How Cyber Threats Are Changing - And What Your Clients Can Do About It

(DESCRIPTION)
A presentation with four participant videos on the right. In the background of the slide, people gather around a laptop. Red umbrella Logo: Travelers. Text: Evolving Cyber Threats and Trends: What Brokers need to know.
(SPEECH)
MATT WALLER: Hey. Welcome everybody. Thank you for attending this webinar. We have a number of speakers today, which we'll do introductions in a second. But what we're looking to cover off today is the evolving cyber threats and trends that we're seeing within Travelers in Europe and our partners globally.
Just a housekeeping item, we will be recording this webinar for circulation after the fact. So if you missed anything or you want to take a look at the slides, we'll be recording that. Only the slides and the speakers will be on the recording, so don't worry about being on camera. And then there's a Q&A tab at the top. So we're going to save some time at the end to answer any questions. Feel free to put in questions in the Q&A throughout the course of the presentation today, and then we'll address those at the end if we have time. Hoping that we do. Love engagement on that side as much as possible.
So with that, we'll kick off. First, simple disclaimers on the next slide to highlight around sharing of information, the purposes of this presentation. So if you go to the next slide, James.
(DESCRIPTION)
Slide: Disclaimer. Text: The information provided in this presentation is for general information purposes only. It does not constitute legal or professional advice nor recommendation to any individual or business of any product or service. Insurance coverage is governed by the actual terms and conditions of insurance as set out in the policy documentation and not by any of the information in this presentation. Logo: Travelers.
(SPEECH)
And then introductions.
(DESCRIPTION)
Slide: Today's Speakers. Profile pictures of four men in suits appear. From the left: Text: Matt Waller, Head of Cyber, Travelers Europe. Tim Geschwindt, Head of Cyber Incident Response, EMEA, S.R.M. -- James Doswell, Senior Risk Management Consultant, Travelers Europe. John Pain, Partner, Cyber and Data Risk, Kennedys. Logo: Travelers.
(SPEECH)
So I'm Matt Waller. I head the cyber team at Travelers Europe. I've been in cyber for 15 years now, 10 years in London and five years prior to that in New York, and run the day to day underwriting operations and underwriting team at Travelers Europe. Tim, do you want to go next?
TIM GESCHWINDT: Yeah. Thank you, Matt. Hi, everyone. My name is Tim Geschwindt. I'm the Head of Cyber Incident Response for S-RM, focusing on the EMEA region, which includes the UK as well. I've been at S-RM for eight years now, joining in 2017, initially with a focus on physical security, and then moving over shortly to cyber security. And my role is managing the team, but also responding and leading the response for major, multinational ransomware and data exfiltration incidents. James.
JAMES DOSWELL: Hi, everyone. My name is James Doswell. I'm Travelers Senior Risk Management Consultant on cyber. My background is about 30 years. The last 10 years roughly has been insurance. But prior to that, it's been hands on Head of IT, IT director, mergers, acquisitions, split outs, transformations in cyber all along the way. And that's been through to critical national infrastructure where I've had the opportunity to assist in bettering some software for things like the National Air Traffic Services.
MATT WALLER: John.
JOHN PAIN: Yeah. So my name is John Pain. I'm a partner in the cyber and data risk team at Kennedys. With our UK team, we've got the largest dedicated cyber breach response team anywhere in Europe, and that's before you factor in our European offices. Yeah, need those number of bodies. We deal with a lot of incidents. So I dealt with over 1,000 incidents in the year to the end of 2024. That's an increase on last year, which was an increase on last year, which I think shows the direction of travel across the piece here, that cyber is a growing problem. Yeah, delighted to be here.
MATT WALLER: Great, yeah. So I think we have a great panel to lead a discussion with some insights from James on the IT forensics side and on breach counsel.
(DESCRIPTION)
Slide: Global Cyber Threat Landscape. Three tiles from left to right feature, first, a woman gazing at a computer screen. Text: Rising Threats. Ransomware up 35% quarter-over-quarter. Asterisk, Travelers Q1 2025 Cyber Threat Report. Second, a warehouse. Text: Supply Chain Attacks. Expanding beyond Retail and Legal. Complete global supply chains equals more entry points and bigger risks. Third, a smartphone. Text: Business Email Compromise (B.E.C.). Attackers using more advanced tactics. 42% of victims lacked Multi-Factor Authentication (MFA). Double asterisk, S.R.M. 2025 Cyber Incident Insights Report. Logo: Travelers.
(SPEECH)
So the first area that we just wanted to touch on was the global cyber threat landscape and what we're seeing, and I think it's fairly consistent across all three on the trends. But James, do you want to start by kicking off this section.
JAMES DOSWELL: Certainly. So ransomware, everyone knows it. It's up by 35% quarter over quarter. You've probably seen the significant trends and the impacts in the media. We've seen trends towards smaller payments, which so far has mitigated this rise. You can read more about that in the Travelers Q1 Cyber Threat Report.
Business email compromise, that's continued at very high rates. Back in '23, we saw about 39% of all our claims involved either business email compromise or phishing attacks in some way. And the frustrating thing with this particular area is that so many of the compromises could easily have been avoided, with 42% of the victims lacking MFA on their email access.
And that brings me to retail. Clearly, it's been heavily targeted. So many reports in the media. And this is both directly and from supply chain. And there's two points that I'd like to particularly note here. First of all, we're seeing higher levels across other industries as well as the retail. It's not just them. And in particular, legal, construction, health care, manufacturing, it really is a significant problem.
The second is that there's many either that didn't have cyber insurance in place, or there's simply not enough to cover the incident costs. Certainly, Marks & Spencer, as we've seen, they've burnt through their entire stack, and there's more cost to go. I think the latest estimate that I read was about 300 million it's going to cost in total.
MATT WALLER: Great. Tim, is there anything that you would expand on on any of those points? I mean, particularly the business email compromise I find interesting because that's coming from your report and how MFA is so integral to that process.
TIM GESCHWINDT: Yeah. Just a quick comment to say, I think while ransomware gets a lot of the headlines, that I think it's a naturally more interesting attack vector potentially than your classic business email compromise incident. I think the data from our side shows that those incidents in which a threat actor is just getting access to a single employee mailbox can result in some really significant financial losses.
