Security News
Sarah Gooding
July 4, 2024
Cyber insurance rates are dropping as the market reaches maturity, according to a new report from Howden, a global insurance and risk advisor. The firm projects global premiums to reach $43 billion by 2030 through greater uptake in international markets and growth across the SME sector (businesses with fewer than 250 employees or less than $250M in revenue).
“Favourable dynamics have persisted into 2024, with the cost of cyber insurance continuing to fall, despite ongoing attacks, heightened geopolitical instability and the proliferation of Gen AI,” Howden Head of Cyber Retail, Sarah Neild said. “At no other point has the market experienced the current mix of conditions: a heightened threat landscape combined with a stable insurance market underpinned by robust risk controls. The foundations for a mature cyber market, with innovation and exposure-led growth at its core, are now in place.”
Howden attributes the fall in prices to a market correction that became apparent in 2023 after ransomware claims backed off their 2020 and 2021 highs. Ransomware remains a significant threat that costs companies billions of dollars per year, and Howden's tracking puts the frequency of these attacks up 18% so far this year.
The ransomware ecosystem continues to have a major impact on cyber insurance premiums. Howden attributes the recent resurgence to the availability of accessible, low-cost ransomware-as-a-service (RaaS) kits and the ongoing profitability of these attacks.
Cyber extortion demands skyrocketed in 2023, but fewer companies are paying ransoms. Howden's report includes data from multiple sources that backs up this trend: while the dollar amount demanded is increasing, there is a clear shift away from payment.
Although the push to ban ransom payments appears to be gaining momentum, CISA Director Jen Easterly recently made it clear that the agency won’t be advocating for a ban anytime soon.
“I think within our system in the U.S. — just from a practical perspective — I don’t see it happening,” Easterly said in an interview at the Oxford Cyber Forum.
“I do think we’ve made a difference, but I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a Secure-by-Design campaign,” she said. “We cannot expect businesses that don’t have huge security teams to be able to secure that infrastructure unless that technology comes to them with dramatically reduced numbers of vulnerabilities.”
These are the businesses where Howden projects major growth across the SME space, which it estimates accounts for approximately “half of GDP in advanced economies.” The company has created a platform that gives SMEs a quote for up to $6M in cyber coverage based on a small amount of basic information.
Howden’s report warns of the risks of attacks on “digital cornerstones,” citing widely-used open source libraries as a critical entry point for attacks with the potential to create catastrophic outcomes:
A successful attack on a digital cornerstone carries equivalent catastrophic potential impact to a global cloud outage. Such a scenario would see a malicious actor compromising the software that underpins global digital systems. Given most organisations rely on two operating systems – Windows and Linux – and these in turn rely on open-source libraries developed collaboratively by unknown contributors, a single compromise could have an enormous impact.
The report referenced the XZ Utils backdoor incident and the necessity to remain vigilant against criminals that are “known to be investing large amounts of cash into developing a wide-ranging compromise of this nature.” State-affiliated cyber attacks have increased dramatically over the past decade and this will continue to be a source of concern for companies investing in cyber insurance.
Other trends impacting premiums include the increasing professionalization of cyber crime, generative AI creating more precisely targeted threats and more sophisticated scams, and the increase in geopolitical tensions.
Howden concludes that although 2023 marked the slowest rate of growth since the market’s inception (up 5%), prospects remain strong. While prices for cyber insurance may still play a role in market dynamics, Howden projects they won't have as significant an impact on market growth as they did during the 2020 to 2022 correction.