
Aon  |  Professional Services Practice
How It started / How It’s going: Professional Service Firm Cyber Risk in 2023

Release Date: October 2023

“Never make predictions – especially about the future”

Attributed to Sam Goldwyn

In January I boldly made some predictions on the anticipated major cyber security challenges for professional service firms in 2023. Cyber October seemed like the ideal opportunity to review whether I was badly wrong or depressingly right.

So here are my 7 predictions and how I think I did:


1. Managing Ransomware / Cyber Extortion     3/10



The upward trend in ransomware and extortion was clear from Q4 2022 and has continued its rapid rise. Professional Services has (for me anyway) unexpectedly seen fewer victims than in past years. This may well be attributable to the major investments professional service firms have made in cybersecurity. This is the one where I was most happy to be off the mark.

Nonetheless, while ransomware negotiation specialist Coveware reports that fewer victims than ever are paying ransoms, Chainalysis reports that 2023 payments to ransomware operator crypto-wallets are on track to be double those of 2022. This means there are some very well-funded and determined adversaries out there, so it is not a time for complacency.


2. Preparing for the Next Threat     7/10



The astonishing appearance and rise of “next generation Artificial Intelligence” has illustrated very clearly how quickly a new technology can take hold and change the dynamic of the threat environment.

Artificial Intelligence is enabling the threat actors, accelerating their workflow and equipping them with better tools. This further facilitates the existing trend of Big Game Fishing where threat actors trade a longer cycle time for a higher reward.

The threat environment is also showing signs of fragmenting. After having been dominated by ransomware for five years, other threats are on the rise. Preparing for the next threat is definitely a challenge, but to date professional services firms have demonstrably been well prepared for meeting new threats.


3. Social Engineering Fraud     10/10



This was a very safe bet. Artificial Intelligence is enabling more sophisticated attacks, pariah states are more urgently in need of cash and fewer victims than ever are paying ransoms. The smart money believes that social engineering fraud will continue to increase.


4. Bad Leavers and Insider Threat     7/10



This is a low-frequency event so, fortunately, we are not seeing too much of it, but a March 2023 Aon report and IBM’s Cost of a Data Breach 2023 Report highlight this as the event-type with the highest severity.


5. Supply Chain     10/10



The continued exploitation of software vulnerabilities, facilitated by AI, made supply chain a reasonable prediction, but I chose this expecting another major event. Sure enough, this is what happened. MOVEit has been the highest profile event of the year and potentially one of the largest and most damaging cyber-attacks to date.

An August 2023 article states that over 1,000 organizations were impacted and more than 60 million individuals’ data compromised. It isn’t known how many organizations are paying ransoms, but the Chainalysis report shows that, in 2023, the average payment to Cl0p (the MOVEit exploit perpetrator) was $1.9 million.

This report also states that some security researchers believe Cl0p may have been working on this exploit since 2021, showing a high level of patience and determination to achieve the most damaging results and the biggest economic payoff.


6. Cloud     8/10



There have been some notable cloud incidents in 2023, including a ransomware attack on a cloud host that resulted in the majority of clients losing all of their data.

A survey report from Thales found that 79% of respondents have more than one cloud provider and “with a larger number of platforms to secure, the opportunity for operational errors grows, increasing the attack surface with each error.” IBM’s Cost of a Data Breach 2023 Report states that “Security System Complexity” increases the average cost of a breach by $240,000.

The Professional Services Practice at Aon has seen several (varied) cloud-based cyber events with clients this year and as more applications and services move to the cloud this trend is likely to increase.


7. Regulation     10/10



This was another safe prediction. The legislative environment is getting more complex in both the U.S. and internationally. Courts are increasingly open to allowing class action lawsuits for breaches of personal information.

Regulation continues to increase costs for the victims of breaches and their insurers while events like MOVEit demonstrate that system security alone is not enough to address the risk. Data governance tools to enable granular management of PII and PHI are being developed and this is an area where Artificial Intelligence may help to manage risk.



Conclusion


I did have a high degree of confidence predicting the challenges for 2023 based on the trends and experience of the last few years, but I was caught out when the ransomware threat developed even more strongly than I anticipated, although not for professional service firms.

In the context of Cyber October 2023, this exercise has, to me, shown that the broad trends of the cyber environment do not necessarily move as quickly as one might think, while the specifics of a particular issue can still surprise with a sudden shift.

Above all, it demonstrates that the threat environment is constantly in motion and like the Red Queen, we must run as fast as we can just to stay in the same place.







The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Tom Ricketts.

Tom Ricketts
Managing Director
New York







The Cyber Solutions team at Aon can help you understand and quantify your cyber risks. Please contact Bryan Hurd.

Bryan Hurd
Managing Director, Aon Cyber - Stroz Friedberg
Seattle



Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it.