And what I do see among our client base is a sort of pivoting toward protecting the endpoint when protecting the user’s identities in Microsoft 365 can be just as important for preventing your classic invoice redirection fraud. But we're also seeing threat actors be a little bit more creative now. And look at, OK, I can get into Microsoft 365 and get into email and do an invoice redirection, and that's a single monetization attempt. Or I can use the fact that that has access to SharePoint, download the entire business's data set without anyone realising it, and then use that as a data exfiltration incident. And I think securing our cloud estates, where we do a lot of our business now, is just as important as mitigating the threat of ransomware.
MATT WALLER: Yeah, it's a great point. I think, yeah, ransomware always gets the headlines, and we've all seen that. But there are other areas which businesses are certainly exposed, and business email compromise makes up a large proportion of our Travelers claims as well. And response costs that are associated with that. So
(DESCRIPTION)
Slide: Ransomware Trends. A bar graph on the right is titled, Top 10 ransomware groups: Q1 2025, By leaksite victims posted. It has bars for the types of attacks that run from high on the left to low on the right. The attack type text is blurred. Text: Rise in, quote, organic, end quote, ransomware. Brute-force passwords. Weak credentials. Social engineering. Targeting older and lesser-known vulnerabilities. Fragmented ecosystem. 96% increase in unique threat actors (27 to 53). Cl0p remains dominant player. Source: Travelers Q1 2025 Cyber Threat Report.
(SPEECH)
moving from the area of business email compromise, and we just spoke about ransomware transit, wanted to spend some time with the group on what we're seeing there. And I will spend quite a bit of time around this, on the ransomware trends, because it is an ever evolving area.
As highlighted, we've seen a 35% increase in the number of incidents quarter over quarter. And that's on a steady rise over the 2024 year and doesn't seem to be slowing down. So James, do you want to first touch on just the elements of the more organic, I guess, we've turned it into through our threat report of ransomware, and particularly those four areas that might not be as headline-driven, but are certainly areas that we've seen playbooks develop around from an attack standpoint.
JAMES DOSWELL: So brute force of passwords, it's one of those areas that's-- it's still there. You think, well, surely companies would have actually introduced password lockout policies where perhaps they try five times and the password locks out. But it's still there, and we still see it. Weak credentials. Everyone knows password1 or password1! is weak, and yet things like that still happen.
Social engineering. I mean, we'll come back to that in a minute. But certainly, there's a very distinct up and coming threat from social engineering. With the advent of AI, it's more and more. Targeting older and lesser known vulnerabilities. At the end of the day, there's thousands and thousands of vulnerabilities out there in software. Things get missed from patching. Sometimes systems get restored from backup, and therefore the patches get forgotten to apply.
Sometimes it's a case of, they're just missed because it's an older system. It doesn't get so much attention paid to it. And it really is becoming a target for the threat actors as they're pressed because of so many of the modern EDR solutions that do provide good protection, the modern SIEMs and SOCs that actually allow proper monitoring and controls, they're targeting some of these older and lesser known vulnerabilities.
TIM GESCHWINDT: OK. Just jumping in on the ecosystem point, I think this is really interesting and comes from a study we did with the ransomware groups last year. And I think one of the major points is the lifespan-- simply, the lifespan of a ransomware group has declined significantly. So we used to see groups like LockBit be pretty resilient in the face of law enforcement action and intragroup squabbling, you might want to call it, but that seems to be less effective.
So even on the graph that we've got on the page here from the Travelers Q1 report, you can see RansomHub is second there in terms of volume. RansomHub doesn't exist anymore, and this was one of the groups that had taken the mantle up and was certainly driving a lot of the incidents. You can then see Qilin is number four. Qilin is the group that we understand a lot of the affiliates have moved from Ransomhub in search of the next programme to be their stable as they run their incidents.
This period at which this affiliate grouping, mostly Russian speaking, spends at each group, has declined year on year. They're spending a lot less time in each group. And without going into too much detail, I think really, you can trace this back to the success of law enforcement operations. I think valuing a law enforcement operation in terms of the number of arrests really misses the actual impact.
And the impact is the breakdown of the trust-based ecosystem among cyber criminals who rely on the fact that they can work with an affiliate who they've never met somewhere on the other side of the internet, wherever they might be, and run an attack together. Well, as the FBI and the Dutch police and the English NCA have managed to infiltrate those groups bit by bit, the willingness to work together on collaborative operations is declining. And we're seeing more and more lone wolves.
And as you can see there, a 96% increase in active threat groups. And we're seeing that number was from 2024. I think 2025, we're going to see an increase on that again, probably near the 100% mark up around the 100 active threat group number. But yeah, a really interesting piece there.
And last point on that would be while Clop remains the dominant player, I think Clop is interesting because they do these single-moment campaigns where they hit a file transfer tool, a load of different companies get hit at once, and then they spend a good two or three months going through the post campaign fallout and leaking the data one by one. But they're not active in between those campaigns. So really, they do one or two a year, and that really is enough for them to hit the top of the leaderboards. While the other groups are far more consistent in their approach.
JOHN PAIN: Yeah, I'll just add to that. It's quite interesting-- sorry. The interesting part about that graph is probably what comes after that 10 and that explosion of, as Tim was saying, the lone wolves. And the point about that lack of consistency or stickability with an organisation, that has a knock on effect in terms of the tactics that are adopted, the professionalism, and the reliability, and that causes real-- and I know professionalism and reliability are slightly strange concepts to give to a criminal group.
But you look at the good old days of Conti, LockBit, and those kind of things, and could provide meaningful advice based on a real watch of intelligence, meaningful intelligence. So you could say that there is very adept at getting data out, so you can bank on exfiltration. They have a decryptor key, which mainly works. They will name you after seven days if you don't engage, and there'll be probably a leak of data 10 days after that if you still don't engage.
And so you can-- it allows an organisation to plan and to really have a playbook for how they deal with the incident. With some of the names that you've got, even on that top 10, there's a real, again, lack of professionalism in some of them. You see we've got a number of Fog instances, for example, at the moment.
And evidence of data having been exfiltrated, but no contact with the threat actor-- no ability to contact the threat actors because they haven't left the normal Onion or Tor browser links. And we've got Fog matters which go back quite some way now where although we've seen evidence of exfiltration, it's never been made public. So it makes it really-- that fragmenting, that lone wolf makes it really, really difficult to respond to an incident.
