Zurich outlines the cyber framework all businesses should be utilising

For Zurich’s cyber risk engineering global practice leader, Philipp Hurni (pictured), cyber risk management is essentially the red line that links together his multi-faceted career. Throughout his time within the insurance sector, he has seen the development of cyber risk and watched as this has developed as a key consideration for businesses. Cyber risk generally tends to be less understood by insurers than other, more traditional risks, such as fire or flood, as it is still a relatively new risk, he noted, and thus there are still a great many contributions which can be made to help generate a better understanding of this complex topic.

Cyber risk engineering is a discipline in insurance which essentially has a two-fold mandate, Hurni outlined - firstly to support the underwriting function of the business, and secondly to support the insureds by providing advisory services with respect to risk mitigation.

“With all businesses moving, at least partly, to a digital business model, cyber risk has evolved from an operational IT risk to a business risk, and hence requires the full spectrum of risk management methods. This does not only include cyber risk mitigation but also risk transfer,” Hurni said. “In the same way as companies will not say, ‘OK, now we have sprinklers and smoke detectors, we don’t need insurance’, with cyber you need an entire arsenal of instruments in order to cope with the increasingly harmful nature of cyber risk.”

As the leader of Zurich’s cyber risk engineering practice, Hurni has a birds-eye view of the impact of the coronavirus (COVID-19) pandemic. There is an observable uptick in the level of reported cyber incidences in the Press and in threat intelligence feeds, he said, and cyberattackers are using COVID-19 as a theme for both targeted and un-targeted cyber attacks.

 “COVID-19 gives them a good topic as people are paying attention,” he said. “People are much more likely to open attachments and click on links in emails and other channels which might be camouflaged as updates on the virus, updates on work conditions or other relevant information. These days, people are less prudent when they receive such messages because they want to be on top of such things. Cyberattackers know this and use these circumstances to their advantage.”

Another concern is higher attack activity during this time, Hurni noted, with cyberattackers targeting certain companies as they know there is an increased likelihood that these companies will pay a ransom. Hospitals, for example, are already struggling to manage the influx of patients caused by the pandemic, he said, and when an IT environment is not functioning due to a cyberattack, rather than trying to fix the damage with IT recovery processes, it is more likely that a ransom will be paid in a bid to continue operations.

Hurni outlined how the NIST cybersecurity framework developed by the US National Institute for Standards and Technology has evolved into a de facto standard within the cyber security sector, outlining how organisations can best manage cyber risk. Zurich makes use of this framework for its cyber risk engineering processes as well, and the framework also provides concrete answers for organisations to cope with the ransomware threat. The five governing functions of this framework are:

• Identify: Organisations must understand in which business processes a cyberattack can hurt them, and where their vulnerable information systems are so that the right controls can be implemented for these business-critical systems.
• Protect: Businesses must determine adequate protection measures to protect the assets identified as most critical and implement the appropriate safeguards, to decrease likelihood of breach and to limit or contain the impact of a potential cybersecurity event.
• Detect: Organisations should have controls in place to identify cyber security events (i.e. intrusion attempts) before they cause tremendous harm and adopt continuous monitoring solutions to detect threats to operational continuity.
• Respond: Should an attack occur, organisations must have the ability to swiftly react, contain the impact and should, therefore, have a response function in place to deal with any fallout from such an event.
• Recover: In the case of a ransomware attack, there should be standard operating procedures in place to facilitate recovery from the attack and this recovery plan should ensure any capabilities or services that were impaired due to the event are restored completely.

There’s no such thing as a holy grail or a single control to protect an organisation from ransomware, which is a very complex type of risk that requires a multi-faceted response, Hurni said. Simply focusing on protection is not enough, he outlined, as it is only a matter of time until an attack is successful. Companies are the best prepared, he said, if they also prepare for what will occur and how the organisation would react when an event happens.

When talking about risk, the terms ‘likelihood’ and ‘severity’ are often used, he said, and the severity of a cyber event has been heightened by the drastic increase in the digital dependency of businesses. If an attacker has breached a business perimeter, the damage potential is ever-increasing due to the rising level of digitisation of business processes in so many industries these days.

“To make sure that this damage can only have limited impact, companies must prepare for the attack and expect the worst. They are best advised to develop response and recovery plans, and test these plans with relevant stakeholders and be well prepared,” he said, and added: “Businesses need to strive for resilience and have – wherever possible - alternative production methods in place. Business continuity planning is playing an ever more important role. This resilience piece is becoming more and more critical because you cannot count on being able to prevent all attacks, and, with planned and well-tested resilience, should an attack be successful, you could significantly dampen the severity of the attack’s impact.”