Cyber insurance underwriters are focusing more and more on an organization’s resilience. The most common definition is the ability of an enterprise to limit the impact of security incidents. This is a broader approach that encompasses cyber security and business continuity management, which aims to not only defend against cyber-attacks, but also ensure that the business is able to survive.
According to a recent Symantec study, as much as 60% of Small and Medium-sized Enterprises who incurred a significant hack went out of business after six months. The primary reason was failure to accept the importance of having a post – incident / business continuity response plan in place. The vast majority of damage done in cyber-attacks is due to the inability of the party being attacked to respond because they have not adequately planned out and practiced a cyber response strategy.
Stop and think about this. We practice fire drills, earthquake duck and cover exercises and active shooter training. Shouldn’t we do the same to prepare for a risk with similar catastrophic characteristics as the aforementioned? If your ecommerce system, web site, email or customer data was suddenly inaccessible because of an attack, would you be able to get back up and running within minutes, hours, days, or at all?
The enterprise attack surface is vast, and constantly growing. The Internet of Things’ proliferation is a case in point. Similarly, the threat landscape is continually evolving, while at the same time it is also poorly understood by management. Enterprise networks contain large amounts of insecure software / hardware, and all this is developed, managed and maintained by people – making them all entities that are imperfect and fail regularly from a security standpoint. The objective of security teams is to implement mitigations to offer a cyber-resilient enterprise on top of insecure components. Now, that’s a tall order!
An intuitive notion that all security practitioners agree: given enough effort, anything can be breached. History documents innumerable examples of besieged fixed fortifications falling to a strong, persistent enemy – Troy, Masada, Medieval Castles and The Maginot Line. There is a direct relationship between the likelihood of a breach and effort by the adversary. A more secure network will not only reduce the risk that small changes in effort by the hacker will not increase the risk significantly, but act as a high enough barrier to entry to discourage further attempts to gain system access. In the hacking world, time is money, and the ROI on that time determines where a hacker deploys his energy. The best defense comes from a proactive, diligent approach with a sense of urgency.
Cyber-Resilience depends on the configuration of the infrastructure, current controls and mitigations in place, with the effectiveness of people and processes operating the mitigations. For example, the on-premises infrastructure using network segmentation, 2 factor authorization, advanced endpoint controls, using bastion hosting for network administration, employee training, ingress and egress filtering, VPNs, SoC automation all improve resilience.
Cyber-resilience includes the ability to continuously discover and monitor all points in your attack surface and analyze this information to predict likely breach scenarios. This is not enough. There must be a plan to take appropriate action after a breach, and most businesses fail at this critical point. The first step toward adopting a resiliency mindset is understanding that the goal is not to simply protect your data as well as your customers’ data, but to ensure continued operations and service delivery. This is in the form of a Post-Incident Response / Business Continuity Plan.
Cyber insurance, which is the ultimate backstop to a loss, includes coverage for notification costs, credit monitoring services, forensics, crisis management, ransom, fines and penalties and loss of income. Together these are expensive costs, but the loss of reputation and income stream can be the most costly item.
As a result of Cyber’s dynamic exposure, and post incident costs, cyber underwriters have modified their focus to put more emphasis on a policyholder’s resilience compared to their property brethren. Traditionally, the property insurer’s predominant concern has been security. How deep is the moat? How high is the wall? Today, a significant amount of cyber underwriting attention now takes into account how a business will be able to function after bad things happen. Will it be able to operate and move forward? Because, if the only alternative is to eventually shut down, then it’s a bad risk.
When it comes to cyber threats, and how they continue to evolve, businesses are faced with the known and massive unknown. As such, buyers of Cyber Insurance need broader and better solutions, not just more insurance products. (I know, this is a curious statement from an insurance guy.) As cyber perils loom, the focus must shift from a reactive position of obtaining cover from products to a proactive approach engaging risk management, incident prevention and response. To truly maximize the benefits of Cyber Insurance, success is about integrating technology and forging relationships with third-party providers. Because in-house IT is primarily composed of general practitioners focusing on the network’s functionality, and not security specialists, the emerging Cybersecurity model requires the reliance on specialized outside resources to fill this gap.
With this in mind, Orion Risk Management, along with its security operations partner, developed Cyber Protection Reimagined that combines the five necessary elements for a comprehensive Cyber-risk Control program – Prevention, Detection, Mitigation, Compliance and Insurance. This is a holistic approach and powerful solution transforming the way our clients view their cyber exposure to better manage this risk.
Many businesses are under-prepared and/or under-insured for their growing cyber peril. Therefore, it’s imperative for businesses to have a quantifiable way to understand their own digital network security posture. This was the reason Orion rethought the traditional insurance approach and with our security operations partner, established Cyber Protection Reimagined. This end-to-end solution identifies an organization’s network vulnerability, closes those gaps, educates employees on how to avoid exposing the network to hackers, provides 24×7 monitoring and establishes a post-incident event plan. These best in class attributes reduce the chance of cyber disruption for an improved risk profile, resulting in more favorable Cyber Insurance terms and conditions.
This all comes from the understanding it’s not about “if” a cyber event will happen but “when” one will happen. A twist on the old adage is pertinent here – “Prior Proper Planning Promotes Peak Performance.” How engaged is management on this issue? How well will the company manage business interruption? Is there a continuity plan in place, with back up vendors and all those things that are going to make sure your business is resilient and prepared, not just secure?
An attacker doesn’t have to be good every time, they just need to be successful once! Offense wins and defense loses.