MATT WALLER: Yeah, I think that's a really interesting point, John, on the fragmentation. And they're building these playbooks on the threat side that we talked about with the evolution of going back to the old tricks of weak passwords, that sort of stuff, and that's starting to get stale on that side. But you're still dealing with separate organisations that are going to act at different ways and at different points. A follow-up-- one-point follow up on the exfiltration side, that seems to be much more prevalent and consistent. Is that what you're seeing across all threat groups now as well, and that's just part of your incident response process, is engaging and understanding what the exfiltration is occurring?
JOHN PAIN: Yeah. So that's an interesting one really, because again, it goes to that fragmentation of it. So there are an increasing number of incidents where there is no encryption. It's just straight exfiltration. And so the first the organisation knows about it is that they're contacted by a threat actor with the proof of life files or file trees and that kind of thing. So yeah, straight through exfiltration.
But on the flip side, we have seen incidents where they've just gone straight in, deleted, and tried to encrypt and just try and make as much of a mess of the environment as possible as well. So I think exfiltration is always going to be the target. But actually, we think there's been a shift in the last 8 or 9 months to our priority in terms of-- I mean, it's always going to be getting the business back up and running, obviously.
But the threat actors seem to be making much more of an attempt at operational disruption and seeing the value in that rather than the data per se. But I don't think there's any clear pattern there, which again, goes back to that graph. And actually what happens below that 10-- the top 10 in the-- it's quite a tired example, but it is the Wild West out there at the moment.
JAMES DOSWELL: I've certainly been made aware that data weapons are becoming more prevalent. And I think that probably brings us nicely onto the next slide, which is the trends continued. Where from an automation perspective, we're seeing faster attacks, faster impacts, much wider reach to them.
(DESCRIPTION)
Slide: Ransomware Trends - Continued. A holographic screen displays charts and graphs in a photo on the right. Text: Automation amplifies impact: Faster attacks, wider reach. Trickle-down tactics: Smaller groups mimic major ransomware players. More incidents, fewer payments: Payments fell from 28% (2022) to 14% (2024). S.M.E. pressure intensifies: 53% rise in small businesses listed on leak sites in 2024. Sources: Travelers Q1 2025 Cyber Threat Report and S.R.M. 2025 Cyber Incident Insights Report.
(SPEECH)
And that automation-- I had the opportunity a little while back to actually see a dark website that they were reselling scripts.
So for the price of $200, you could actually click on a link, download a script that would automatically remove pretty much any of the top 20 EDR XDR solutions. You just type in which one is the one that you're particularly targeting with your threat if you were the threat actor. And it allowed that script to be downloaded, payment of $200, and that's it. Off you go on your merry way as an attacker. It's making life much, much quicker for them, much easier. And yeah, it's very concerning.
JOHN PAIN: Yeah. I think that links back to the proliferation of actors, and that kind of thing really lowers the bar to entry to the market. So you don't necessarily need that massive skill set. And that fragmentation-- sorry to go on, but it's then self-fulfilling. So we've seen, for a long time now, specialisms within threat actor community. So access brokers, people then utilising that access, and the whole process can be broken down. So yeah, it's a really, the more that automation is built out, the lower the bar for entry, I think.
TIM GESCHWINDT: It also impacts, I think, dwell times, and that, of course, has an impact on detection and response. So when I started my career in incident response as a junior analyst filtering through logs, I think one of the commonalities or consistencies across cases was you could pretty much expect that when you were getting into a response in 2018 or 2019, and the threat actor would have been in the network for at least a week, two weeks, sometimes a lot longer than that. And you could typically track it down to an open RDP port or a phishing incident, one of the two pretty much.
I think in 2025, you see a lot of incidents where either initial access was gained a long time before, but it was by an initial access broker, and then nothing happens. They're clearly selling it somewhere. And then boom, someone comes in and does the actions. Or you see this automation amplifying the impact by just accelerating the attack chain through the phases much, much quicker than they used to be able to.
And I'll give an anecdote for this. We were responding to an incident in Australia, but for a multinational company, last month. And it was involving a threat actor who is tracked as Velvet Tempest. This is a group who worked with LockBit, then jumped to ALPHV also known as BlackCat. Then they found themselves at RansomHub. And there were a very interesting-- they're an interesting crew who we've been tracking them for a long time.
And we managed to find out that the entire attack chain had started from an individual in a shared warehouse in Australia who went on YouTube on a shared desktop machine in the warehouse floor and accessed a reggae playlist on YouTube. And while listening to the reggae playlist, and I'm sure it was a great playlist, no doubt about that, an advert was served to the user through Google Adverts and asking or telling the user that a new Google Chrome update had been released and that his browser was out of date, or the shared browser was out of date.
They clicked on the software update link served through YouTube, looked like Chrome, YouTube, Google Product, looked very legitimate. And that downloaded the DarkGate Trojan in the background, which was relatively a rare Trojan, to be honest with you. Five hours and 58 minutes later, the threat actor had managed to go from that single desktop PC in Australia to the active directory level on the domain controllers for the global network and managed to take down all operations in Australia, Belgium, and the Czech Republic. The other entities, thankfully, in the other countries weren't impacted.
But that sort of dwell time from initial access to absolute impact at multinational level used to be a week-long effort from multiple threat actors. But as James has noted, you can find these scripts anywhere, and it really, really helps you progress through that attack chain train at pace.
MATT WALLER: That's a scary thought. Yeah, I won't be listening to reggae music for a while now. But yeah, it's-- again, going back to the spread of the threat groups and automation, there's more threat actors out there, on there. So it's opening the exposure to businesses much more rather than the big game hunting and the strategic attacks that we saw five years ago. This is just mass proliferation that ultimately trickles down. And that's the next point.
And Tim, we were talking about that on the retail side before and saying like, yeah, that makes all the headlines. That's what people are going to be reading about in the paper, the big UK retail breaches. But there's lessons learned from that, and those lessons learned will then be carried out to these wider organisations that will then be applied at scale. So maybe can you expand a bit more on that logic?
TIM GESCHWINDT: Yeah, of course, Matt. And I think you describe it really well already, to be honest with you. But I'll add a little bit of colour, which is, it's around this sort of copycat issue or mimicry. You can divide the cybercriminal ecosystem enough into a few tiers. Where in the tier 1 grouping, you really have your nation state and APTs and your most advanced cyber criminals, your e-criminals, financially motivated.
