Cyberattacks no longer a matter of "if" but "when"

Cyberattacks no longer a matter of "if" but "when" | Insurance Business New Zealand

Cyberattacks no longer a matter of "if" but "when"

Due to the rising frequency and severity of cyberattacks, businesses are now becoming more familiar with cyber insurance and how it can help protect them from losses inflicted by a growing host of cyber risks.

However, insurance is not a silver bullet against cyber threats. According to Ariel Parnes (pictured above), co-founder and COO of cybersecurity incident response firm Mitiga, insurance is no longer the affordable and effective cyber risk mitigation strategy as previously believed.

“In previous years, it was fairly easy for firms to get cyber insurance coverage at relatively low premiums,” Parnes told Corporate Risk and Insurance. “However, heightened cyber risks and significant growth of cyberattacks, particularly ransomware attacks, over the last two years has increased the number of organizations buying cyber insurance.”

Parnes cited Marsh’s UK Cyber Insurance Trends Report, which found that 98% of UK organizations experienced an increase in cyber insurance pricing in the fourth quarter of 2021. Meanwhile, in the United States, the National Association of Insurance Commissioners’ analysis of the US cyber insurance market volume showed growth of nearly 30% in the number of cyber insurance premiums written, while loss ratios for many carriers were over 100%.

“In other words, cyber insurance carriers have been losing money, resulting in increased premium and deductible costs for buyers, more exclusions for coverage, and even organizations being unable to renew or purchase cyber insurance,” Parnes said. “These increased costs and additional exclusions make cyber insurance increasingly unaffordable for many companies, which certainly does not act as a risk mitigation strategy. If an organization experiences a significant cyberattack, an occurrence that is far from unlikely, cyber insurance will not cover all the related expenses, increasing the costs and risks related to a serious incident.”

Despite this, Parnes said that organizations should not think that cyber insurance is no longer valuable and do without the coverage entirely. Instead, it should be considered just one tool in a risk manager’s arsenal.

“That does not necessarily mean that businesses should forgo getting cyber insurance coverage – it simply means that they should not rely on it for risk mitigation,” he said. “The risk remains and, as insurance costs increase, organizations need to focus on cyber resilience to ensure that they are prepared for an attack and able to return to business as usual quickly, even after a critical incident.”

In addition to cyber insurance, many experts are also advocating for businesses to improve their cybersecurity and cyber hygiene capabilities to become more resistant to being attacked. However, according to Parnes, these aren’t enough to protect the organization from losses.

“Cyber hygiene and cyber security have been and remain important,” Parnes said. “Reducing your attack surface and using prevention tools helps to block an enormous number of potential cyberattacks. No one should be proposing that we do away with either. However, cybercrime is constantly evolving. Criminals are continuously learning and improving their capabilities, organizational skills, and modus operandi – and due to the proliferation of cyber tools, they have an advanced variety of weapons at their disposal.”

Parnes said that attacker-defender asymmetry ensures cyber criminals only need to exploit one weakness to access a target’s environment, leading to the conclusion that, for an organization, a cyberattack is no longer a question of “if” but “when.”

According to Parnes, cyber environments today are so complex that it is nearly impossible to determine the extent of exposure due to even a single common vulnerability, such as Log4j, because organizations are almost certainly not aware of all the dependencies in their own software and in third-party software components. Adoption of cloud and software-as-a-service components have created a new, interconnected mesh of corporate IT, bringing with it significant security implications in organizations that are unlikely to have the skills and experience needed to handle them.

“Let’s take the example of another important, but insufficient control – patching,” Parnes said. “Patching zero-day vulnerabilities is essential to prevent attackers from using that vulnerability to attack your environment, but it is also important to remember that the vulnerability existed before disclosure occurred, and therefore attackers may already be in your environment. Cyber hygiene therefore is not enough – finding them requires proactive threat hunting and a readiness approach to ensure greater resilience to potential attacks.”

Given that being targeted by a cyberattack is all but certain, Parnes shared several strategies businesses can adopt to deal with the threat.

“The most important thing to do when organizations are breached, and the most challenging one, is to remove the inherent ‘fog of war’ by rapidly creating situational awareness across the different stakeholders,” he said.

Stakeholders should ask questions such as: “Which business processes are down and which continue to operate, which data was compromised and to what extent, and what type of access does the attacker have?” According to Parnes, these questions are key to accurate decision making and mounting an effective response to the attack.

“Actions such as shutting down systems, informing customers or regulators, or making a ransomware payment are strongly influenced by the answers to such questions,” he said “A fast, efficient, and effective forensic investigation, and a structured and focused crisis management process are key for creating situational awareness and making the right decisions rapidly. “

When an organization is breached, Parnes advised that leadership should immediately open a “war room” and quickly define roles and responsibilities, communication channels, and operational tempo. Afterwards, they should initiate a forensic investigation focused on providing the information needed for the different stakeholders to make decisions and act.

He then recommended to focus on the following four components: putting in place an incident response plan, which defines the processes and procedures for managing such a crisis in advance; running table-top exercises to test and improve these plans; collecting and storing logs and forensic evidence in advance; and having a capable investigation team (internal or external) ready to hit the ground running.