In a highly interconnected world, cyber risks have emerged as one of the biggest threats all businesses have to deal with. Data breaches and cyberattacks are no longer in the realm of ‘if’ but, instead, a risk manager must think about what to do ‘when’ a cyber incident occurs.
A report titled “Advancing Cyber Risk Management: From Security to Resilience,” by global insurance services powerhouse Marsh & McLennan and cybersecurity firm FireEye, discussed a gap between the perception of cyber risk and the actions taken to manage it. The report found that despite growing anxiety about cyber threats, cyber resilience strategies and investments continue to lag.
Furthermore, between 2016 and 2018 the total cost of cybercrime grew by a third, to $600 billion, while investment in cybersecurity rose only 10% over the same period.
“Business executives are seeking business relevant insights and quantified economic exposure because of cyber risk in addition to the technological aspects of the cybersecurity program – which will assist in prioritization and future cyber strategy,” Leslie Chacko, director of transformative technologies at Marsh & McLennan, told Corporate Risk and Insurance. He added that concerns over data fraud and theft have been heightened among businesses, most significantly in North America and in East Asia and the Pacific.
According to Chacko, defence capabilities and risk management have been relatively slow to evolve and to respond to the accelerating aggressiveness and sophistication of cyberattacks. He also identified three common challenges that businesses face in building an end-to-end cyber risk management process. These are:
- Overcoming organizational inertia so that the business can focus on strategic cybersecurity and resilience goals rather than being distracted by short-term earnings
- A lack of clearly quantified risk acceptance, exposure and target state, leading to deficient decision-making
- The common misconception that frontline cybersecurity defence and insurance coverage are interchangeable rather than complementary
With regard to cyber insurance, Chacko believes that the industry is rapidly developing to meet the new and rising threat.
“Insurers and brokers are increasingly working with organizations to offer broader areas of coverage in response to the varied cyber risk exposures,” he said. “Moving forward, there will be greater access to more accurate claims data and loss trends with the maturing international cyber insurance markets, creating greater clarity of cover and policy tests for affirmative language.”
“Our recent conversations with organizations are also increasingly focused on addressing cyber insurance solutions for physical and other business losses stemming from cyberattacks,” added Naureen Rasul, Marsh’s head of cyber practice, Asia.
Dwell time – Asia’s weak point
One important concept discussed in the report is dwell time: the number of days an attacker is present in the victim’s network, measured from the first evidence of compromise to the point of detection. The report noted that dwell time fell considerably worldwide compared with 2017, but organizations in Asia-Pacific still had a median dwell time of 204 days, roughly seven months, about four months longer than the figure for the rest of the world.
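Because dwell time is defined from first evidence of compromise to detection, the metric is only as good as the forensic work that establishes the first-evidence date, and it should be reported as a median, since a single long-running intrusion drags the mean up. The following is an added example, not code or data from the report: it computes per-incident dwell time from constructed case records (hypothetical dates, not FireEye figures), reports median and mean per region, excludes intrusions that have not yet been detected, and rejects timelines in which detection precedes first evidence.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    case_id: str
    region: str
    first_evidence: date      # earliest forensic evidence of attacker presence
    detected: Optional[date]  # None while the intrusion is still undetected / ongoing


def dwell_time_days(inc: Incident) -> Optional[int]:
    """Days from first evidence of compromise to detection (the report's definition).

    Returns None for incidents that have not yet been detected, so they do not
    understate the statistic. Raises if detection precedes first evidence: that is
    either a data-entry error or a first-evidence date that forensics has since
    pushed earlier, and the record should be corrected rather than averaged in.
    """
    if inc.detected is None:
        return None
    delta = (inc.detected - inc.first_evidence).days
    if delta < 0:
        raise ValueError(f"{inc.case_id}: detection precedes first evidence")
    return delta


def dwell_time_by_region(incidents: List[Incident]) -> Dict[str, Dict[str, float]]:
    """Median and mean dwell time per region, over detected incidents only."""
    by_region: Dict[str, List[int]] = {}
    for inc in incidents:
        d = dwell_time_days(inc)
        if d is not None:
            by_region.setdefault(inc.region, []).append(d)
    return {
        region: {"n": len(days), "median": median(days), "mean": round(mean(days), 1)}
        for region, days in by_region.items()
    }


# Constructed sample cases (hypothetical data for illustration, not report figures).
SAMPLE = [
    Incident("C-01", "APAC", date(2018, 1, 10), date(2018, 8, 2)),    # 204 days
    Incident("C-02", "APAC", date(2018, 3, 1), date(2018, 5, 30)),    # 90 days
    Incident("C-03", "APAC", date(2018, 2, 14), date(2019, 1, 20)),   # 340 days
    Incident("C-04", "APAC", date(2018, 6, 1), None),                 # still undetected
    Incident("C-05", "EMEA", date(2018, 4, 5), date(2018, 5, 1)),     # 26 days
    Incident("C-06", "EMEA", date(2018, 7, 9), date(2018, 9, 20)),    # 73 days
    Incident("C-07", "EMEA", date(2018, 9, 1), date(2019, 5, 28)),    # 269 days, long-tail outlier
]

if __name__ == "__main__":
    for region, stats in sorted(dwell_time_by_region(SAMPLE).items()):
        print(f"{region}: n={stats['n']} median={stats['median']}d mean={stats['mean']}d")
```

In the constructed data the EMEA mean is pulled well above its median by one outlier, which is why median is the usual headline figure; the undetected case C-04 is left out rather than counted as zero dwell time.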
Chacko identified several factors that affect dwell time: the sophistication and motivation of the attacker, the type of attack and the tactics used, the internal cybersecurity capabilities of the targeted organization, the skill level of its security team, and collaboration with trusted peers, product vendors and law enforcement to build knowledge of attacker activity in its industry segment.
“The more effective an organization is in these elements, the more it can reduce dwell time for cyberattackers,” he said. “Global regulations like the GDPR in Europe and Sarbanes-Oxley in the US (and others) have pushed organizations to improve their cyber maturity faster than organizations that have lesser regulatory requirements. Those global regions with more prescriptive data protection requirements reflect improvements in areas like lower dwell time.”
Risk managers must build resilience
Chacko said that “risk managers must bear in mind that fundamental security controls and capabilities are essential to prevent breaches or minimize the damages and consequences of an inevitable compromise. All organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and recover from the disruptive attacks.”
Cyber resilience, he said, is a result of an end-to-end cyber risk management process composed of three important aspects: understanding risks by providing a cyber context within a business perspective, measuring risks by quantifying the financial impact of cyber exposures, and managing risks by formulating actionable steps to secure, insure, and recover cyber assets.
“Ultimately, cybersecurity is a programme of people, technology and processes designed to protect, detect, respond, and recover from an array of cyber obstacles and adversaries,” Chacko said. “In its pure form, ‘resilience’ is the outcome of an effective cyber risk management programme.”
“In some cases, organizations have only addressed the technical aspects of their cybersecurity programme. Moving forward, organizations need to address the business and financial aspects of cyber risk in addition to the technical components.”