Then you've got this secondary band, which would be your well-known ransomware groups, ransomware groups as a service. So your LockBits and your ALPHVs and your Qilins, your RansomHubs, your Clops. And then below that, you get your-- John mentioned it, your lone wolves is really what we often call them, or these fringe actors. And what you often see is there's this trickle down effect where the tier 1, the APTs, come up with these strategies, they develop the exploits. They come up with new techniques.
And a good example would be the use of Mimikatz and EternalBlue by-- well, EternalBlue was an NSA American-developed exploit in the Intel community. And Mimikatz was developed by a security researcher, Benjamin Delpy. It was the APTs, Russia, who put them together and figured out that they could hit Ukraine in what was pretty much an automated incident. Then all the e-criminals went-- well, Mimikatz is actually awesome. I'm going to use this, and we still see Mimikatz to this day being used.
What we're seeing with the health care-- health care, the retail sector incidences, the widespread reporting and really the reporting around the UK campaign, retail sector campaign, has been really significant, very detailed. And I don't think it's a coincidence that within two weeks of some of the exposés by the BBC on the attack chain, that Coinbase released that they were then breached through a social engineering of their service desk, which is the exact attack chain that the media have reported the Scattered Spider incidents were due to.
Now, my intelligence suggests that is not the cause of the or rather the threat actor involved in the Coinbase incident. It appears that it must have been someone either complete coincidence and they were planning this beforehand, or it may have been someone who's looking at the impact and the success of the Scattered Spider campaign and going, why don't we give it a go? And I think that this is one of the concerns I have, is, it's not very-- these sophisticated techniques don't stay with the sophisticated actors for very long when we're showing off these attack chains in mainstream media. And so my concern definitely is this trickle down-- this mimicry over time.
MATT WALLER: Yeah. I think that makes the worry for businesses, that matter size as you see this ecosystem continue to develop, and then some of the trickle down elements. John, you have something to add as well?
JOHN PAIN: Yeah. I was going to-- don't need to dwell on it particularly, but it does link back to the supply chain point. And it isn't a particularly clever thing to say, which is probably why I'm the one left to say it, but it does bear repeating that you're only as strong as your weakest link. And it's really, really difficult for organisations, even large and sophisticated organisations with the resources to map out where all their different points are, and then the clout to actually try and enforce or investigate with those third parties what their kind of security provisions are.
So Marks & Spencer's struggling, as we've seen, with that. The standard or an SME or something like that just don't have the clout or the time or the resource to really probably properly mark out. But even if they do mark out, then be able to put themselves in a position to interact with those third parties that they are engaging to drill down in a meaningful way on those security provisions. And I will say, that won't necessarily have stopped the Marks & Spencer's attack. That social engineering side of things is always going to happen. But yeah, as I say, just link-- does link back, I think, to that supply chain issue quite nicely.
(DESCRIPTION)
The slide briefly moves to the next one, then returns to Ransomware Trends - Continued.
(SPEECH)
MATT WALLER: And then there's the last two points, just going back to the last slide. I think those are trends that are aligned with what we're talking about, the separation. But if somebody wants to volunteer or comment on this falling of ransom payments. I think partially that's people are getting better at recovering from backups, that element of things. But also, this rise of exfiltration outside of the side of the coin where almost the cost benefit that businesses are going through of being encrypted or losing data.
The threat groups are playing on both ends of that kind of spectrum to give them the best opportunity to get the ransom paid. So I'd be curious, maybe, John, you could cover this off and just say... And then potentially also on the incident side, talking about how this on the leak side element, how that's playing through with law enforcement and what their-- your engagement on that side of things is data and privacy-- data privacy will come into play.
JOHN PAIN: Yeah. So I think it's the shining positive, I suppose, out of all of this. Things are getting worse, but ransom payments are down. I think you touched on that-- covered the two points really. Traditionally in commerce, you pay because you're hard down and you need that decryption key, or as you say, the sophistication of organisations. And I won't dwell into Tim's world there talking about segregation and things like that.
But for the fact that you are-- we quite often see now that an organisation has been hit isn't necessarily hard down. There'll be elements of their infrastructure which won't necessarily have been impacted. So OK, threat actors taken out your two on-prem servers, but you've got cloud-based third party software applications which you can still use to run at least part of the business. And then that backup regime-- And again, Tim, be interested in your view on this, but that there has been, in the past 12, 9, even 6 months, an exponential increase in even frankly, relatively small or otherwise unsophisticated organisations having what are really quite sophisticated backup regimes, which allow, as you say, them to recover really, really very quickly.
And where you're taking away that imperative for paying, you are left with paying to suppress the data. And again, while there will be circumstances where there's intellectual property there or there's real really business critical data, from a data regulation, so privacy ICO kind of perspective, paying to suppress the data doesn't really move the dial as far as they're concerned in any meaningful way in terms of derisking things.
An organisation's still going to have to go through the rigmarole of sifting through that-- through processing it, carrying out an appropriate risk assessment, and making the notifications where they are required. So the cost benefit-- sorry, the cost benefit analysis of making payment for suppression only is a much less attractive one.
I also think that-- and it goes back to Tim's point about reporting. In some ways, these Marks & Spencer type of incidents are a good thing in people's minds. It's got my mum talking about it, for heaven's sake. She's not interested ordinarily in what I do. But it puts it on a footing that the general public can understand and almost destigmatises it in the eyes of lots of people. Which means that actually, paying a criminal to try and stop that embarrassment factor or that PR factor is probably counterproductive.
And I think it's-- that counterproductive swing is-- I don't think you can underestimate the impact of the Russian invasion of Ukraine and the fact that there is that predominant Russian language threat actor, a lot of them are Russian language threat actors. So there is, again, a PR nightmare brewing if you find that you're diverting payments towards paying people who may be in some ways, at least tangentially, involved in that incident.
So yeah, I think it's a great thing that it's decreasing, and I suspect we'll see it continue to decrease. What I will note there is-- and Tim jump in if I'm getting any of this wrong, because I appreciate this is an S-RM statistic. But that decrease to 14% is on matters that S-RM have dealt with. What I would say is that we-- at Kennedys, that figure is-- that's a single figure percentage point on incidents that we're instructed in where ransom payments are made.
