The cybersecurity threat facing trade finance is multifaceted. Not only are attacks becoming more costly and harder to prevent, but industry efforts to digitalise processes and reconfigure supply chains are creating new areas of vulnerability. A growing number of institutions are turning to cyber insurance to mitigate the risks, but now face uncertainty over claims and soaring costs. John Basquill reports.

 

The World Economic Forum’s most recent Global Risk Reports, covering 2021 and 2022, have been dominated by the effects of the pandemic. Concerns over supply chain disruption, commodity price inflation and a delayed energy transition were cited as the top threats to trade in each of the last two years.

However, an emerging concern identified in this year’s report has attracted less attention, despite its seriousness. Technological risks, including cybersecurity failures, are seen as “critical short-term and medium-threats” to the world economy, the forum says. Despite that, there is a “possible blind spot in risk perceptions” among businesses.

According to the report, much of the risk stems from the deployment of increasingly sophisticated digital systems. Efforts to digitise documents and processes that have historically been paper-based – particularly within complex global supply chains – create a reliance on technology providers and other third parties.

The “contagious” nature of cyber threats means a weakness at one such third party could impact the whole supply chain, it says.

Speaking at the report’s launch event in January this year, Carolina Klint, risk management leader for continental Europe at insurance giant Marsh, warned that attempting to modernise too quickly – before the required technology is in place – could also intensify the risk of exposure to a cyber attack.

“Cyber threats are now growing faster than our ability to prevent and manage them effectively,” Klint warned. “Companies trying to survive the pandemic have been under more pressure than ever to digitise and automate, but too often this has been built on the backbone of ageing technology.”

Klint identified ransomware attacks – where malware is used to deny a company access to its own systems or data until a ransom is paid to the attacker, typically in cryptocurrency – as a quickly emerging threat. Others include attacks on critical infrastructure and identity theft, for instance by impersonating a senior executive in internal email communication.

 

The digital revolution

The disruption to working practices and supply chains caused by the pandemic has dramatically accelerated efforts to digitalise trade. Santander’s trade barometer for Spring 2022 found that around a third of UK banks surveyed have “embarked on digital transformation” since the initial outbreak, with just under half planning to continue remote or hybrid working for the foreseeable future.

There has also been an acceleration in efforts to digitise paper documentation at the heart of trade transactions. Notably, in February this year, three shipping industry associations announced an alliance with the International Chamber of Commerce (ICC) and financial messaging service Swift to agree a standardised approach to electronic bills of lading – long considered one of the key components to a fully digital trade ecosystem.

Banks, meanwhile, are expected to increase their technology spending substantially. In April, London-based supply chain finance provider Demica published the results of an industry survey that found nearly three quarters of respondents planned to move to new technology platforms within the next five years.

With full digitalisation across all trade transactions, the ICC estimates that trade across G7 nations would increase by as much as US$9tn over the next five years.

However, a report by Marsh and Microsoft published in April this year warns that businesses may be underestimating the cyber risks associated with the introduction of new tech.

Only 69% of companies surveyed for the report said assessing the risks from new technologies was considered important during exploration and testing stages, and that figure drops to 54% after implementation.

“Continuous assessment and monitoring of a new technology past the implementation phase is necessary given the fact that digitalisation and technological advancements increase exposure to new and more intense cyber vulnerabilities,” the report says.

California-based lawyer Jeff Dennis, a shareholder at Buchalter and member of its privacy and data security practice, says technology can act as a “double-edged sword”.

“On the one hand, it provides companies with the ability to do business much more efficiently. On the other hand, once that data is no longer in your control, or is accessed by a dangerous third party, there is a real risk there,” he tells GTR.

“The more you rely on the internet, and electronic data in general, the more companies have to build up a robust cybersecurity framework to protect this newly digitised data.”

 

Overhauling supply chains

On top of digitalisation efforts, corporates with a large global footprint are increasingly looking to reconfigure supply chains. During 2021, delays and costs associated with shipping goods prompted many large corporate buyers to reduce dependence on suppliers in distant markets, onshoring or nearshoring critical components.

More recently, many importers have had to adjust supply chains following sanctions on Russian-origin goods following the country’s invasion of Ukraine. Fearful of exposure to blocked sellers, companies are seeking alternative sourcing markets for commodities such as wheat, grain, sunflower oil, crude oil and natural gas.

In terms of cybersecurity, that places buyers in a difficult situation, says Buchalter’s Dennis. “Who are you replacing those companies with, and are those replacement entities secure? Are they as secure as the Russian entity may or may not have been?” he says.

