Investing In Better IT Security to Protect Against Cyber-Attacks Will Make Organizations More Resilient Against Other Risks Including Third-Party Vendor Risk
In 2023, companies in all market segments face the possibility of being unable to obtain a cyber security insurance policy at all, as the volatility of cyber-attacks reaches new levels.
Companies are increasingly required to add higher levels of cyber protection and new technology to their enterprise security ecosystem before they will even be considered for cyber insurance. According to insurance organizations, the cost of cyber risk insurance has soared, as demand for cyber insurance coverage exceeds supply.
The World Economic Forum (WEF) recently published its Global Risks Report 2023, which identifies widespread cyber-attacks and cyber insecurity as one of the top ten risks facing governments and organizations over the next 10 years. Geopolitical and economic uncertainty around the world is intensifying the threat of potentially serious cyber-attacks, increasing the risk for businesses across sectors.
This past year, various geopolitical risks continued their impact, disrupting supply chains in major industries ranging from energy to manufacturing and agriculture. Innovative technologies are also evolving quickly, and with these come new vulnerabilities, which attackers – some of whom have strong geopolitical motives – are often quick to exploit.
A cyber-attack could take the form of a disabling ransomware attack or a breach of sensitive consumer or confidential data, either of which would cause large-scale disruption and be costly for operations, financial stability, and organizational reputation.
While progress has been made in strengthening cybersecurity awareness and planning, there is more that businesses can do to increase resiliency, including improving cyber literacy, communication, and information sharing throughout the enterprise.
Additionally, the focus on third-party risk offers a key entry point for implementing new systems, due diligence analysis, and reporting on cyber risk. Organizations now understand that they need to keep applying resources to better understand the potential risks arising from their supply chain and third-party relationships.
Insurers, including global broker Marsh, one of the contributors to the WEF report, are now coming out and saying that “cyber risk is systemic and uninsurable.” Companies may therefore be unable to find insurance coverage for risks such as ransomware, malware or hacking attacks. Carolina Klint of Marsh said, “It’s up to the insurance industry and to the capital markets whether or not they find the risk palatable,” in an interview with Computer Weekly, “but that is the direction it is moving in.”
Earlier this month, cyber-attacks disrupted the international delivery services of the UK postal service Royal Mail and infected IT systems at the Guardian newspaper with ransomware.
The Global Risks Report rates cyber warfare and economic conflict as more serious threats to stability than the risk of military confrontation. “There is a real risk that cyber-attacks may be targeted at critical infrastructure, health care and public institutions,” said Klint. “And that would have dramatic ramifications in terms of stability.”
Other Global Cyber Risks
Russia’s cyber-attacks against Ukraine could, depending on how the war progresses, lead to more cyber-attacks against inadequately protected IT systems in the West.
“I do think with Russia’s attacks, depending on the level of frustration and the success or failure of the war, we might be looking at broader spray attacks, which are going to be less targeted, which means that more companies or individuals might suffer,” Klint said in an interview with Computer Weekly.
That could be accompanied by targeted attacks on critical infrastructure, such as hospitals and health care services, which are already under strain from a lack of funding and shortages of nurses and other staff.
Greater numbers of employees working from home and the increased use of digital technologies have opened up new paths for malicious actors to break into computer systems. One future risk is that hackers will be able to harvest people’s voice inflections and facial expressions, which could be used to imitate them or to fool the voice-based identification systems used by banks.
Managing Cyber Risk Requires Collaboration
Managing cyber risk cannot be left to chief information security officers (CISOs) alone; it requires collaboration across the enterprise to agree on the scope and impact of cyber risks and on the strategies, procedures, and technologies to mitigate them. That means a collaborative effort and ongoing dialog between departments such as Operations, Finance, HR and IT, and the CISO.
To be insurable, companies will need to make certain that they have the right cyber security systems and processes in place, along with basic security protections such as multi-factor authentication (MFA). Companies may no longer be able to rely on two-factor authentication based on sending SMS codes to mobile phones to provide secure access to their systems, as that method is itself susceptible to SMS phishing attacks.
