In the past six months, the United States has seen cyberattacks against hospitals, America’s biggest gasoline pipeline, a global meat supplier, and countless other public entities, manufacturing firms, and organizations supplying critical infrastructure.
The threat landscape has evolved to a point where really any company operating a network system or reliant on a network system to function is now at risk, according to Shannan Fort (pictured), head of cyber at McGill and Partners. In other words, no business is immune to cyber risk.
Bad actors have grown far more emboldened and sophisticated in recent years, constantly changing their tactics and finding new ways to monetize their illegal access to corporate networks. In recent years, they’ve shifted their focus from stealing and selling personally identifiable information (PII), to planting ransomware on corporate networks and demanding payment for data de-encryption.
Since 2017, hackers have achieved tremendous success by weaponizing ransomware, to the extent that they are now demanding multi-million-dollar ransoms in cryptocurrency from large organizations. There has also been an explosion in ransomware-as-a-service (RaaS), a subscription-based model sold on the dark web, which enables hackers to use already-developed ransomware tools to execute ransomware attacks.
“As the focus has shifted to ransomware, data/financial information aggregators (like financial institutions, retail, healthcare) are no longer the only primary targets of threat actors,” Fort told Corporate Risk and Insurance. Today, all companies with a corporate network are at risk, but in particular, hackers seem to be upping their antics against manufacturing firms, public entities and critical infrastructure.
“These organizations tend to be reliant on outdated network systems, which are often decentralized and require a significant number of endpoints,” Fort explained. “All of these factors can magnify the impact of an issue and bring the business to a halt. The very nature of their operations and reliance of third parties (whether that’s consumers or other businesses) on their business means functionality is absolutely paramount and must be restored immediately. This combination can make them lucrative targets.”
There are lot of steps that businesses, regardless of size or sector, can and should be taking today to reduce the potential for a cyber incident. Best practice cyber risk mitigation may look different depending on the industry, but there is a minimum standard that all companies should strive to hit, according to Fort.
“There is an expectation that companies protect their most critical assets, however there is some flexibility as to how this can be done and any decisions should be made with the system configuration and business need in mind,” she said. “At minimum, there is an expectation that companies are focusing on recovery through robust backup procedures and prevention through tools like multifactor authentication (MFA), but it’s important to stress network security must be uniquely configured to the organization for it to be most effective.”
Companies with strong cyber risk management practices will earn the favor of underwriters in a dramatically hardening cyber insurance market. Today, MFA is almost a pre-requisite for coverage, and other practices like securing remote desktop protocol (RDP), having remote data back-ups, and engaging in regular employee training are also important considerations.
“It’s all about prevention, preparation, response and mitigation,” said Fort. “Organizations need to show a clear understanding of the threat and a detailed, tested plan for how they are managing the threat, and how they will respond to an incident. They must be able to clearly articulate the protections they employ and their response capabilities.
“Clear and constant communication is needed between all stakeholders: the insured, the risk manager, the broker, and the underwriter. This market is rapidly evolving, and every part of this chain must have a clear picture of what is on the horizon. Risk managers need to know what to expect from the market and carriers need to know how companies are continuing to keep security and protection at the forefront. The broker is key in the flow of information both ways.”