Make cyber resilience a key objective in the year ahead

Cyber and Technology | Article | December 15, 2022

Intensifying threats and rising costs marked the cyber risk environment in 2022, placing even greater emphasis on the need for cyber resilience.
By Michelle Chia, Head of Professional Liability and Cyber

For businesses of every size and industry segment, 2022 was another year of increasingly costly cyber events, amplified by heightened cybersecurity concerns arising from the war in Ukraine. Some of 2022’s most significant impacts [1] included:

  • A Russian hacker group crippled the banking system in Costa Rica.
  • A new form of ransomware proved it could shut down 600 Windows operating system components and bypass embedded security software.
  • Uber took a rough ride when a hacker invaded the company’s Slack channel, prompting the firm to temporarily disable all technical systems as a stopgap.
  • A hugely popular metaverse NFT game dependent on cryptocurrency wallets created by players was hacked to the tune of $625 million.

Indeed, 2022 saw the severity of cybercrimes reach new heights. The average cost of a data breach in the U.S. hit $9.44 million, and healthcare — for the 12th consecutive year — was the biggest target. [2]

As the cyber risk environment continues to evolve and expand, companies must continually reinforce their cyber resilience to reduce vulnerability to threat actors whose aims are to profit from the damage and disruption they inflict. Cyber insurance is an important risk transfer tool, but it can’t be the only investment. Companies must continually sharpen their tools, processes and training to help build cyber resilience.

Cyber insurance markets under stress

The expanding universe of cyber risks, and growing uncertainties about what’s ahead, drove one of the most challenging cybersecurity trends in 2022 — rapidly rising rates combined with a tightening of capacity in the cyber insurance marketplace.

Even as the number of companies adopting cyber insurance increased, the strains of increased cost and reduced capacity were evident in the 2022 Information Security and Cyber Risk Management survey of 353 risk managers, insurance buyers and other risk professionals conducted by Zurich North America and Advisen Ltd., a Zywave company. While the 12th annual survey found that 86% of respondents now have cyber insurance — three percentage points over 2021 and the highest to date in the 12 years of the survey — a difficult cyber insurance market has left many buyers feeling frustrated.

While the majority of those surveyed viewed cyber insurance as an important purchase, some questioned the long-term sustainability of cyber insurance products at an affordable cost.

One global market index cataloged a 53% increase in average cyber pricing in the third quarter of 2022, which may be prompting some buyers to begin exploring alternative solutions such as captives. [4]

Link the talents of risk management and IT security

Strengthening the foundations of an effective cyber defense must begin with closer collaboration between the traditional risk management team and the organization’s chief information security officer (CISO). The goal should be to form a dedicated enterprise security group not only to better defend against threats but also to help leaders more clearly understand the potential financial impacts. A concerted enterprise security group will also help support cybersecurity staff training and ensure that leadership is kept abreast of evolving cyber risk trends.

While software developers are constantly working to provide active defenses in the form of critical security updates and apps, it must also be remembered that the human factor remains the weakest link in any cybersecurity framework. By embedding information security best practices and enhanced awareness in the minds and everyday work habits of employees through formal, frequent cybersecurity training, a business can help build a first line of defense against both new and time-tested tactics employed by cybercriminals, such as email phishing and social engineering.

Strengthening cyber defenses

Other actions to help manage cyber risks include obtaining and regularly updating enterprise cybersecurity software. Protective practices such as multi-factor authentication (MFA) should challenge authorized users whenever they attempt to log on to a network, especially when logging in remotely. Monitoring on a 24/7 basis should be integrated into network architecture, whether performed by dedicated in-house resources or contracted through external providers. And mission-critical data should be backed up in “air-gapped” offsite data stores not connected to your network. In addition to protecting data against cybercriminals, air-gapped backups can also restore data in the event of disasters, such as fires or floods, or if data is lost or corrupted due to a software glitch or hardware failure.

Finally, even the best, most well-designed network security protocols may have an Achilles’ heel that, if left unrecognized, can be an open door into a company’s critical systems. Businesses with even the most robust defensive postures need to periodically test the efficacy of their network defenses to determine whether they can stand up to an aggressive, resourceful attacker. The services of so-called “white hat hackers” acting as security consultants can be an invaluable resource in testing the strength of network barriers. Testing should be conducted on a regular basis because threats are constantly evolving.

Make cyber resilience a priority

It’s a given that cyber risk is here to stay, not only for the large corporate entities best equipped to fight it but for all businesses regardless of size and industry. While large organizations, where criminals stood to score the most financial gain with the least effort, have invested in much stronger network defenses, the focus is gradually shifting to small- and mid-sized firms. The current sweet spot for many cybercriminals is a mid-sized business with weak controls and protocols in place. [5] While cyber insurance can help, it can only go so far against the growing financial and social impacts of increasingly sophisticated bad actors.

All of which is why one defining cybersecurity trend of 2023 and beyond should be a commitment among companies to build a strong cyber resilience culture and mindset, employing the right strategies, tools, employee training and tactics. Such a posture will have added benefits beyond helping organizations better defend against attacks. A demonstrated commitment to resilience will also show the cyber insurance market that a company is taking the risk seriously and acting to mitigate it. Such a customer will represent a better bet in terms of underwriting, pricing and capacity, just as a manufacturing plant well engineered against fire represents a more favorable property insurance risk.

It’s been said that businesses must be able to defend against every one of the countless cyberattack attempts every day, while the criminal only needs to succeed once. Unfortunately, that is true today and will only become more worrisome as cyber rogues become more creative and better equipped. The fight will take an ongoing, coordinated front engaging corporations, insurers and governments.

We won’t always win, but we can significantly improve our averages if every entity at risk of cyberattacks — from Main Street to multinationals — adopts an enduring commitment to strengthen and maintain cyber resilience in 2023 and the years ahead.

For insights about ways to help organizations build cyber resilience, visit Zurich Cyber Risk Engineering Services.

References:

1. “Halloween Special: The Scariest Cyber Attacks of 2022 (So Far).” TechFunnel. 31 October 2022.
2. Cost of a Data Breach Report 2022. IBM Security. July 2022.
3. “Has cyber cover reached a price where it no longer makes sense to buy?” The Insurer. 4 November 2022.
4. “Marsh: Global commercial insurance pricing continues to moderate with 6% increase in Q3.” The Insurer. 26 October 2022.
5. Sayce, Scott. “The changing cyberthreat landscape.” PropertyCasualty360. 2 November 2022.
