Mitigating cyber risks – what can be done?

Mitigating cyber risks – what can be done? | Insurance Business

Ransomware attacks are headline news almost daily. Victims continually face the dilemma of choosing between paying the ever-higher ransom demands, or prolonging the disruption while they race to recover their data. The consequences of a ransomware attack are not just about monetary losses, and neither is the solution. Ransomware is rampant and affecting the lives of everyday Americans as personal data is stolen, jobs and livelihoods are disrupted, and personal safety is put at risk. What can slow this trend? According to experts at Resilience, a provider of cyber insurance and security solutions to middle-market organizations, the solution can be a human one.

“When we talk about cyber risks in general and ransomware in particular, it’s all about behaviors,” says Vishaal Hariprasad, chief executive officer of Resilience. “My time as a cyber warfare officer [in the US Air Force] taught me that cyber threats really come down to human beings deliberately creating crimeware. Cyber criminals continue to exploit new vulnerabilities, which means that their targets should constantly change the behaviors that keep them vulnerable. As a defender, in or out of uniform, I want to help affect behavioral changes.”

Hariprasad, more commonly referred to as “V8” (his military buddies likened his enthusiasm for problem-solving to a high-performance engine always revving), believes cyber defenses must innovate and adapt.

“I talk to CISOs (chief information security officers) all the time,” he said. “Security strategies used to be about organizations building as wide a moat as they could and staying behind their walls. That doesn’t work anymore. What’s needed today is continuous defense, instead of ‘set it and forget it.’”

Cyber criminals are getting bolder in their demands, with ransoms going up, but they have not really innovated their tactics, Hariprasad says. Cyber criminals haven’t had to, because so many organizations continue to leave vulnerabilities unaddressed.

“People are very concerned about the impact of ransomware, but they’re not shifting their behavior to defeat attacks. Nine times out of 10, attacks succeed because the victims didn’t pay attention to the basics, such as unpatched vulnerabilities or leaving multi-factor authentication off.”

This is where cyber insurance offers a valuable solution to mitigate risk, Hariprasad noted.

“Insurance does a great job of pricing behavioral risk – it offers an incentive to improve your risk profile,” he says. “At Resilience, we want to align incentives to reward clients with positive cyber risk behavior and provide them with a clear map of actions to achieve meaningful risk transfer. Our data science and security teams are constantly looking at vulnerabilities in the wild and monitoring how bad actors are testing attack methods on the dark web. When we find something, we alert clients and recommend specific actions. Working with agents and brokers, we can develop a relationship where we continuously help clients stay ahead of emerging risks.”

Michael Phillips, chief claims officer at Resilience, added that “cyber insurance helps organizations recover from an incident, but it also promotes best practices. Insurance is a mechanism that can bend the curve of whatever the risk may be.”

Lately, the major risk in cyber is ransomware, which is one reason Resilience joined the Institute for Security and Technology’s Ransomware Task Force. The task force, which is composed of more than 60 experts from the public and private sectors, recently released a comprehensive framework for combating ransomware. The framework is based on four themes: deter, disrupt, prepare, and respond to attacks.

Phillips, a co-chair of the task force, noted that some people argue the existence of cyber insurance is encouraging ransomware attacks. He disputed that notion, stating “cyber insurance provides better preparation against attacks, identifies and sets standards for cybersecurity, and it incentivizes better behavior. Additionally, insurance has been a nexus of data on cyber events for the past 20 to 30 years. During that time, the insurance sector has paid hundreds of millions of dollars of ransomware losses, and it has a vested interest in deterring and disrupting attacks.”

Hariprasad sees health and wellness as a metaphor for how insurers and cyber security professionals will mitigate ransomware risks and help organizations become more resilient in the future.

“If you experience chest pain but don’t think you need to visit the hospital, for example, you don’t immediately call a cardiologist,” he said. “You’re more likely to consult a primary care physician initially, and, if necessary, have them refer you to a cardiologist with specialized expertise. At Resilience, we want to be that primary care physician for cyber issues: coordinating care and helping clients improve their cyber wellness to prevent emergencies with actionable advice.”

But things happen, and Resilience is also there to respond when you have an emergency. Their claims team is like an ER doctor, Hariprasad said.

“We want our clients to have that same trust in their cyber insurer, with one number to call,” he said. “The main threat won’t always be ransomware. In the future, it will probably be something else, but we will continue to help organizations stay healthy and cyber resilient.”