The Continuous Threat of Cyber Misconduct and its Impact on Global Industry
By Kimberly Patlis Walsh, President and Managing Director of Corporate Risk Solutions (CRS)
In the lead-up to Russia’s invasion of Ukraine in February, the FBI and Department of Homeland Security issued warnings of urgent cyberattack threats against U.S. and Ukrainian governmental and commercial networks. As recently as April 18th, a top U.S. cybersecurity official told “60 Minutes” that Vladimir Putin likely would resort to digital warfare, resulting in a cyberattack on American targets. These warnings highlight the dire circumstances being faced worldwide as the Russian invasion continues to cause significant damage to Ukraine’s internet infrastructure, underscoring the need for coordinated and bold responses.
But, putting politics aside, the reality is that any business that interacts with and/or depends on the internet is a target, regardless of size. Cyber criminals’ methods have become increasingly sophisticated, and they launch attacks against IT systems with seeming impunity. As a result, the negative repercussions for businesses cannot be overstated. Indeed, potential targets are no longer limited to those that hold personally identifiable information, personal health information or customer credit card data. Some of the largest cyberattacks over the last two years have not involved the theft of such information at all. Rather, these attacks have either shut down or materially interrupted vital infrastructure, health systems, financial companies, and manufacturing, including construction, supply chains, distribution, and sales.
The impact of these attacks can take any number of forms, including: malware, including but not limited to ransomware (which disables access to IT systems until a ransom is paid); business interruption (income lost because of the inability to access systems); data restoration (reconstructing “lost” company and customer data); social engineering/phishing (loss of money based on the impersonation of a colleague, client or vendor); regulatory fines and penalties; liability to third parties if their information is compromised; and reputational harm. Estimates of losses from these events run from $20 billion in ransomware costs alone for 2021 up to $10.5 trillion (or $20 million per minute) expected to be lost or spent by 2025 to respond to, address and fight these attacks globally.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA, the ongoing success of these ransomware attacks has only further encouraged cyberthieves around the globe and should put businesses of every size on high alert throughout 2022.
Specifically, CISA has advised that ransomware attackers are focusing their attention on critical infrastructure industries throughout the US, including:
- Emergency water services
- Energy sector
- Financial services
- Healthcare sector
Despite these grim predictions, it is imperative to remember that there are myriad tools available to protect businesses against and mitigate the impact of cyber-related events.
Internal Security Protocols / Controls
Cybersecurity experts have identified many of the key vulnerabilities that criminals exploit to enter computer systems, and how to address them, including:
- Multi-factor authentication tools to safely access internal computer systems
- Robust Desktop Security Protocols, including virtual private networks, data encryption, complex passwords, firewalls, and restricted access to admin rights
- Active management of systems and configurations
- A continuous hunt for network intrusions and third-party exposure threats
- Immediate updating and upgrading of software
- A system recovery plan that is developed and exercised, including regular testing of backups for data integrity and restorability, and an incident response / business continuity plan that is prepared and tested annually
System and information security is the primary key to mitigating cyber-related risks. Whether through in-house personnel, engaging outsourced cybersecurity firms, or having those teams work in tandem, many vulnerabilities can and should be addressed as an enterprise-wide project. While there is no “one size fits all” approach, and it is a true investment of capital and manpower, it is imperative that companies do an initial assessment of their cybersecurity policies and procedures. The biggest mistake companies make in this context is believing that they are not a target because of their industry, their size, their revenues, or their footprint. Everyone is a target, and, as such, these issues simply cannot be ignored.
Another key mitigation tool is purchasing a dedicated cyber insurance policy. This allows businesses to transfer the first-party loss (i.e., loss to the company itself) and third-party indemnity (i.e., liability claims against the company and regulatory proceedings) risks associated with cyber-related security breaches. A robust cyber policy is structured around helping the company recover, handling the costs associated with an attack, and best protecting the company’s reputation. The purchase of insurance will often also act as a catalyst for implementing the tools and processes described above, as cyber insurance carriers are increasingly demanding that most, if not all, of those items be in place (or be on track to be put in place) before they even issue a quote outlining the costs and coverages potentially available.
As part of the underwriting process, carriers will analyze possible risks pertaining to the company; the strength of IT and cybersecurity controls; compliance with legal and industry standards; and the existence and strength of a security response plan. It is vital that companies be transparent during this application and review process, so that issues do not arise in the event of a claim. Misrepresentations of material facts requested by insurance underwriters, especially with respect to cyber processes and procedures, have led to voided coverage when such misrepresentations came to light after a claim was noticed to the carrier. No insurance policy is worth the premium paid if it is not available in the event of a loss.
As ransomware and other cybersecurity threats continue to create profound financial and operational interruptions affecting businesses and insurance companies worldwide, it is imperative to seek an independent risk advisor who can serve as a sounding board and navigate the various and sudden risks facing enterprises globally, to ensure maximum recovery of data, systems and monies.
About the Author
Kimberly Patlis Walsh is President and Managing Director at Corporate Risk Solutions.
Kimberly Patlis Walsh brings over 20 years of insurance underwriting, program structuring, and multinational client risk advisory representation to her Corporate Risk Solutions (CRS) engagements. Prior to joining CRS in 2003, Kimberly served as SVP of AIG’s Mergers & Acquisitions Group, structuring insurance & financial solutions to a variety of corporations (publicly traded and privately held) to limit or transfer liabilities within corporate transactions, recapitalizations, bankruptcies and other M&A situations. She is active in both the alternative investment community as well as the insurance and risk community.