And then I'll contrast that with-- there are figures from Coveware, who are generally accepted, as is having pretty good visibility over this. And I think they've seen, again, a year-on-year decrease. But I think the figure for payment across the market generally is about something like 37%. That divergence in numbers I think is really significant, because certainly from a Kennedys perspective, where we've got corporate retainer clients, we tend to be dealing with insured entities. The fact that they are looking at taking out insurance suggests that they've got IT security posture as at the forefront of their mind. They're alive to these things, which probably means they've carried out some risk assessments and have a sensible IT security posture in the background in the first place.
And Matt, no offence to this, but how subjecting themselves to the rigmarole of going through the underwriting process. That will invariably throw up weaknesses and points which underwriters have seen as, OK, this is a problem for us, which allows those organisations to address those concerns and have them identified. I know you're, it's going to get spoken about later, but Travelers, S-RM, and Kennedys offer of a wide spread of proactive services as well, so the insured clients that we see are availing themselves of that.
So actually, when they do get hit by a ransomware incident, they've got the added bonus of being able to get Tim and dare I say myself on a call within half an hour. So the background work is done there in a much better place prior to the incident. And then when they do have an incident or if they do have an incident, they've got experts on hand that can guide them through that process. And I think that is reflected very markedly in that divergence from 37% across the market to 14%/5% where an organisation comes from an insured background.
TIM GESCHWINDT: Yeah. Just to, I think, add an S-RM comment on that, I think it is important to always contextualise the stats you get from the cyber security industry in general, just because we are all positioned slightly differently. Now, S-RM does negotiations, but it's not our core business. And so Coveware's core business is negotiations, so you can imagine them being instructed on cases which are more likely to go to payment or might only be instructed on a case to facilitate a ransom payment.
But definitely, what you said there early on, John, around the protection of backups, I think, is what we see in terms of the initial scoping call with an insured or an uninsured retained client, whoever it is. The number of times now that we are walking into those calls-- and they know what we're going to ask around, OK. So have you done the discovery exercise? Have you validated the backup?
When I started my career, those questions were either, well, we haven't had a look yet, or, we have and they're encrypted. Never did anyone say to me, oh, I've actually had a look through a hex viewer, and I validated that the backups are definitely encrypted. Well, nowadays you walk onto those calls, and they've done all that. They've checked, they've validated it. They've probably got a restoration job already running for one of the priority servers. So the competency is something we've also got to reflect on and acknowledge.
I think often when I've sort of walked into an incident, the client has turned around, and you can see there's a bit of guilt and a bit of shame, you mentioned that, John, around the embarrassment factor of paying a ransom, but also just being hit by-- in a cyber incident, there is that shame dynamic there. I think over time, people are, as you say, becoming a little bit more aware that most companies have experienced an incident of one form or the other by this point in 2025, and that the stigma around that is decreasing.
So I would say, as a final comment on the payment piece, geography matters, and it matters massively. Our 28% in 2022, we had a significant domination really in the UK market for where our incidents were coming from. That's now very much US-focused. And so of a proportion of that 14%, a good 80 plus percent of our ransoms are being paid in the United States. And in Europe now on the mainland, we get very little traction at all in terms of those considerations.
So domestic context, cultural context, the potential for litigation, of course, is really important if data is leaked. And so we're really happy to see ransom payments declining. To be honest with you, recoveries without a ransom payment, they're really-- for a client, there isn't a massive difference in terms of recovery timelines anyway. If you've got backups that aren't encrypted versus a decryptor, no one really rushes for a decryption tool anymore because the perception that that is a one-click fix has thankfully started to disappear in the market.
But there was that perception a few years ago, that it's some one-click fix, and then you suddenly got a network, and your operations are back up. But everyone knows now that you-- you still have to-- what we call a sheep dipping, but you still have to do very careful cleaning of each device after you've decrypted it. And then what's the point? You may as well have restored from backups and do it the right way anyway. So declining payments is definitely what we're seeing. We're hoping to see that continue in 2025. But I think this is a-- as with all cyber security statistics, this is a fluctuating landscape.
JAMES DOSWELL: That brings us into the SME side of things, where the attackers are potentially-- they're finding that the bigger organisations are relatively well bolstered with their security layers, their multiple layers, and the monitoring that goes on as well. And they are targeting these smaller companies with this kind of bleeds into this 53% rise that we've seen in small businesses linked where they are being leaked and so on.
JOHN PAIN: Yeah, definitely. And I think that's where the M&S point is probably slightly counterproductive, and the reporting on that side of things. Because we hear a reasonable amount of organisations-- I'm sure we're not alone in this-- organisations say, we're a ball bearing manufacturer in Middlesbrough or whatever. No one's going to target us. We're not being targeted. And it's that fundamental misunderstanding that--
Marks & Spencer is fine. That sounds like that was much more of a targeted kind of attack. But the vast majority of instances are much less targeted, and what they're doing is scanning for that vulnerability. Probably not actually that sure about who or don't care who they've compromised or found at that point. It's about just identifying that way in.
And again, because of the funding gap that's inevitably going to be there between a FTSE 100 company and an SME, that is going to put the SME in that low hanging fruit bracket much more frequently than their counterparts elsewhere. And that's not to say there aren't really sophisticated SMEs who do a fantastic job with this and put FTSE 100 companies to shame. But just on a pure numbers basis, they're not going to have that war chest or the size of that war chest to deploy.
And then again, I'll come back to that point. If you accept that having insurance is a good way of mitigating against an attack in the first place and then dealing with the attack afterwards-- and Matt, you're probably much better placed to speak to this than me. But the last figures I saw, something like one in 10 SMEs have cyber insurance. And so that leaves 90% who are in that bucket where they possibly haven't taken their private security postures as seriously as they might. Yeah, I'm not at all surprised frankly that there's a rise in those SMEs on there, and I would expect that to continue to be honest.
JAMES DOSWELL: Well, I think one of the enablers is that the attackers are able to potentially carry out their attacks so much more quickly and efficiently. So if we move on to the next slide,
(DESCRIPTION)
Slide: AI Threats. On the right is an image of a blue network with white dots in it. Text: Mismatch. Security control detection. Security avoidance via polymorphism & obfuscation. Ghost G.P.T. - AI enabled phishing. AI driven criminal eco-system. Patching cadence simply too slow. Low score vulnerability chaining. Adaptive timing - execute attacks in low detection risk times. Deepfake - Voice impersonation, has had 100% efficacy in testing. Sources: Travelers Q1 2025 Cyber Threat Report and Travelers Q4 2024 Cyber Threat Report.
