Lions and gazelles – the reality of the cyber jungle
March 2021 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2021 Issue
To understand the current state of cyber security risk, picture the golden sun rising over the plains in Africa. Each morning, the gazelle has one primary thought: “I must outrun the fastest lion today, or I will be eaten”. The lion, meanwhile, knows that in order to eat that day, it only needs to catch the slowest gazelle.
In either case, as the old African proverb goes, when the sun comes up, you need to start running.
Companies, both large and small, must realise that they are the gazelles in this scenario. Hackers are the lions, of which there are many roaming the plains in search of prey. The lions are constantly running, and the gazelles must not slow down.
The lions, it should be noted, rarely seek the difficult catch. They are looking for the easy kill, the low-hanging fruit. They want the clueless gazelle standing by the water hole, not the graceful one galloping along at 50 or 60 miles per hour. In short, you do not have to be the fastest gazelle. But do not be the slowest.
From an insurance standpoint, imagine being the company that provides cyber insurance to the gazelles. You know the lions are abundant, hungry and faster than ever. You know the gazelles are their primary target every day. Naturally, you want to limit your risk by declining to insure the slow, sitting prey and instead offering cover to those beasts less likely to be caught by the lions. That, in essence, is where we are today.
With so many recent ransomware attacks, cyber insurance companies are levying significant increases in premiums. This trend has generated headlines over the last year and continued to take shape at the end of 2020, when there was a reported 15 to 20 percent increase in cyber insurance rates. In January 2021, it was reported that insurers were seeking to introduce ransomware co-insurance and sub-limits to cyber policies to reduce their exposure to the recent increase in the number and size of ransom demands. And looking ahead, those same reports indicate that rates are expected to increase by 20 to 30 percent throughout 2021.
For all companies, the effects of ransomware attacks can be severe. To say that an attack could be an existential threat is hardly hyperbole. Insurers know this and companies must accept it as well. Corporations must also bear in mind how opportunistic hackers are. They knock on one corporate door and if it does not open easily, they usually move on to the next one. Unless they are absolutely determined to attack your specific system, which would usually only occur if the hacker has a specific agenda that they wish to pursue, they will typically search for an easier entry.
Companies would benefit from keeping cyber security simple. Some corporations make their cyber security too complex, such that it can be overwhelming to those who are not technical experts. For many, it feels like a foreign language. But it does not have to be this way.
For starters, companies should view cyber security as a corporate governance issue, not an IT issue. They must also involve all corporate leaders and address the company’s cyber needs from a strategic, cross-departmental perspective. Do not make it merely a technology issue which IT must figure out on its own. In our experience, the best way of getting corporate leaders to engage in this process is to highlight the business interruption consequences of a cyber incident – emphasising that a ransomware incident, for example, may cost the company $10m in the first week alone tends to focus minds on just how important cyber security is.
Accordingly, boards should feature the appropriate amount of cyber security expertise and, in turn, should create meeting agendas that devote time to addressing cyber-related issues and strategies. Boards need to discuss specific risks and plans for each risk area, including the appropriate insurance strategy for each.
When a company fully understands its IT infrastructure and devotes the necessary time, energy and money to cyber security, it is able to identify its operational and financial exposures, which in turn will prove beneficial when preparing to handle a cyber crisis.
As a starting point, an understanding of the company’s IT infrastructure and core operational applications must be set out, as well as how these change from site to site. In addition, details of how these sites are connected and can be segregated are also important. Furthermore, controls governing external access to the network need to be documented. The threat landscape faced by the company needs to be understood, as well as the mechanisms used to monitor and detect threats and, in a worst-case scenario, network intrusions.
The NIST Cybersecurity Framework, among other similar guidelines, allows companies to take a true risk-based approach to cyber security. It is more than just a simple listing of cyber controls. The five key areas (identify, protect, detect, respond and recover) encourage companies to take a deeper dive into their cyber capabilities, including their strengths and weaknesses, as they strive to prevent, detect and handle cyber attacks.
Once a cyber security framework review has been completed for the first time, it is advisable that an annual audit is performed to ensure that any unexpected changes to the system have not raised the risk profile. An annual audit also allows a company to confirm that any improvements made since the last audit have been successfully implemented and their goals achieved.
Among the recommended best practices are updating IT systems regularly, such as patching systems as needed, amending the cyber response plan as appropriate and preparing for all potential scenarios before an attack occurs. This foundation will create a clear plan that not only helps prevent and respond to an attack, but, when shared with cyber insurers, helps demonstrate a strong understanding of the actual risk exposure.
Remember that corporations do not need to have perfect cyber security systems and protections in place. They just need to be in, say, the top 50 percent. That is the safe zone, as we see it, where hackers are unlikely to proceed with an attack unless there are specific motives for targeting that exact company.
More importantly, if the company can demonstrate and evidence to its cyber insurers that it is in that top 50 percent cohort, then chances are it will still be able to obtain cyber insurance coverage. Furthermore, any premium increase may be at the lower end of the 15 to 30 percent range that the cyber insurance market is currently quoting.
While lower premiums are ideal, you should – above all – make sure your systems are not among the most vulnerable. Regardless of your premiums, that is a group that you do not want to be in. After all, the lions are watching.
Ben Hobby is a forensic accounting partner, Bernard Regan is a forensic technology principal and Christopher Tait is an information technology principal at Baker Tilly. Mr Hobby can be contacted on +44 (0)20 7065 7925 or by email: ben.hobby@bakertilly.com. Mr Regan can be contacted on +44 (0)20 7065 7937 or by email: bernard.regan@bakertilly.com. Mr Tait can be contacted on +1 (414) 777 5515 or by email: christopher.tait@bakertilly.com.
© Financier Worldwide
By Ben Hobby, Bernard Regan and Christopher Tait, Baker Tilly