Cyber Insurance Rates Are Increasing
At Zurich Insurance Group, John Scott, head of sustainability risk, said, “with the move to cloud services, increased digitization and ransomware attacks increasing, it is not surprising that the cost of cyber insurance has risen. Rates have significantly increased, but at the same time the demand for cyber protection continues to rise,” adding that some companies are responding by self-insuring or setting up their own captive insurance companies. While technology can expose companies to cyber security risks, it can also be used to mitigate the risks facing businesses.
“There’s a cost to that in terms of profitability, but it’s well worth accepting that and it means you can still stay in business,” said Scott, adding that he has seen cases where companies have stripped their IT infrastructure down to the point that they are no longer resilient to malicious cyber-attacks.
“It is astonishing that many companies have not put basic IT security protection in place, such as ensuring software is regularly patched and using two-factor authentication,” said Scott. He also pointed out that organizations should be collaborating with their suppliers and data centers to make sure that their supply chains are protected from cyber-attacks.
How To Confront Multiple Risks
With organizations facing multiple simultaneous risks and issues, from rising energy and manufacturing costs to disruption of supply chains, they are advised to address these problems in ways that deliver both short-term and long-term benefits.
Investment in cyber security and third-party risk management will have a positive impact on risk factors across the enterprise. According to some industry estimates, the number of organizations that will either be unable to afford cyber insurance, end up with insufficient coverage, or be refused a policy altogether may double in the next 12 to 18 months, as more stringent global regulation combines with increasing cyber threat volumes.
Australia-based risk management and monitoring specialist Huntsman Security is today warning that this means organizations will no longer be able to rely on cyber insurance policies as a silver bullet in the event of a serious incident.
Huntsman Security CEO Peter Woollacott said “recent and upcoming regulatory changes, such as new EU laws, revisions to NIST’s cyber framework, stricter demands from the Financial Conduct Authority and new guidance from the Information Commissioner’s Office, meant risk is becoming harder to quantify, and proving compliance is an ever-more demanding job.”
“Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organizations trying to execute on their cyber security strategy,” he said. “At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigor and capacity constraints are all limiting the accessibility of cyber insurance for many.”
“When considering implementing a cyber insurance policy, due diligence should be your watchword,” says Paddy Francis of Airbus CyberSecurity.
Cybersecurity controls will naturally vary between policies but are likely to include the implementation of multifactor authentication, endpoint protection, restricted admin rights, patch application, staff awareness and training, regular backups, and tested business resilience and disaster recovery planning.
This heightened cybersecurity strategy will also likely include third-party risk management across supply chains. Organizations must not just protect themselves but take responsibility for ensuring that their suppliers, partners, contractors, and stakeholders are doing the same.
Companies will need to follow risk management best practice by implementing effective security controls that quickly identify and manage any emerging cyber risk. This gives businesses the best chance of identifying potential cyber security vulnerabilities and, if the worst happens, of still being able to benefit from a cost-effective cyber insurance policy that funds containment and recovery activities.
If other lines of insurance are any guide, adopting appropriate security risk management and controls will push insurers to improve their risk pricing models, rewarding those who have made the effort with more satisfactory pricing.
Certainly, the cyber insurance sector is driving security controls world-wide along with various government regulators. Companies should ensure they are able to take advantage of any improvement in terms offered by insurance companies, by continuing to strengthen their security controls and overall ecosystem.
The Modevity Third-Party Vendor Risk Management Services provide clients with an automated, branded process for vendor assessment questionnaires and a due diligence background vendor risk rating reporting service with continuous vendor monitoring.
Modevity has implemented a full range of global database technologies, vendor risk management systems, and open-source tools that enable our team of due diligence analysts to quickly obtain a complete vendor risk profile. Our client companies no longer need to implement costly vendor risk management and assessment systems or dedicate FTE staff resources, which provides substantial cost savings to their organization.
Modevity Contact info:
Tom J. Canova, Co-Founder, CMO
Office: (610) 251-0700