(SPEECH)
one of the reasons is, there was-- with the up and coming AI, it's been around for quite a considerable time. It's only really hit the headlines, become mainstream in the last 18 months or two years.
But in terms of AI, it's been around for decades. And one of the things from the attackers' perspective, there's been a distinct mismatch between where industry has got to in the last 18 months-- and there's loads of companies out there really starting to take it on heavily, and there's been a mismatch between that and attackers not picking it up. And I suspect one of the reasons is probably that they've just been a little bit cautious about it being cloud driven, about potentially being monitored or caught.
But now that AI is starting to come out in offline versions, their own local little Linux versions, Ghost GPT being a prime example. They're looking at being-- ways of being able to develop AI-driven security control detection, security avoidance where they're able to-- for example, for a phishing attack, whereas the filters would normally pick it out and say, hold on, this is a phishing attack really quite straightforward, now the code is polymorphic. It's able to change.
Obfuscation, they're able to embed it with multiple language sets. So instead of just having the ASCII character set, you've got Cyrillic, you've got Greek character sets, you've got all sorts mixed in. It could even be EBCDIC or hex. And that AI-driven side of things is actually driving a criminal ecosystem, as far as I'm aware. It's causing a lot of speed up, there's certainly with patching cadence.
It's getting to the point where we're used to seeing, particularly with Microsoft environment, for example, everyone's familiar with patch Tuesday coming out once a month. Now it's getting to the point where that patching cadence is simply too slow. Whereas I think one of you mentioned earlier that it could be a week or so before they can turn around and actually develop from a vulnerability into a working exploit. To actually get that patching cadence now, they're able to-- even particularly guys that haven't got particularly good coding skills are able to use the AI, develop code, transform their exploits, go and download automation scripts, target those low-hanging fruit, those SMEs, for example, and compromise them. And it's really very, very concerning.
One of the other areas, the whole adaptive timing, whether it's 3:00 AM on the target when they're actually carrying out the attack. They can script it to run at various times. And it brings us to this whole-- the social side of it where you've got deepfake and interacting with help desks, interacting with the traditional finance team where they've previously been compromised is through social engineering where they think that they get an invoice come through, they think they have to pay it because it looks genuine. They think it's genuine and there's an urgency to it, and so on, the traditional bits you hear about.
With the deepfake, it's taking it to another level. We've now got voice impersonation. We've had video impersonation that's actually working. Just recently, Travelers did an internal test where we had a reasonably realistic video impersonation with only a few minutes it took to actually spin it up. The voice impersonation, again, for example, help desk staff-- that type of compromise has had 100% efficacy. We had one of our larger insureds, the CTO carried out a test against all 47 of his IT department, and they had 100% failure rate.
Where every single one of them was individually asked, can you go ahead and turn off that server, please? It's such and such. I need you to do it now. And every single one of them genuinely thought they were speaking to the CTO and went and carried it out. So I guess this brings us to Travelers recommendations. And perhaps, Matt, you could allude further.
MATT WALLER: Yeah, sure. Just on the AI side, I think that's a really important point. Obviously, there's the elements around vulnerability and scaling and the automation side of things. But what worries me in the immediate term, given the coverage that we provide under our cyber policies, that social engineering element, it's easier for them to bypass simple controls.
Phishing training is now relatively common, but we're seeing those models just slightly translating clearly and articulately, deepfake impersonation. And that's the first trend that we're starting to see come through on that. Eventually, we'll get to this next stage of the mismatch side of things. But it's that human element, and AI certainly helping improve that one weakness, I guess, and exploiting that one weakness in any organisation. And you're seeing financial crime loss as a result.
TIM GESCHWINDT: Just to add on to that, I think we've got a pretty good example of that. When you're considering ransom demands and ransom payments, and we've been talking about them going down-- and an average ransom payment at this point has dropped in terms of average value. You're looking at a couple of 100,000 pounds or US dollars. Whereas a few years ago, you were averaging out 1.2, 1.3 million.
You now need to have, say, 10, 20, 30 successful ransomware attacks to get into the 5 to 10 million range. We had one successful deepfake incident which hit the news, so you may already know of this one. So I might be telling you old news, but we had an incident where a UK CFO was impersonated, and it was actually a pretty good one. So they impersonated the CFO. And then when inviting the various top people to the call, they invited five people who were also deepfake impersonations of other people in the company. And so only one of the people invited, the target, was not part of the deepfake attempt.
And this Hong Kong-based employee, part of the finance team, unfortunately was tricked into sending 25 million US dollars to a malicious bank account. How many successful ransomware attacks do you need to do to get to 25 million US in one day in terms of monetisation? Well, the answer is a lot, and they need to be big companies.
So this is why when we go back to the chat about BECs, I'm really worried about that AI piece. Deepfake impersonation is so easy to do. If anyone has seen the Google Veo 3 that has come out in the last couple of weeks, the level of sophistication of video generation is getting to a level where most people will just not be able to tell the difference. So an interesting anecdote, and unfortunately, a scary one.
MATT WALLER: Yeah. I felt like I was at that car show. So on the deepfake video, if anybody has not seen that, it's pretty crazy. So John touched on the elements of insurance. We've
(DESCRIPTION)
Slide: Recommendations from Travelers Cyber Risk Services team. Text: Implement phishing-resistant MFA for all remote access and email. Run an effective vulnerability management programme to quickly patch critical vulnerabilities in edge devices, such as VPNs. Ensure you have reliable backups and have a resilient disaster recovery and business continuity plan. Run EDR solutions with 24 7 active monitoring. Logo: Travelers.
(SPEECH)
talked a lot about the doom and gloom of things, but the underwriting process and building operational resiliency is a key metric and an area that businesses can help mitigate the threat landscape that we've talked a lot about.
And there's four recommendations that I'd say we have from an underwriting side and that we're looking for. And we look for businesses, small and large, to be implementing with different scale and different requirements. But if you can tackle these four things as an organisation, you're probably in a fairly good spot. And then we'll talk to the response side and insurance can bring. But this is--
(DESCRIPTION)
The next slide briefly appears, then it goes back to the recommendations slide.
(SPEECH)
sorry. James. If you go back.
So the four elements are phishing-resistant MFA for remote access and email. That's going to look at your business-- it's going to help on the business email compromise to your ransomware endpoints to the ingress into the organisation. Vulnerability management programme to quickly patch. We talked about it earlier, but all the vulnerabilities, making sure those are up to date. Ransomware groups are looking to utilise that. VPNs, another point of ingress, making sure that those are patched and not easily accessible.
