Cyber Resilience before Cyber Insurance

Cyber Resilience | Article | October 30, 2024

Resilience is the measure of how readily an organisation can carry on in the face of disruption or a changing environment. And nothing tested the operational resilience of organisations more than the recent Covid-19 pandemic.

Thomas Clayton & Arunava Banerjee


This article counts towards accumulating your annual CII CPD structured learning hours for Cyber and Data Security. By reading this article, and correctly answering the three questions underneath, you will have achieved the following learning outcome: Summarise how the insurance industry is responding to cyber risk. Visit the CPD Hub to log in and begin accumulating CPD hours.

Alongside that, organisational resilience is regularly being tested by cyber attackers, especially in the post-pandemic era. As organisations rapidly shifted their way of working, their dependency on digital systems, cloud environments and remote collaboration tools increased. While organisations were going through this major transformation, we saw a significant rise in cyber-attacks.

Current Cyber Threat Landscape

Phishing is currently the most potent attack vector. According to the DCMS Cyber Security Breaches Survey 2021, 83% of organisations that identified an attack or breach in the preceding year reported phishing, up from 72% in an earlier edition of the survey. We also saw a significant rise in phishing campaigns using a COVID theme: first the virus itself, then the furlough scheme, then vaccine research and finally even the supply of vaccines were used as lures. Cybercrime and fraud are increasing rapidly, and criminals are increasingly using new technologies such as deepfakes. According to the World Economic Forum, the number of deepfake videos online has been growing at an estimated annual rate of about 900%.

Another type of attack that grabbed the headlines in the last year was the supply chain cyber-attack, with notable examples including the SolarWinds Sunburst attack, the mass exploitation of the Microsoft Exchange vulnerabilities, and the recent Kaseya incident.

Alongside these, cybercriminals constantly targeted vulnerabilities in remote working infrastructure such as exposed RDP, VPN gateways and firewalls, as more and more people were forced to work remotely.

But the most critical cyber threat has been ransomware. Threat actors have been targeting organisations of every shape and size, and almost every week we saw some form of ransomware attack somewhere in the world. It has been a very effective tool to use against businesses, and the highest ransom payments have moved from seven figures to eight. Cybercriminals are constantly evolving their strategies, and the biggest change has been the advent of leak sites: criminals are no longer only encrypting business systems, they are also exfiltrating data before applying the encryption, and then publishing that data on the leak site if the ransom is not paid. The victim is therefore under additional pressure, handling a business interruption and a data breach at the same time, a so-called double extortion. We are also seeing cybercriminals shift to a ransomware-as-a-service model, where low-skilled criminals can easily obtain well-crafted ransomware in exchange for a percentage of their criminal earnings.

Overall, looking at the present cyber threat horizon, attackers are becoming much more sophisticated and organised, using the latest tools and techniques, and the success rate of infiltration and malware execution is higher than ever before.

Cyber Risk Transfer: Are we ready for it?

A lot of organisations are quickly shifting their cyber strategy and buying cyber insurance to protect them; indeed the portion of businesses buying cyber reportedly doubled in 2020. Unfortunately, the very same factors that led to this rush to buy, have also led to a change in the dynamics of the cyber insurance market. More cyber criminals are being drawn into the space by increasingly lucrative earnings, and this has led to a rise in frequency of claims. At the same time, these claims are also more expensive to handle as the combined impact of privacy breaches and business interruption is felt. All of this has led to a so-called “hardening” of the market, which is being felt in a number of ways.

Firstly, premiums are rapidly increasing in order to fund these more frequent and severe claims. Secondly, insurers are less willing to provide large limits in an effort to protect themselves from the highest losses. Finally, more restrictive cover is being offered; most notably through the occasional imposition of sub-limits and co-insurance (whereby the Insured will have to retain a portion of their own risk).

There are of course plenty of things that an Insured can do in order to mitigate the impact of this shifting market, most importantly taking the time to fully explain their exposures and controls to underwriters. Some key controls that insurers are looking out for include:

  • Multi-factor authentication for remote and privileged access
  • Segmentation of their systems to protect crown jewels and prevent lateral movement
  • Endpoint protection solutions
  • Monitoring and response capabilities (either inhouse or outsourced)
  • Offline (or isolated within a cloud) backups
  • Rapid patching, especially for high and critical severity vulnerabilities

Even with these controls though, it may not always be possible to secure cyber insurance, especially for high risk industries such as the public sector, law firms, and education, all of which have been particularly targeted by cyber criminals. Whether or not cover is being sought, good cyber risk management and cyber resilience are essential for any company.

The Residual Cyber Risk

Risk transfer is a good mitigation for risks where the impact is high and the probability of occurrence is low. But considering the present threat horizon, cyber-attacks such as ransomware and data breaches have both high likelihood and high impact. With the inherent risk of cyber-attack being very high, organisations must apply the right level of controls to bring the residual risk down to within the organisation's risk appetite.

The first thing to understand is that cyber risk is not just about malicious attacks. It also covers a broad range of honest mistakes by insiders and technological failures. Zurich's Global Cyber Underwriting Manager Oliver Delvos notes that it is "A matter of cyber risk management culture". Expanding on that, organisations can spend money on expensive technical solutions, but without the right combination of people and process controls, technical controls alone will not bring about effective risk reduction. Educating end users and making them aware of their cyber responsibilities is a key mitigation for cyber risk.

Organisations need to stop reacting and start anticipating. Instead of focusing all their effort on keeping criminals out of the network, it is better to assume that attackers will eventually break through the defences and to work on a strategy that reduces the impact when they do; the focus needs to be on cyber resilience, not just cyber security. The most important elements of a resilient cyber posture are a secure disaster recovery plan, an incident response plan and a business continuity plan. Exercising these plans is just as important as having them: it validates their suitability and identifies where they need to improve.

Considering the present cyber threat horizon, the other key elements of a secure and resilient cyber posture are a good patching regime, good identity and access management (including secure privileged access management) and, finally, a good detection capability to find and react to anomalies.
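To make the "detection capability" concrete, the following is an added example (not from the Zurich article or any Zurich service) showing two anomaly checks that target the ransomware behaviour described earlier: a burst of file renames to an unfamiliar extension on one host, which is what encryption in progress looks like to a file-activity monitor, and large outbound transfers to unknown destinations in the hours before that burst, which is the exfiltration step of a double extortion. The event fields, thresholds, extension allow-list, destination allow-list and the sample telemetry are all hypothetical and constructed for the example.

```python
"""Added example, not part of the Zurich article or any Zurich product.

Two anomaly checks for the ransomware behaviour the article describes:
(1) a burst of file renames to an unfamiliar extension on one host, and
(2) large outbound transfers to unknown destinations shortly before that
burst (data taken for double extortion). Event fields, thresholds,
allow-lists and the sample events are hypothetical.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png"}
KNOWN_DESTINATIONS = {"backup.corp.example", "mail.corp.example"}
RENAME_BURST = 20                      # renames to unknown extensions ...
RENAME_WINDOW = timedelta(seconds=60)  # ... within this window on one host
EXFIL_LOOKBACK = timedelta(hours=6)    # look this far back before the burst
EXFIL_BYTES = 500 * 1024 * 1024        # outbound volume that is suspicious

BASE = datetime(2024, 10, 30, 9, 0, 0)  # arbitrary start time for the sample


def _at(seconds):
    return BASE + timedelta(seconds=seconds)


def rename(host, ts, old, new):
    return {"kind": "rename", "host": host, "ts": ts, "old": old, "new": new}


def netout(host, ts, dest, nbytes):
    return {"kind": "netout", "host": host, "ts": ts, "dest": dest, "bytes": nbytes}


def build_sample_events():
    """Constructed telemetry: one compromised file server, two benign hosts."""
    events = []
    # FS01: 800 MB pushed to an unknown address two hours before encryption starts
    for i in range(4):
        events.append(netout("FS01", _at(-7200 + i * 60), "203.0.113.10", 200 * 1024 * 1024))
    # FS01: 25 files renamed to a made-up extension inside 50 seconds
    for i in range(25):
        events.append(rename("FS01", _at(i * 2), f"share/report{i}.docx", f"share/report{i}.docx.lockd"))
    # WS07: normal document saves and a nightly backup to a known destination
    for i in range(5):
        events.append(rename("WS07", _at(10 + i), f"draft{i}.tmp", f"draft{i}.docx"))
    events.append(netout("WS07", _at(-3600), "backup.corp.example", 2 * 1024 * 1024 * 1024))
    # WS12: 30 renames to an unknown extension, but spread over 15 minutes
    for i in range(30):
        events.append(rename("WS12", _at(i * 30), f"data{i}.csv", f"data{i}.bak"))
    return events


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_rename_bursts(events):
    """Sliding window over each host's renames to unfamiliar extensions."""
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] == "rename" and _ext(e["new"]) and _ext(e["new"]) not in KNOWN_EXTENSIONS:
            per_host[e["host"]].append((e["ts"], _ext(e["new"])))
    alerts = []
    for host, items in per_host.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > RENAME_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST:
                window = items[start:end + 1]
                ext, _count = Counter(x[1] for x in window).most_common(1)[0]
                alerts.append({"host": host, "first_seen": window[0][0],
                               "extension": ext, "renames": len(window)})
                break  # one alert per host is enough to trigger response
    return alerts


def find_exfil_before(events, burst):
    """Sum outbound bytes to unknown destinations from the burst host in the look-back window."""
    host = burst["host"]
    since, until = burst["first_seen"] - EXFIL_LOOKBACK, burst["first_seen"]
    total, dests = 0, set()
    for e in events:
        if (e["kind"] == "netout" and e["host"] == host
                and since <= e["ts"] <= until and e["dest"] not in KNOWN_DESTINATIONS):
            total += e["bytes"]
            dests.add(e["dest"])
    if total >= EXFIL_BYTES:
        return {"bytes": total, "destinations": sorted(dests)}
    return None


def run(events=None):
    """Return one alert per host with a rename burst, annotated with exfiltration evidence."""
    events = build_sample_events() if events is None else events
    alerts = find_rename_bursts(events)
    for a in alerts:
        a["exfil"] = find_exfil_before(events, a)
        a["double_extortion_suspected"] = a["exfil"] is not None
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only FS01 is flagged: WS07's renames end in a known extension and its large transfer goes to an allow-listed backup target, and WS12's renames to an unknown extension are too slow to cross the threshold inside the window. The value of pairing the two checks is that an alert which already carries the exfiltration evidence tells the responder that the incident is a data breach as well as a business interruption, which is exactly the double-extortion scenario the article describes.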

It is very important to develop a good risk management process with regular and systematic assessments of cyber risk across all critical business processes. Know your crown jewels and understand the exposures, risks and potential impact they can bring to the business. Information security must be an active participant in any ERM programme, and cyber risk should be addressed and reported in the same manner as the company's other risks. Cyber must not be siloed within IT.

Align your cyber programme to recognised cyber and information security standards and get certified against them. For example, in the UK, ensure that you are at least Cyber Essentials certified, ideally Cyber Essentials Plus. It is a great starting point for protecting your business, as well as for demonstrating good cyber practice to an insurer.

Finally, senior management plays a major role in ensuring that cyber risks are properly managed and given the level of attention they deserve in the context of the business.

How Can Zurich Help?

Zurich has recently launched Zurich Resilience Solutions (ZRS) to provide specialist risk management services for customers. ZRS is, put simply, risk management beyond risk transfer.

The aim of ZRS is to help our customers enhance their resilience in a rapidly changing world by offering risk identification and mitigation services, so that complex and, in some circumstances, uninsurable risks can be managed proactively. One of our main areas is cyber.

We have developed a portfolio of Cyber Risk Engineering propositions to help our customers understand their cyber exposures and cyber risks, as well as identify gaps in controls and help them select the right mitigation.

Services such as the Cyber Health Check and Ransomware Readiness review allow customers to assess the maturity of their cyber resilience posture and identify gaps.

We have also recently been helping customers to develop future cyber strategies, review security policies, and select and apply appropriate mitigations, as well as improving their cyber incident response planning, running cyber tabletop exercises, developing end-user awareness strategies and carrying out leadership engagement.

Finally, Zurich has partnered with specialist cyber security firms to complement our internal expertise and provide more technical mitigations, assessment, and certifications tailored to customer requirements.
