The year 2020 raised the bar for businesses attempting to defend against a new and more sophisticated level of cyberattacks.
As organizations scurried to adapt and compete in a COVID-19 remote-work environment, threat actors swept in and took advantage of new or increased vulnerabilities. The result was a more sophisticated and exponentially intensified cyber risk, primarily due to a major increase in ransomware attacks, which were up 400% over a 2-year period from 2018-2020 and will cost organizations approximately $20 billion in 2021.
A cyber loss will be felt throughout an enterprise -- in business interruption and associated unexpected costs, including potential computer forensic costs, defense costs, privacy breach notification costs, fines and penalties, and harm to a business’s reputation. Organizations are also challenged to navigate the new exposures arising from rapid digital transformation:
- Remote working is here to stay, yet only 40% of organizations report having adequate remote work strategies to manage this risk
- Only 17% of organizations report having adequate application security measures in place for the rapid pace of digital evolution
- Positively, however, 60% of organizations report having sufficient network security measures to manage new digital connectivity
Combine that with the challenges of reduced revenues and constrained budgets, and it is hardly surprising that many organizations are finding themselves under pressure to catch up and achieve cyber resiliency.
This balancing act requires better and more informed decision-making around cybersecurity, which is ever evolving as new threats are constantly emerging. Here’s a strong solution to consider: Addressing the need to achieve cyber resilience and mitigate a business’s cyber exposure requires a holistic cyber perspective with a cybersecurity strategy that is circular, rather than linear.
Building Cyber Resilience Through the Cyber Loop
Businesses seeking cyber resilience will continually cycle through the four stages of assessment, quantification, insurance and incident response readiness in what is called The Cyber Loop. Resilience is possible for businesses that adopt this approach to cybersecurity, which can provide them with a greater cyber ecosystem. Managing cyber as an enterprise risk requires continuous review, improvement and investment in cyber management, leading to an optimization of a business’s total cost of risk.
The Cyber Loop acknowledges that each organization is unique and on its own digital path. As a result, organizations may enter the Cyber Loop at any of the four points depending on where they are in their current cybersecurity journey. Here’s further background on each of the four entry points:
Assessment
Assessment results allow for strategic decisions to be made in the context of an organization’s culture, risk tolerance, and mitigation. That applies to your organization and your third-party vendors and suppliers. Just one in five organizations report having adequate third-party management measures to oversee critical suppliers and vendors. Organizations that are not adequately managing third-party risks should consider a range of due diligence, onboarding and contract risk management assessment services.
There are multiple assessment services available, from general scans for a system’s weak points to more detailed evaluations such as external vulnerability assessments and penetration testing. Some providers allow businesses to benchmark their preparedness against peer organizations and receive customized remedial recommendations.
During an assessment, large amounts of data and insight are collected and analyzed within the ecosystem of the Cyber Loop:
- Critical assets, systems and operations are identified
- Policies and procedures are evaluated
- User behavior is confirmed
- Vulnerabilities are diagnosed and prioritized
- Cybersecurity controls are benchmarked against specific threats
- Governance and response readiness are assessed
Through an assessment, leaders can make sound decisions and strategically manage the cyber risk through four paths: avoid, mitigate, accept or transfer the risk.
Quantification
Ransomware poses a business interruption and balance sheet risk, yet only 31% of organizations report having adequate business resilience measures in place. Conduct a loss quantification study to gain a better understanding of the financial impact of a cybersecurity attack on the business.
Quantification of cyber risk is critical. It uses financial modeling to help companies make smart, data-driven choices on cybersecurity risk management with the goal of helping safeguard the balance sheet and optimizing total cost of risk. In a quantification study, tailored scenarios are built to understand the commercial impact of a cyber incident. This involves locating business-critical technology assets throughout the business value chain, including key suppliers and IT vendors.
By quantifying cyber risk, balance sheet impact is more clearly defined and companies can more deliberately invest in information security, business continuity programs, risk transfer strategies and cyber insurance.
Insurance
Managing cyber as an enterprise risk requires that a company ask if it has an effective strategy, reflective of exposures, including third-party exposures, to mitigate potential financial losses. This requires disparate stakeholders to connect -- to address the risk in unison, including but certainly not limited to the CIO, CISO, head of disaster recovery, general counsel, treasurer, risk manager and human resources manager. If approached from this holistic, enterprise view, the cyber insurance and risk transfer process can serve as the bowtie to pull key stakeholders together.
Once engaged in this phase of cyber resilience preparation, companies will find more than one way to transfer and manage quantified cyber risk. Perhaps it does make sense to transfer a portion to the cyber insurance market, but maybe an alternative risk retention, or self-insurance financing strategy, is also warranted.
The cyber insurance marketplace has hardened significantly as cyber claims have risen 336% from the start of 2019 through to 2020, due in large part to increased ransomware losses. As a result, cyber insurance buyers are experiencing double-digit rate increases, tightening terms and conditions and reduced capacity in all layers. Risk managers should work closely with their broker to best manage their cyber risk transfer opportunities.
Incident Response Readiness
Jumping on the Cyber Loop at incident response readiness can either be proactive, with advance planning and testing, or reactive – when professionals are urgently needed to find, contain and mitigate an incident. It is far more advantageous to have an Incident Response (IR) Plan that is established, rehearsed and tested to ensure the organization is well-aligned and takes the right critical steps to mitigate cyber losses should an attack occur. Waiting until after an attack to make those decisions, when stresses are high and minutes count, is not recommended.
Having an established IR strategy that encompasses people, processes and technology can mean the difference between managing a crisis and losing the fight against the attackers. Data forensic and IR consultants should be retained prior to an incident, and should be agreed upon by your cyber insurance carrier – in fact, your insurer will have pre-approved third-party response professionals in such areas as forensic incident response, legal counsel, crisis communications and ransom negotiation and payment.
About Aon: Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.
This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.
Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.
©2021 Aon plc. All rights reserved.