A matter of cyber risk management culture

Companies that can demonstrate a strong risk culture and robust cyber risk management– in particular around people and process- will be in the best position to purchase cyber cover and full limits.

People and processes are key to addressing cyber risks, including the growing problem of ransomware, according to Oliver Delvos, Global Cyber Underwriting Manager at Zurich Insurance Group

Cyber risk is growing more complex and challenging by the day. New technologies, the move to cloud services and the acceleration of digitization and remote working increase our reliance on technology and create new vulnerabilities. At the same time, the threat from cyber criminals and nation states grows ever larger, with paralyzing ransomware attacks, data breaches and outages.

Ransomware, in particular, has become a major problem. July started with a significant attack on Kaseya, affecting many of their customers worldwide. In May, the Colonial Pipeline ransomware attack caused one of the biggest critical infrastructure outages in recent history, temporarily shutting down a pipeline that delivers 45% of fuel supply to the US east coast. Recent ransomware attacks also include those against US meatpacking plants owned by JBS, the Irish healthcare system and Japanese technology firm Fujifilm.

People and process

Unfortunately, there is no ‘silver bullet’ technology solution to problems like ransomware. Technology is just one of the three pillars of cyber security, with people and process being equally important. Arguably, processes and corporate culture have a more significant impact on resilience than spending vast sums on technical solutions.

Analysis of cyber incidents consistently show the critical role that people and processes play in cyber attacks, large and small. According to Verizon’s 2020 Data Breach Investigations Report, 85% of data breaches involved a human element, with more than one in five incidents the result of a mistake made by an employee. Almost a quarter of data breaches involved social engineering, while one in 12 breaches are caused by a member of staff using information improperly, namely privilege abuse or ignoring access policies.

Back to basics

As a cyber insurer, we see many companies continue to miss the basics of good cyber hygiene. For example, some companies have yet to roll out multifactor authentication throughout the entire organization. Backing up critical assets off-site or having adequate privilege access controls in place, are other procedural basics. Interestingly, we still see regional differences in cyber security and risk culture, with adoption of best practices typically slower in Europe than the US.

Yet, these simple processes can make all the difference. The Colonial Pipeline attack, for example, was facilitated by a compromised password. Early this year, we observed that some companies had yet to implement security patches for a Microsoft Exchange Server vulnerability, weeks after critical vulnerabilities became public and emergency patches were available. Such situations are a race against time, where organizations must implement emergency procedures quicker than hackers can exploit newly discovered vulnerabilities.

Cyber risk culture

While ‘human error’ is often a driver for severe incidents, a strong cyber risk culture - with a focus on people and processes - can have a positive impact on business resilience. For example, good training and employee awareness campaigns can have a positive effect on reducing business email compromise and phishing attacks. People and processes are also critical to addressing the growing problem of ransomware, where tested incident response plans are critical.

Businesses cannot avoid ransomware or sophisticated targeted cyberattacks, but they can reduce the risk and mitigate the impact. Weak user credentials, phishing and improperly managed access controls make a ransomware attack more likely, while gaps in business continuity planning and disaster recovery will make attacks more severe.

However, organizations can mitigate the financial and reputational impact of a ransomware attack by ensuring they have up-to-date backups and that they regularly test disaster recovery plans. Crisis communication plans are also key to mitigation: How does the business intend to liaise with affected customers after a breach? How shall the collaboration with regulatory bodies work? Which statements are communicated when to the media?

Emerging technology risks

The two pillars of people and process are set to become even more relevant with the drive for digitization, new technologies and regulatory changes. A growing number of countries are implementing stringent data protection and privacy laws, while business continuity is also under increasing regulatory scrutiny, especially for financial services and critical infrastructure. In particular, cloud services typically see organizations outsource parts of the IT environment, yet ownership of data, and the associated liabilities, remain with the data owner.

In general, cyber risk management and governance has struggled to keep pace with advances in technology, even before Covid-19 accelerated the trend for digitization and remote working. Under the competitive pressure to adopt new technologies – such as artificial intelligence, biometrics, IoT and cloud computing – it is important not to lose sight of the people and process implications, as well as the technical elements of cyber security.

New technology will require evolving and flexible governance and risk management frameworks. For example, the use of ‘deep fake’ video and audio technologies could be used for social engineering, to commit fraud, or to gain access to personal information and protection systems. The growing use of the cloud and reliance on external IT services and vendors will require detailed governance and management frameworks. The recent attacks on Solarwinds and Kaseya are stark examples.

Risk management focus

As the cyber insurance market matures, insurers have increased their focus on cyber risk management and governance as part of the underwriting process. Companies that can demonstrate a strong risk culture and robust cyber risk management– in particular around people and process- will be in the best position to purchase cyber cover and full limits.

A number of insurers are also developing specialist cyber risk engineering services to help customers manage cyber risks and build resilience, including practical advice on people and process. For example, Zurich’s recently launched Zurich Resilience Solutions offers a range of risk management services for cyber, while Zurich Cyber Security Services, a strategic agreement with cybersecurity firm CYE, supports companies throughout their cyber security journey from assessment to remediation plan, accompanied by strategic consulting.

The importance of people and process in building cyber resilience cannot be over emphasized. These two pillars are at the heart of addressing growing cyber exposures, a point that can be overlooked among the excitement of new technologies and the dash for digitalization.

Originally published on Commercial Risk Online on July 26 2021.