With the spate of cybercrime and the spike in ransomware incidents in 2020, CXOs and board members in every organization have cyber risk on their agenda regularly. A single ransomware incident could threaten the very existence of some organizations and put a significant dent in the bottom line of others. Chief Risk Officers are crafting plans to reduce and mitigate this risk at mission-critical speed. One thing is pretty clear: you don’t have a defense if you don’t have a well-thought-out strategy. I am not saying that having a good strategy will prevent you from falling victim to ransomware, but it can significantly reduce the risk, and if an incident does happen, it reduces the impact on your bottom line as well.
The first thing anyone would think is that cyber/breach protection insurance is there to protect us. And you are not wrong: cyber insurance is there to protect you. However, I’d like to draw your attention to changes happening in the insurance industry that could significantly impact you and the software vendors who hold your sensitive PII data.
Insurance companies are looking at this new niche, which has gained momentum in the last few years. The pace at which the cyber insurance market is growing is staggering. This is driven by the increase in cyber attacks in recent times and by a sharp increase in the number of companies purchasing cyber insurance. Companies still do not know how much coverage to plan for, because they do not know what a payout would look like for them. The range is very wide. Recent reports of known incidents indicate that the highest payout was $4.5 million for CWT and that the largest ransomware demand stands at $30MM.
Risk is a function of the amount of loss multiplied by the probability of that loss. Cyber risk is treated as high risk because the losses are large and the probability of occurrence is also very high. This is putting a lot of stress on insurers’ profitability, as the premiums they earn are not sufficient to cover all payouts. A mere 5 payouts can wash out the entire annual premium earned from 250 companies that each carry at least $200MM in insurance. This is leading to a different dynamic in the industry. The first change is an easy guess: insurance companies are increasing premiums. In a recent report, the annual increase in cyber insurance premiums (between 2020 and 2021) ranges between 35% and 40% due to the increased severity and frequency of demands. Unlimited cyber insurance will cost even more. The software vendor who sells software to you also sells it to hundreds of other customers, and every customer has an insurance clause as a requirement in their MSA. Guess what: the vendor will not pay the premium out of his own pocket, so where is he going to recoup that cost? From the customer, of course. The cost of your software and support will also rise with the rise in premiums. The day is not far away when vendors start to decline business over a customer’s demand for unlimited or higher cyber insurance. Insurers are also limiting their own exposure by putting a cap on the total claimable amount. It is not a sustainable proposition for anyone: not for the software vendor, not for the client, and not even for the insurer.
Cyber insurance is a relatively new niche market for insurers, with limited history on which to intelligently underwrite policies. The increased risk of demands has a dual effect: it shrinks insurers’ profits, but it could also propel more companies into buying cyber insurance. However, insurers and reinsurers are wary of extending coverage, knowing that cyber threats are growing and will continue to grow at a rapid pace. Insurers are also having serious doubts about whether they will ever be able to make money from the cyber insurance market, driving them to invest in more stable markets such as real estate and car insurance.
What are my options?
It is now an established fact that insurance coverage may not cover your total loss. You also do not want a good software vendor to back off because you couldn’t come to terms on the amount of cyber insurance.
I suggest the BEDURAF strategy. I know you have never heard this term before, because I just made it up while writing. BEDURAF stands for nothing but BEfore, DURing, AFter. What can you do before, what can you do while the event is occurring, and what can you do after?
Think of this as your core cyber security strategy and invest 90% of your time here. Without a planned approach, you’ll be as vulnerable as a three-legged deer in front of a predator. I am not a technical expert, but I can suggest from my experience that having the following things in place will give you confidence in warding off imminent and future cyber threats.
1. Set up or outsource an MSSP/SIEM service that monitors security events 24x7, applies analytics to isolate real threats proactively, and remediates them.
2. Hire third parties to do penetration testing.
3. Scan your technology environment for vulnerabilities that could be exploited.
4. Upgrade every version, patch every hole. Have a formal currency program.
5. Implement solutions to monitor incoming and outgoing traffic, identify anomalies, and investigate them. Differentiate between good traffic and bad traffic.
6. Back up everything, on DR sites, tape drives, and other storage media types.
7. Secure privileged access, and grant write access only where it is required.
8. Enforce a zero trust policy, even on the patches you get from trusted vendors.
9. Do have a cyber insurance package, and offer to share insurance costs with your software and hardware vendors to increase the coverage.
10. Have strong antivirus, anti-malware and anti-ransomware tooling, and a strong firewall.
11. Enforce a strong password policy, and have a formal cyber security training program to educate employees on the importance of being alert at all times and reporting suspicious behavior. Spread awareness.
12. If you don’t have one yet, set up a technology team dedicated to cyber security.
13. Keep a list of ransom payout negotiators ready.
If you do become the unfortunate victim, don’t panic. Assess the situation: what is the damage, do you have backups you can recover from, what kind of data is lost, do you anticipate lawsuits from regulators and customers, and what happens if you don’t pay? Remember that in many cases, even after the payment was made, the data could not be fully recovered or the decryption key did not work. After you assess the whole situation, if you feel that you have no choice but to pay, then negotiate. There is evidence that companies were able to negotiate the cost down. If you don’t know how to negotiate, hire a negotiator from the list (point 13 above).
Hackers are becoming increasingly creative, and you have to stay one step ahead. A strong cyber security defense requires constant vigilance and a commitment to keeping the network and technology assets secure. Consistently invest in upgrading the first line of defense. Continue to educate employees on cyber risks and their responsibilities. Get board commitment to help with this endeavor. Focus on continuous improvement.
We need to stand together as a community against cyber crime, as it affects not just corporations but everyone. I still wonder how many people are not aware of the risks and still click on that malicious link. If people are more aware and know how to avoid common mistakes, it will be the hackers who are under stress. Not us!!