Backups, that's the operational resilience. Making sure backups are in place and that the plans are tested and business continuity plans are there to help-- and they're in place. And that's something at Travelers that we can help with around incident response planning with our partners on the call as well. And really bring that holistic approach before the claim happens or the incident happens, how do we work through the response planning process to help insureds make sure they're ready to respond in a timely manner?
And then EDR solutions with 24/7 active monitoring. It's good to have EDR, but to be monitoring it is just as important and be monitoring 24/7 to make sure that you're responding to incidents as they arise. So those are the four takeaways. We talked a lot about the threat environment, but there are things that can be done for businesses to mitigate some of those concerns. And it's not perfect, but these certainly would help an organisation as they move forward and are looking at their cyber hygiene.
The other element is on the insurance side, and we talked about that a bit with John,
(DESCRIPTION)
Slide: Predict, Prevent and Recover with Travelers Cyber Risk Services. A laptop is open to a Travelers security page in an image on the left. Text: Organisations that engage with these services were shown to: Be 20% less likely to experience a cyber breach. See 27% less in total claim costs per cyber breach. Asterisk: The frequency and severity of cyber insurance claims was found to be lower across all policyholder organisations that met a minimum threshold for engaging with the service offerings described above by registering their account on the cyber risk dashboard. Logo: Travelers.
(SPEECH)
we did a very good insurance pitch there. So I'll piggyback on the back of that. We're here to help, I guess, is ultimately at the end of the day. And when you're working with an insurer like Travelers, we see an improvement in the likelihood of events through the underwriting process. We can help through that process, and then claims costs come down.
I mentioned, we do claims onboarding calls and work with our partners to help onboard clients, make sure that the process is there, which then in turn reduces costs. Talked about ransom payments coming down. Maybe there's correlation to that. I'm not going to make that claim, but there is some elements around that where we can help to that negotiation process and make sure a client is ready to respond in that moment of crisis.
I have a family friend, as an example, who had an incident of their small business, and they had no insurance. Panic sets in. They're offline for days. They're trying to call lawyers, trying to figure out who to speak to. That's all there for you. And in a moment of crisis, that's what you want, and that's what Travelers and our partners are there for, to help you through that process and to provide a response in a timely manner.
And then what do those look like? So on the next slide, we have some of the active alerting processes that we do.
(DESCRIPTION)
Slide: Always On Threat Monitoring and Alerts. On the right are screenshots from an Action Centre and Confluence Vulnerability Alert. Text: Our 24/7 threat intelligence programme gathers data from dozens of first- and third-party sources, including the dark web. Targeted alerts are delivered to policyholders the same day Travelers discovers a new threat. Policyholders get an average of two weeks', asterisk, advance notice before alerted threats are exploited in the, quote, wild, end quote. Broker visibility: you are automatically informed of any alerts being sent to your client. Asterisk: Based on a 2023 internal study comparing the date that vulnerabilities were identified and policyholders were alerted with the known vulnerability exploitation date.
(SPEECH)
We're providing threat intelligence 24/7. Through our scan technology, we're able to monitor our clients, identify if there are vulnerabilities, and engage with them. We'll always keep the broker in the chain. Importantly, the brokers are very important to this process.
But what we want to have is active engagement with our customers. We find that we have that active engagement that helps everybody in that process to come to the right landing. And if we think about the small business side of things with 1 in 10 buying, this is the risk services element that I think we can really bring to the table on that transfer of the response process and making sure in that time of need, we're there to support them as much as anything.
Great. So I think that brings us to the end of our presentation.
(DESCRIPTION)
Slide: The Travelers Cyber Risk Services Difference. Text: Trusted Cyber Expertise. Industry Leading Intelligence. Always On Threat Prevention. Unparalleled Service.
(SPEECH)
I'll move into the Q&A, just to see. One second.
(DESCRIPTION)
Slide: Q&A. Logo: Travelers.
(SPEECH)
1. All right. I have one question here. We talked a lot about ransom payments and where that is. But I guess the question maybe for John, where do we see the regulatory environment going for payments of ransoms at the moment? I mean, there's a lot of talk about that at this time. So yeah, any--
JOHN PAIN: Yeah, I mean, conscious of the time, luckily, I can keep this short. It's only really going in one direction, and that is increased scrutiny over which organisations can pay and under what circumstances and/or coupled with mandatory reporting. So yeah, you probably saw in the news recently Home Office consultation setting out just that and looking to put in place regulations and controls over which organisations from which sectors. So they're talking, predominantly at the moment, about publicly funded and critical infrastructure type organisations not being able to pay ransoms.
I approve. It's a good idea in terms of if you stop these organisations, the threat actor groups, if you cut the supply chain by preventing payments, then in theory, it reduces their interest in carrying out these attacks. Slightly sceptical, if I'm being honest, as to how efficient that's going to be for various reasons. Not least because I think properly advised, if an organisation comes to the point that they are wanting to pay or find no other alternative than to pay a ransom, as I say, if they're properly advised, they don't come to that landing lightly. And adding that extra layer of complexity, that potential delay and that additional scrutiny I don't think is necessarily going to help the process.
And then, yeah, I think it-- there's a global movement towards looking to regulate or limit the payments that are made in these ransom situations, and that there was-- Australia have set up a mandatory reporting requirement recently, which went live recently. So I suppose I'll take some comfort. We can see how that plays out before it goes live in the UK. But yeah, I think-- sorry. For clarity, there's not-- we are still very much in the consultation phase in the UK. But I think we are going to move towards-- yeah, we are moving towards that. There's only one direction of travel. And apologies because I said that was going to be a short answer, and it wasn't so short. But yeah, it's an interesting question.
MATT WALLER: Great. Well, conscious of time. I guess I'll just wrap it up there. I think there was a lot to take on board, and it was a great discussion.
(DESCRIPTION)
Slide: Thank you. Logo: Travelers.
(SPEECH)
So Tim, thank you for the time. John, thank you for the time. Everybody on the call, thank you for the time, James, for your insights from the Travelers side. If you have any questions, please feel free to reach out to any of us, and we're here to answer those as they come up. And then we'll respond as quickly as possible. Thank you all. Bye, bye.