“There is a trade-off. Companies do not want to be seen to be supporting Russian companies, which will appear as support for the war in Ukraine, but do not want to replace them with other entities that may lack cybersecurity controls and may put their own business in danger.”

Dennis adds companies can largely mitigate those concerns with an established third-party risk management programme. Larger firms are likely to dedicate significant resources to reviewing external suppliers, including by carrying out cybersecurity audits, he says.

Marsh and Microsoft find that relative to other sectors, financial services firms are more likely to conduct risk assessments of third-party vendors or suppliers.

However, auditing or verifying supply chains is identified as the area least likely to have been addressed by larger corporates. Smaller companies “are even less likely to have taken actions around supply chains”, the duo’s report adds.

 

The cost of cover

Cyber insurance has emerged as a widely used means of protection in the event of an attack. Research by UK-based cybersecurity company Sophos finds that nearly 90% of energy companies, including oil and gas providers, have insurance cover for cyber attacks – more than any other sector.

86% of financial services firms also have cyber insurance and are the most likely type of company to take out additional cover for ransomware attacks, the company says in a report published in September last year.

In part, high demand for insurance cover is driven by the financial sector’s perception as a “lucrative target” for criminal activity – though Sophos adds that generally, take-up is attributed mainly to two factors: suffering financial losses as a result of a cyber attack, or hearing news of losses at other similar companies.

Insurance cover is not a perfect solution to the cyber threat, however. According to Marsh, cyber insurance pricing increased 110% in the US and 102% in the UK during the first quarter of this year – far outstripping the average price increase of 11% for all commercial insurance.

Marsh says the price hike follows efforts to re-underwrite cyber risks, following heightened frequency and severity of claims activity. The majority of clients have taken higher retentions to help offset the impact of higher premiums, it adds.

Marsh also suggests the war in Ukraine has “exacerbated concerns surrounding systemic exposures and accumulation risk”, it says.

According to Buchalter’s Dennis, many clients are fearful of being targeted by a cyber attack linked to entities operating in Russia – particularly since the outbreak of the war in Ukraine. One issue is whether policies would still be valid in such a case.

“The concern is whether the war exclusion in a cyber liability policy would preclude a company from coverage, should they experience some kind of cyber attack from Russian authorities, or from a group backed by the government,” he says.

“I think that’s a very valid concern. Clients are asking us to re-examine the language in their cyber liability policies to see how broadly or narrowly drawn the war exclusion may be, and whether there are exceptions for cyber attacks. The last thing you want is to suffer an attack, then find out after the fact you don’t have valid coverage.”

One complication is how closely an attacking entity can be tied to the Russian government, the lawyer says.

For instance, a high-profile ransomware called Conti, which has targeted public and private sector institutions in western countries, is widely believed to have been distributed by a Russian group and has come out in support of the country’s invasion of Ukraine, yet there is no evidence of a direct link to the Kremlin.

Whether such attacks are covered also depends on the precise wording of policies, as there is not yet a standardised approach to cyber risk in the insurance industry, Dennis adds.

“With general liability policies or property policies, those forms are widely standardised,” he says. “Cyber insurance is different. It’s unsettled. In the US it’s still sometimes called the Wild West.”

 

It has never been more costly to suffer a cyber attack

Research by IBM finds that in 2021, the average cost of a data breach rose from US$3.9mn to US$4.2mn – the highest total since it started recording such data nearly two decades ago.

The World Economic Forum suggests that malware and ransomware has proliferated because there are few barriers to entry for attackers, and “little risk of extradition, prosecution or sanction”.

The volume of malware and ransomware circulating increased by over 350% and 435% respectively in 2020, it says. There has also been a four-fold rise in the funds received by ransomware addressed from businesses they have attacked.

Businesses are being “forced to pay increasingly high ransoms or suffer the reputational, financial, regulatory and legal consequences of cyberattacks”, it warns.

Critical infrastructure services are among the most likely targets. In May 2021, the US-based Colonial Pipeline – a 8,850km system that transports oil from Texas across the southeastern states, as well as to Washington, DC and New York – suffered a ransomware attack that led to all operations being halted.

The pipeline’s closure soon led to fuel shortages, price spikes and panic buying, with President Joe Biden declaring a state of emergency two days after the attack began.

The pipeline’s operator, the Colonial Pipeline Company, paid a ransom of 75 bitcoin, at the time equivalent to nearly US$4.5mn, though the US Department of Justice has since recovered the bulk of those funds.