Author: Brandy Wityak, Vice-President, Cyber Security
Cyber insurance can be invaluable if your firm suffers a cyber attack, but an effective cyber security strategy starts with the belief that prevention is always better than cure.
In today’s world, an organisation’s data is inseparable from its business. Protecting data is critical to safeguard the business.
Risk and security advisors across the UK took careful note when the UK’s National Cyber Security Centre (NCSC) issued its first-ever detailed guidance for organisations considering cyber insurance cover.[1] Organisations have been understandably tempted to lean heavily on insurance to transfer risk associated with cyber incidents, such as a cyber-attack which shuts down its operations, or a data breach where sensitive data is stolen or leaked to the public. The decision to invest in cyber insurance to mitigate cyber risk is important but it is crucial to first evaluate your exposure and the other forms of risk mitigation that should also be in place.
A cyber-related crisis or criminal act is likely to have an extensive impact, including business disruption, customer damages, reputational hits, and legal and regulatory exposure. Taking a strong proactive position often requires more than transferring the risk to an insurer or setting aside financial reserves.
Have the doors been left unlocked to cyber-attackers?
Of the seven questions the NCSC advises organisations to consider, it’s no surprise that the first asks: “What existing cyber security defences do you already have in place?”. Further, they remind organisations to carefully consider a wide variety of controls – technical, procedural, and human – and that these may reside amongst different stakeholders, including third-party outsourced providers. As the NCSC states: “Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”
When it comes to cyber security, there may be relatively few hard and fast rules, but the NCSC advises that organisations act in line with their own priorities and key requirements:
“It is important for you to identify what within your organisation needs protecting the most (your ‘crown jewels’), and to also identify any scenarios that must not happen. Do not limit yourself to meeting the minimum cyber security requirements specified by an insurer; these might not adequately protect the things your organisation cares about.”
Accordingly, businesses should:
- Identify what your organisation needs to protect the most (the “crown jewels”). This depends on your organisation and includes data and the systems storing it. For a law firm, this might be where privileged communications with clients occur; for a vaccine manufacturer, it could be their operations technology in the factory.
- Identify any cyber incident “scenarios” that must not happen. Again, this will vary according to the organisation, and monitoring the types of incidents experienced by your peers (whether crippling ransomware attacks or “phishing” targeting employees) can be useful. What could happen that would stop you operating or could harm your reputation irreparably?
- Gather information and adapt your cyber risk strategy. Identify technical, procedural and human security controls and develop a cyber risk strategy that places your “scenarios” and “crown jewels” at its heart.
Cyber attackers are acting strategically – so should you.
The return on investment of reducing the likelihood of a cyber incident and helping to ensure compliance with data protection requirements makes the allocation of resources to these actions a straightforward business decision. This may ultimately create a saving for the organisation and protect its position in the long run.
While data on losses and damage relating to cyber incidents might not be as extensive as it is for other forms of loss, cyber incidents are on the rise in 2020, with many of the tactics and themes leveraging the global coronavirus pandemic.[2] Here are some key trends we see as evidence:
- The growing trend of digitisation and reliance on data and technology to drive business. Pandemic-related remote working has increased security vulnerabilities, as organisations have had to quickly onboard or reconfigure arrangements with third parties, which has opened up new risks in the supply chain.[3] Also, attackers are learning how to profit from different types of data, not just personal data used to commit identity theft. They are intercepting money transfers, stealing sensitive commercial strategy and intellectual property, and running extortion schemes.
- Attackers are developing more sophisticated business models to monetise and profit from exploiting technical and human vulnerabilities. Some of the more common attack vectors, such as business email compromise (BEC) or ransomware attacks, are being launched at scale, not merely targeting specific organisations. For instance, attackers are using the pandemic-related shift to remote working to scan for exploitable vulnerabilities in some of the common VPN/remote access tools across any organisation that uses these solutions. The tools to launch attacks (“malware”) have also become commoditised, easy to access and buy online, and their developers are creating commercial incentives for attackers to distribute them widely.
Organisations can counter the attackers’ strategy with their own. Understanding the key cyber threat scenarios helps to ensure a good return on investment for cyber security measures and improvements – organisations may find themselves in a position where losses are uninsurable because they haven’t kept up to date with security. Cyber security investments can include:
Technology & Tools Investment: Tools and technology are constantly changing, with rules and regulators adapting requirements accordingly. Something that may have been costly and forward-thinking a couple of years ago – and potentially not proportionate for most organisations – may be moving close to a standard. For example, next-generation Endpoint Detection & Response (EDR) tools are gaining prominence over and above traditional anti-virus tools, and their absence has been cited by regulators as a basis for fine calculations. Another area of growing focus is data logging and retention, and active monitoring of outliers in user and access activity against historical trends. Investment in these measures should be considered in alignment with an organisation’s own risk appetite and key threat scenarios.
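The “monitoring of outliers in user and access activity against historical trends” mentioned above is the one point on this page that lends itself to a concrete illustration. The following is an added example, not code from the original article or from any product it mentions: it builds a per-user baseline (countries and login hours seen in successful logins before a cutoff date) from a few constructed authentication log lines, then flags later logins that fall outside that baseline. The log format, the one-week baseline window and the one-hour tolerance are assumptions chosen for the illustration; a real deployment would use much longer history, richer attributes (device, ASN, MFA method) and a proper log source.

```python
"""Baseline-versus-outlier check over constructed authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real data. Assumed format:
# <ISO-8601 UTC timestamp> <user> <source country> <success|failure>
SAMPLE_LOG = """\
2020-09-01T08:12:03Z alice GB success
2020-09-02T08:40:11Z alice GB success
2020-09-03T09:05:27Z alice GB success
2020-09-04T08:55:44Z alice GB success
2020-09-07T09:10:02Z alice GB success
2020-09-01T10:02:00Z bob GB success
2020-09-02T11:30:00Z bob GB success
2020-09-03T10:45:00Z bob DE success
2020-09-04T10:15:00Z bob GB success
2020-09-07T11:05:00Z bob DE success
2020-09-08T03:14:09Z alice RU success
2020-09-08T10:20:00Z bob GB success
2020-09-08T23:58:31Z bob GB failure
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append({
            "time": datetime.strptime(ts, TS_FORMAT),
            "user": user,
            "country": country,
            "result": result,
        })
    return events


def build_baseline(events, before):
    """Per-user set of countries and login hours seen in successful logins before the cutoff."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["time"] < before and e["result"] == "success":
            profile[e["user"]]["countries"].add(e["country"])
            profile[e["user"]]["hours"].add(e["time"].hour)
    return profile


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def find_outliers(events, baseline, since, hour_slack=1):
    """Flag events at or after `since` whose country or hour is outside the user's baseline."""
    alerts = []
    for e in events:
        if e["time"] < since:
            continue
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if e["country"] not in profile["countries"]:
                reasons.append(f"new country {e['country']}")
            if not any(hour_distance(e["time"].hour, h) <= hour_slack for h in profile["hours"]):
                reasons.append(f"unusual hour {e['time'].hour:02d}")
        if reasons:
            alerts.append((e["user"], e["time"].isoformat(), reasons))
    return alerts


def run(text=SAMPLE_LOG, cutoff="2020-09-08T00:00:00Z"):
    """Build the baseline from everything before `cutoff` and score everything after it."""
    events = parse_log(text)
    cut = datetime.strptime(cutoff, TS_FORMAT)
    return find_outliers(events, build_baseline(events, cut), cut)


if __name__ == "__main__":
    for user, when, reasons in run():
        print(f"{when} {user}: {', '.join(reasons)}")
```

With the constructed data, alice’s 03:14 login from RU is flagged on both country and hour, bob’s 10:20 login from GB is within his baseline and produces nothing, and bob’s 23:58 attempt is flagged on hour alone. The point of the example is the shape of the check (a baseline learned per principal, scored attribute by attribute, with every reason recorded so an analyst can triage) rather than the specific thresholds.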
Time Investment: We continuously see organisations suffer breaches which could have been prevented with tools they already possess but hadn’t yet invested the time to implement. For example, multifactor authentication is included in many common cloud computing solutions, but it takes time for IT staff to roll it out and train users. Yet it’s incredibly effective at helping to prevent business email compromise, one of the most widespread key risk scenarios for many organisations. Similarly, the organisation will need to invest time in developing strong Incident Response Plans and testing them regularly (as detailed below). Any organisation, large or small, can be compromised, and a strong proactive stance and proportionate investment in time allocation and tools can help protect against this.
What are some things you can do to implement the UK NCSC’s guidance on “scenarios” and “crown jewels”?
1) Scenario-specific incident response plans
Organisations should have a clear incident response plan that answers key questions such as: who do we call for help? Do we have a trusted incident response provider that is already onboarded, vetted and familiar with our systems? Have we budgeted for an incident and do we know the potential cost?
However, there’s no such thing as “one size fits all”. An attack which causes a client’s funds to be intercepted and stolen by a cyber criminal warrants a different response, with specific stakeholders, compared to an attack on a hospital’s network that shuts down critical patient care equipment. We recommend that organisations develop more granular and realistic response plans and playbooks for their most critical risk scenarios and to protect their ‘crown jewels’. This will enable better communication, ensure all necessary stakeholders are involved where required, and help ensure critical steps – whether notifying a regulator or engaging external legal counsel – are not overlooked.
2) Tabletop simulation exercises for key threat scenarios
Simulated cyber threat exercises are a critical element of a mature incident response programme, and the addition of cyber threat awareness training is vital for management who are ultimately responsible for security, but do not deal with it day-to-day. The goals of cyber threat simulation programmes vary – they may aim to test the response capability of the board/executive teams, deepen experience of security teams, or test whether specific business units are prepared to recognise an incident and trigger the incident response plan.
We recommend that organisations test their plan against the key scenarios for the organisation. By regularly role-playing a simulated cyber incident as if it were happening live, you will see where communications can break down – for example, IT will likely not be able to provide accurate answers to the business early on, so the exercise develops the ability to act on available, if limited, information. Role-play provides a necessary reality check that slow decision-making and actions can turn a minor incident into a major one. It also practises the need to flex and adapt strategy as new information comes to light on the attacker’s motive. For example, an attack on a Chief Executive’s email account may be motivated by espionage, fraud, or extortion – each of which will result in different outcomes, warrant a different response, and involve different stakeholders. An organisation that has identified its key risk scenarios in advance will know where best to focus its efforts in practice and preparation.
3) Have a third-party “ethical hacking” team test defences for key threat scenarios
We recommend that organisations engage qualified, independent third parties to test their defences, and the ability of their internal security teams to detect attacks, related to their “crown jewels” and their key threat “scenarios”. More than just a penetration test, a “Red Team” exercise puts ethical hackers to work to exploit technical vulnerabilities, attempt to “phish” employees, or even use clever social engineering to talk their way past human security to access physical locations and hardware. Investing in Red Teaming exercises will help to expose weakness and identify priorities for remediation before a real attack can strike.
4) Carry out a financial impact assessment for each key threat scenario
Whether it is to ensure that you have the right level of cyber insurance cover, plan loss reserves, or merely to better understand the appropriate level of security measure investment, it can be very useful to have an accurate quantification of the potential financial impact of a cyber incident. This can help to estimate losses attached to specific scenarios such as personal data breaches based on average cost per breached record, or cost of potential business interruption from a ransomware attack that cripples a production line.
We recommend that organisations engage a qualified third party to assess the impact of key threat scenarios, based on financial modelling specific to their cyber metrics, and analyse results in relation to cyber incidents experienced across the industry sector and particular attack scenarios.
5) Locking the cyber door where it may count most
While cyber insurance can play a crucial role in protecting a business, whether a small operation or a multi-national conglomerate, its purchase should always be treated as part of a broader cyber security strategy that has, at its heart, a proactive approach to risk mitigation (and strong locks on the cyber door!).
[1] UK National Cyber Security Centre, “Cyber Insurance Guidance”, Version 1.0, 6 August 2020 – https://www.ncsc.gov.uk/guidance/cyber-insurance-guidance
[2] Bitdefender’s Mid-Year Threat Landscape Report 2020 at __ – https://www.bitdefender.com/files/News/CaseStudies/study/366/Bitdefender-Mid-Year-Threat-Landscape-Report-2020.pdf.
[3] According to Gartner, 69% of boards accelerated their digital initiatives in the wake of COVID-19 – https://www.gartner.com/en/newsroom/press-releases/2020-09-30-gartner-says-sixty-nine-percent-of-boards-of-directors-accelerated-their-digital-business-initiatives-folloing-covid-19-disruptions
This is for information purposes only. Professional advice should always be sought regarding specific risk issues.