The cyber framework that all businesses should be using – especially during the coronavirus crisis

Cyber risk engineering is a discipline in insurance which essentially has a two-fold mandate, Philipp Hurni, Cyber Risk Engineering Global Practice Leader at Zurich Insurance Group outlined - firstly to support the underwriting function of the business, and secondly to support the insureds by providing advisory services with respect to risk mitigation.

“With all businesses moving, at least partly, to a digital business model, cyber risk has evolved from an operational IT risk to a business risk, and hence requires the full spectrum of risk management methods. This does not only include cyber risk mitigation but also risk transfer,” Philipp Hurni said. “In the same way as companies will not say, ‘OK, now we have sprinklers and smoke detectors, we don’t need insurance’, with cyber you need an entire arsenal of instruments in order to cope with the increasingly harmful nature of cyber risk.”

Philipp Hurni has a birds-eye view of the impact of the coronavirus (COVID-19) pandemic. There is an observable uptick in the level of reported cyber incidences in the Press and in threat intelligence feeds, he said, and cyberattackers are using COVID-19 as a theme for both targeted and untargeted cyber attacks.

“COVID-19 gives them a good topic as people are paying attention,” Philipp said. “People are much more likely to open attachments and click on links in emails and other channels which might be camouflaged as updates on the virus, updates on work conditions or other relevant information. These days, people are less prudent when they receive such messages because they want to be on top of such things. Cyberattackers know this and use these circumstances to their advantage.”

Another concern is higher attack activity during this time, Philipp Hurni noted, with cyberattackers targeting certain companies as they know there is an increased likelihood that these companies will pay a ransom. Hospitals, for example, are already struggling to manage the influx of patients caused by the pandemic, he said, and when an IT environment is not functioning due to a cyberattack, rather than trying to fix the damage with IT recovery processes, it is more likely that a ransom will be paid in a bid to continue operations.

Philipp Hurni outlined how the NIST cybersecurity framework developed by the US National Institute for Standards and Technology has evolved into a de facto standard within the cyber security sector, outlining how organizations can best manage cyber risk. Zurich makes use of this framework for its cyber risk engineering processes as well, and the framework also provides concrete answers for organizations to cope with the ransomware threat. The five governing functions of this framework are:

• Identify: Organizations must understand in which business processes a cyberattack can hurt them, and where their vulnerable information systems are so that the right controls can be implemented for these business-critical systems.
• Protect: Businesses must determine adequate protection measures to protect the assets identified as most critical and implement the appropriate safeguards, to decrease likelihood of breach and to limit or contain the impact of a potential cybersecurity event.
• Detect: Organizations should have controls in place to identify cyber security events (i.e. intrusion attempts) before they cause tremendous harm and adopt continuous monitoring solutions to detect threats to operational continuity.
• Respond: Should an attack occur, organizations must have the ability to swiftly react, contain the impact and should, therefore, have a response function in place to deal with any fallout from such an event.
• Recover: In the case of a ransomware attack, there should be standard operating procedures in place to facilitate recovery from the attack and this recovery plan should ensure any capabilities or services that were impaired due to the event are restored completely.

There’s no such thing as a holy grail or a single control to protect an organization from ransomware, which is a very complex type of risk that requires a multi-faceted response, Philipp Hurni said. Simply focusing on protection is not enough, he outlined, as it is only a matter of time until an attack is successful. Companies are the best prepared, he said, if they also prepare for what will occur and how the organization would react when an event happens.

When talking about risk, the terms ‘likelihood’ and ‘severity’ are often used, he said, and the severity of a cyber event has been heightened by the drastic increase in the digital dependency of businesses. If an attacker has breached a business perimeter, the damage potential is ever-increasing due to the rising level of digitization of business processes in so many industries these days.

“To make sure that this damage can only have limited impact, companies must prepare for the attack and expect the worst. They are best advised to develop response and recovery plans, and test these plans with relevant stakeholders and be well prepared,” he said, and added: “Businesses need to strive for resilience and have – wherever possible - alternative production methods in place. Business continuity planning is playing an ever more important role. This resilience piece is becoming more and more critical because you cannot count on being able to prevent all attacks, and, with planned and well-tested resilience, should an attack be successful, you could significantly dampen the severity of the attack’s impact.”

By Philipp Hurni, Cyber Risk Engineering Global Practice Leader at Zurich Insurance Group, published online by Insurance Business UK on May 4, 2020