may represent a source of pressure for the insurance market and companies. It may also increase the risk of recidivism of hackers towards companies characterized as "good payers" by cybercriminals.

On the other side of the Atlantic, the U.S. Treasury recommends that companies should not pay ransoms. However, payment remains a last resort. As elsewhere, U.S. companies that pay ransom can be targeted for further attacks. In fact, any ransom payment provides additional resources to hackers.