Striking the right balance between IT security, risk management and cyber insurance
"In another example, a custom-built application relied on an old version of Apache Log4J for logging, and the updates to Log4J did not support data in the same way. There was no budget for this application to be rebuilt at the time..."
Only 19% of cyber leaders feel confident that their organisation is resilient against attacks, as reported by Accenture and the World Economic Forum. Desperate to combat this and have a Plan B in case threat actors succeed, organisations use cyber insurance as a way to fund recovery operations.
GlobalData estimates that the cyber insurance market will be worth more than $20 billion annually by 2025 due to the accelerated need to fill the gaps and cover potential costs associated with a breach.
Despite this growing investment, the cyber insurance sector is yet to fully mature. When cyber insurance was first introduced, it was seen as a safety blanket, providing cover under any circumstance for everything linked to a breach. Over the past few years, this view has drastically shifted due to the sheer number of successful attacks that have taken place. Prices for cyber insurance rose by 54% in 2022 (according to Marsh), on top of price increases of 133% in 2021. The level of coverage has now also dropped, with recent guidance from Lloyds of London stating that insurance policies should not cover nation-state attacks from March 2023.
See also: New Lloyd’s of London cyber insurance exclusions land amid “a certain amount of panic”
The impact of this new attention and shift in interest around cyber insurance, plus the complexity of managing risk, is that IT security has become significantly more difficult to manage than before.
So how can cybersecurity leaders respond and work with cyber insurance providers to improve their situation?
Rather than looking at every piece of cybersecurity and risk in silos, every pillar must be considered together: people, process, technology and cyber insurance. Most importantly, all these pillars must adapt together to the rapidly changing circumstances that companies face daily.
Improving overall results around risk and cybersecurity
Security teams rely on technology, from simple tools for analysis to full sets of products and solutions that can detect problems, recommend actions and prevent issues. While technology plays a significant role, the success and impact of the tools deployed rely on processes and people to work effectively. To most effectively manage your organization's risk, processes must be constantly evaluated to translate strategy and investments into actions.
While this evaluation provides direction on strategy, it also brings to light the most pressing issues that need to be addressed. For example, your business may run critical applications that are difficult to update and maintain. I have witnessed one instance where an application is connected to capital-intensive hardware assets for manufacturing but can only run on a specific operating system that is now outdated. Replacing this hardware, which would be expected to run for many years, was not practical.
In another example, a custom-built application relied on an old version of Apache Log4J for logging, and the updates to Log4J did not support data in the same way. There was no budget for this application to be rebuilt at the time,so it was left behind as technical debt. In these types of circumstances, implementing mitigation processes was necessary to protect these systems.
Similarly, you will also have to consider how your teams operate. For instance, how you run your security operations centre will depend on your people and how they manage their workloads. They can have the best tools, but without the right training and support, you risk burning them out or critical events getting missed. This can lead to gaps in security potentially leading to a serious breach.
Cyber insurance is a part of your risk strategy
In today’s threat landscape, cyber insurance has become a necessary piece to this puzzle and the fourth pillar for risk management. Yet as the number of claims being made following breaches rises, cyber insurance providers are drastically changing policies, looking to reduce their potential exposure and cover less scenarios.
Rather than the widespread support that was available in the past, cyber insurance will provide resources for recovery but is linked to much more stringent security processes and preparation. Cyber insurance companies want to implement continuous risk monitoring and risk engineering services with their customers. This supports policyholders in mitigating newly identified exposures and security weaknesses throughout the policy period, following the old adage that prevention is better than cure.
As a cybersecurity leader, collaborating with cyber insurance providers can reduce costs and improve coverage. Demonstrating how your organization successfully implements and facilitates necessary security processes - like asset management, vulnerability management and patch deployment - flags that you have an effective strategy in place. It is the basis to show that you are less likely to succumb to simple security flaws, and that you are a less risky bet for insurance purposes.
In cybersecurity, hope is not a strategy. Today’s organizations - no matter the size or industry - must live by an “I’ve already been breached” mindset. Many organizations today focus solely on detection. However, if you are not discovering and remediating the risks in your environment, you will always be playing a game of catch-up with threat actors. But even with a fair balance of attention on these pieces, technology and people to be perfect 100% of the time. Organizations must also have a “Plan B,” which is where cyber insurance comes into play.
Today, all companies face the prospect of a potential security breach. By combining the four pillars of security - people, process, technology and most recently, cyber insurance - organizations can be more proactive in preventing issues, and have the correct resources in place to do damage control if needed.