The frequency and severity of cyber attacks have steadily intensified in recent years. Boosted by increasingly sophisticated tactics and the use of cutting-edge technology, malicious actors have prospered. In addition to the threats posed by cyber criminals, companies also face regulatory challenges. Maintaining compliance in a landscape where there is no universal standard across jurisdictions for data privacy and protection requires multinational companies to remain nimble. The process can be expensive and time consuming. Our experts Don Heckman and Jack O'Meara share their insights on cybersecurity and risk management with Financier Worldwide Magazine.
How would you summarize today's cyber risk environment? What new risks have emerged in the past 12-18 months?
From a risk impact perspective, the environment remains the same, but the frequency of attacks has increased dramatically. Cyber criminals are still using phishing, ransomware and watering hole attacks to compromise their victims. The lack of patching, insecure IT platform configurations and untrained personnel continue to leave organizations' cyber attack surfaces vulnerable to cyber criminals. Just as cyber defenders are leveraging artificial intelligence (AI) and machine learning (ML) to improve cyber security defenses and detect malicious behavior quickly, cyber criminals are using AI and ML to create more sophisticated cyber attacks while avoiding detection. As a result, ransomware attacks will continue to increase, the IT product supply chain will continue to be targeted and compromised, and a new focus on cryptocurrency exchanges will likely emerge.
What demands are data privacy laws placing on companies in the US to implement security measures and follow notification requirements? How challenging is it to maintain regulatory compliance?
Maintaining regulatory compliance can pose significant challenges to companies, given there is no uniform global privacy standard. Companies must stay abreast of, and ensure compliance with, the often-disparate laws and regulations in every country where they operate. The US adds additional complexity with no single national privacy law, but rather a combination of disparate federal and state laws. These tend to focus on the type of data, such as health or credit data, or on a specific population segment, such as students, children, and so on. Without a uniform and prescriptive privacy standard, companies are struggling to ensure compliance, ultimately increasing the cost of privacy programmes. While large companies can more easily absorb increased privacy programme costs, smaller companies may sacrifice investment and innovation funding. In 2019, a report prepared for the California attorney general's office estimated that the California Consumer Privacy Act (CCPA), which went into effect on 1 January 2020 and is one of the more comprehensive privacy laws in the US, would cost California companies $55bn in aggregate to comply with.
Would it be fair to say that, in general, organizations are still not up to speed on detecting security breaches and privacy risks quickly enough?
According to IBM Security's 'Cost of a Data Breach Report 2021', the average time to identify a breach in 2021 was 212 days and the average time to contain a breach was 80 days. This would indicate that many organizations are still not performing even basic IT cyber security hygiene, such as asset management, configuration management, patching, vulnerability management and security awareness and training. The lack of these processes and policies is a root cause of many major cyber attacks over the past two decades.
What steps should companies take to establish appropriate processes and policies to manage cyber-related risks and keep systems safe?
Implementing a holistic cyber security programme using defence-in-depth, combined with a zero-trust framework, is the best way to keep systems and data safe. A thorough set of IT cyber security hygiene processes is critical to any cyber security programme. Every user should be required to use multifactor authentication. Privileged access management should be implemented to provide only those job or account privileges that are essential to performing their intended function. All assets should be securely configured and monitored to ensure they are running the most current and patched software. Finally, as most breaches are a result of human error, companies need to build an enterprise-wide cyber risk-aware culture.
How are insurance providers enhancing their cyber insurance solutions to meet market demands and help companies manage the downside?
Given the exponential growth in ransomware attacks, cyber insurance is becoming more expensive, demanding that companies implement and maintain more robust cyber security programmes. The burden of proof to demonstrate sustained compliance with required security controls has shifted from the insurance companies to the insured. Finally, several cyber insurance companies have signaled they will no longer pay ransoms but will only cover the direct cost of business impact and recovery.
What considerations should companies make when evaluating cyber insurance coverage, including pricing, policy provisions and exclusions?
Before evaluating insurance coverage, companies need to understand their cyber risks. Companies are using outdated, unreliable approaches to cyber risk management. These approaches are proving insufficient, resulting in recent high-profile breaches. Companies must start quantifying cyber risk to truly understand the potential business risk and associated financial losses. Using cyber risk quantification techniques enables companies to identify cyber risks, estimate their financial impact, and evaluate how this impact might be offset by financial controls, including risk transfer to the appropriate cyber insurance, taking into account pricing, provisions and exclusions.
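The quantification step described in this answer, and the policy exclusions mentioned in the previous one (insurers declining to pay ransoms), can be sketched as a small Monte Carlo model. This is an added illustration, not a method from the interview or from the interviewees' firm: it assumes Poisson event frequencies, lognormal per-event losses fitted to an analyst's 5th/95th percentile estimates, and a policy with a per-event deductible, limit and one excluded loss type; all scenario numbers are constructed.

```python
# Added illustration (not the interview's method): Monte Carlo loss model with an assumed deductible/limit/exclusion policy.
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    events_per_year: float  # expected frequency (analyst estimate)
    loss_p05: float         # 5th percentile of per-event loss, USD
    loss_p95: float         # 95th percentile of per-event loss, USD
    excluded: bool = False  # True if the policy does not cover this loss type

def apply_policy(loss, deductible, limit, excluded=False):
    """Split one event's loss into (retained, covered) under the policy."""
    if excluded:
        return loss, 0.0
    covered = min(max(loss - deductible, 0.0), limit)
    return loss - covered, covered

def sample_event_count(lam, rng):
    """Poisson-distributed event count (Knuth's method, fine for small lambda)."""
    n, p, threshold = 0, 1.0, math.exp(-lam)
    while True:
        p *= rng.random()
        if p <= threshold:
            return n
        n += 1

def simulate(scenarios, deductible, limit, years=20000, seed=7):
    """Return (mean gross annual loss, mean retained annual loss) in USD."""
    rng = random.Random(seed)
    gross_total = retained_total = 0.0
    for _ in range(years):
        for s in scenarios:
            # Lognormal severity fitted to the 5th/95th percentile estimates.
            mu = (math.log(s.loss_p05) + math.log(s.loss_p95)) / 2
            sigma = (math.log(s.loss_p95) - math.log(s.loss_p05)) / (2 * 1.645)
            for _ in range(sample_event_count(s.events_per_year, rng)):
                loss = rng.lognormvariate(mu, sigma)
                gross_total += loss
                retained_total += apply_policy(loss, deductible, limit, s.excluded)[0]
    return gross_total / years, retained_total / years

# Constructed scenario estimates for illustration only.
SCENARIOS = [
    Scenario("phishing-led data breach", 0.4, 50_000, 2_000_000),
    Scenario("ransomware recovery", 0.2, 200_000, 5_000_000),
    Scenario("ransom payment (policy exclusion)", 0.1, 100_000, 1_000_000, True),
]
```

Calling `simulate(SCENARIOS, deductible=100_000, limit=2_000_000)` returns the expected annual loss before insurance and the part the company still retains; comparing that retained figure across candidate deductibles, limits and exclusions is the pricing question the answer describes.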
Going forward, do you expect cyber risk management will continue to climb the boardroom agenda as a major issue?
Cyber risk management will continue to climb the boardroom agenda if cyber attacks continue to be successful and pervasive. Given the high-profile ransomware attacks across the globe, many countries, including the US, have enacted, or are in the process of creating, new cyber security requirements and privacy regulations, such as the US Executive Order on Improving the Nation's Cybersecurity in May 2021. These new regulations put the onus of ensuring compliance and accountability for cyber risk on the C-suite. This makes it critical for cyber security executives to communicate cyber risk in terms of potential business impact to garner the attention of company executives - this information must enable the C-suite to make actionable and informed decisions. To do so, cyber security executives must be able to quantify the potential impact of cyber risk; with that, security leaders will have the information they need to demonstrate potential incident impact to leadership, including financial and reputation damage and legal repercussions.