Businesses in Europe and across the globe face an increasingly volatile digital threat landscape. Cybercriminals are using new tactics to launch attacks – and harnessing advances in technology to make those attacks happen faster.
For example, generative artificial intelligence (AI) will continue to make elements of cyberattacks more effective and efficient, which will increase the frequency and intensity of cyber threats in the coming years. Strong defences are needed in response: A recent report from Cyber Ireland said businesses are responding by allocating more than 70% of their cybersecurity budget to the use of generative AI to detect and counter threats. Meanwhile, regulations including NIS2, DORA and the Cyber Resilience Act are imposing tighter security requirements on businesses in critical sectors in Ireland and the rest of the EU.[1]
“In the current cyber threat environment, monitoring the shifting tactics of cybercriminals is a full-time job,” said Matthew Waller, Head of Cyber at Travelers Europe, who moderated a recent webinar about how businesses can improve their cyber resilience. “When a business partners with us to manage their evolving cyber risks, they get a playbook for managing a cyber incident. Just as importantly, they gain peace of mind, knowing they are enhancing their cyber resilience, as well as time and energy to focus on running their business.”
The Threats Facing Irish Businesses Today
The global cyber threat landscape has seen a marked rise in activity in recent months, particularly in ransomware and phishing-related attacks. Ransomware incidents surged 35% in the first quarter of the year over the previous quarter, though there has been a trend toward smaller payments in recent months, according to the Travelers Q1 Cyber Threat Report. Several factors are likely driving the change in payment size, including increased cyber security awareness, improved backups lessening the impact of data breaches, and greater law enforcement efforts disrupting ransomware operations. Victims are also becoming more adept at negotiating ransom amounts, often paying less than the initial demand.[2]
Business email compromise remains a major threat as well. “Back in 2023, about 39% of all our claims involved either business email compromise or phishing attacks in some way,” said James Doswell, Senior Risk Management Consultant at Travelers Europe. “Frustratingly, many of these compromises could easily have been avoided, with 42% of the victims lacking multi-factor authentication on their email access. Business email compromise still accounts for a large portion of our claims, which underscores how organisations across sectors are leaving themselves vulnerable to attack.”
Smarter Tactics, Faster Attacks
One of the most notable trends across the cyber threat landscape is the evolution of ransomware tactics. Cybercriminals are increasingly relying on brute force attacks, social engineering, and the exploitation of older, unpatched vulnerabilities. The ransomware ecosystem itself is fragmenting, with once-organised groups splintering, partly due to law enforcement pressure. This shift has led to the rise of less predictable, lone-wolf actors and disorganised cyber gangs. These groups often lack professionalism, which can make their attacks harder to anticipate and neutralise.
AI-driven threats are an emerging concern as well. Threat actors are using AI to enhance their capabilities by, for example, creating polymorphic malware that can adapt to evade detection. Increasingly, AI is also being used to circumvent security controls and in highly credible deepfake technologies. These deepfakes, particularly when used in social engineering schemes, pose a significant threat. One $25 million fraud incident occurred when a CFO was impersonated using deepfake technology.[3] As these tools become more accessible, the risk of high-stakes impersonation fraud is expected to rise.
Automation is accelerating the pace of all of these attacks. Readily available scripts and tools now enable attackers to bypass security controls with alarming speed. Moreover, a trickle-down effect is occurring, where advanced tactics used by elite threat actors are being adopted by less sophisticated groups. This widespread replication of successful attack methods increases the overall risk for organisations, regardless of size or sector.
How to Prepare a Response to Cyber Attacks?
While the retail sector has drawn media attention due to high-profile breaches like the recent attack on Marks & Spencer, organisations of all sizes, particularly in the legal, construction, healthcare and manufacturing sectors, are targets.[4] These industries often hold valuable data and operate complex supply chains, making them attractive to cybercriminals. The financial repercussions of such attacks can be severe. It’s critical that businesses know how to minimise their risks of an attack – and if one does occur, deploy an incident response that helps contain financial and reputational damage.
To mitigate their evolving risks, businesses can implement phishing-resistant MFA, develop a robust vulnerability management programme, and maintain tested, offline backup systems. Organisations can further improve their resilience using endpoint detection and response (EDR) solutions with 24/7 monitoring to swiftly identify and contain threats.
Why Cyber Insurance Still Matters
Beyond technical controls, organisations can fortify their protection with proactive risk management, including cyber insurance and pre-incident planning. The underwriting process alone can identify needed safeguards that can preserve business continuity following a cyber incident. Without cyber insurance – or appropriate cyber protection for their specific risks – a business is in a precarious position after a breach: it can easily end up scrambling for support from lawyers, IT experts and a range of other professionals to contain the problem – and remain offline until it can secure its systems.
“Having appropriate cyber insurance helps an organisation anticipate the potential consequences of a breach and put protections in place that minimise their risks,” said Waller. “At Travelers, we’re providing threat intelligence 24/7. Our scanning technology allows us to monitor our clients, identify any vulnerabilities in the moment, and engage with them as needed. We can help them contain damage when minutes count.”
Cyber threats are evolving rapidly in scale, sophistication and scope. These risks call for businesses to have a multi-layered, proactive defence strategy. By staying informed and investing in the right protections, organisations can significantly reduce their exposure and enhance their ability to respond to whatever threats are ahead.
If you have questions or want to learn more about Travelers CyberRisk Insurance, contact our team at https://www.travelers.ie/contact-us/find-a-team/cyber.
Sources:
[1] https://cyberireland.ie/no-sector-is-safe-from-cyber-threats-five-key-trends-in-cybersecurity-for-2025/
[2] https://www.halcyon.ai/blog/more-ransomware-attacks-but-less-ransom-payments-in-2024---what-does-it-mean
[3] https://www.trendmicro.com/en_gb/research/24/b/deepfake-video-calls.html
[4] https://www.bbc.co.uk/news/articles/c0el31nqnpvo
This information is provided for general informational purposes only. It does not, and it is not intended to, provide legal, technical or other professional advice, nor does it amend, or otherwise affect, the provisions or coverages of any insurance policy issued by Travelers. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome. Furthermore, laws, regulations, standards, guidance and codes may change from time to time and you should always refer to the most current requirements and take specific advice when dealing with specific situations. In no event will Travelers be liable in tort, contract or otherwise to anyone who has access to or uses this information.
Travelers operates through several underwriting entities in the UK and Europe. Please consult your policy documentation or visit our websites for full information.