Insuring Cyber Podcast - Insurance Journal - EP. 28:  Looking in the Rearview Mirror: Cyber Lessons Learned from 2021

EP. 28: Looking in the Rearview Mirror: Cyber Lessons Learned from 2021

12/01/21 • 31 min

Insuring Cyber Podcast - Insurance Journal

The year is coming to an end and cyber insurers as well as their clients may be reflecting on lessons learned from this year’s biggest threats. However, Kurt Suhs, founder and CEO of cyber risk company Cyber Special Ops, says moving forward in the current threat landscape is an ongoing challenge.

“The thing about cyber is we want to get organizations on the road, but you will never get to your destination because the technology, the litigation, the threat landscape is changing so quickly that by the time you were actually even to model a threat landscape, you’re already going to be examining and looking at things from the rearview mirror,” he says. “So that’s the challenge, and that’s where I think organizations just need to get on that road, on that path, and move forward.”

Ransomware attacks have continued growing in scale and complexity this year as they affected businesses, hospitals, schools, local governments, critical infrastructure and even insurance companies’ own operations, and experts on this podcast episode say this cyber threat landscape will likely continue in the new year.

“I think certainly the lesson learned is that cyber attacks and the ransom malware that’s hitting so many organizations will look at your organization regardless of how large you are, what type of business you’re in and where you are geographically,” Suhs says. “So it just continues to get worse every day, and I think it will continue to do so in both frequency and severity.”

As cyber incidents become more and more unavoidable for many organizations, Vishaal Hariprasad, who goes by V8 and is the CEO of Resilience Cyber Insurance Solutions, warns that organizations need to begin planning for incidents early.

“Get more proactive,” he says.

Suhs agrees.

“People like to say it’s not if, but when,” he says. “I like to say it’s not if, it’s not when, but it’s how large.”

This means that insurers have an important job of educating clients and helping them to reduce their vulnerabilities to avoid getting exploited, Hariprasad says.

“Our companies, our clients, don’t have the specialty and time and resources to become cyber experts themselves,” he says. “The insurance world, I believe in all realms, including cyber, does a great job of clarifying what are the key items of risk that they need to address in providing the loss control and risk engineering guidance so that it’s actionable, and then providing the appropriate financial incentives, in the form of risk transfer, to incentivize the clients to adopt it.”

The key takeaway for cyber insurers and clients alike in 2022, although not necessarily hopeful, is an important one, Hariprasad adds.

“The key takeaway is the vulnerabilities will always be exploited,” he says. “It’s a continuous effort, not just a one-off where you block it and you’re done. Cyber’s going to always be a continuous cat and mouse game.”

Check out the rest of this episode to find out what else V8 and Kurt had to say, and be sure to check back for The Insuring Cyber Podcast’s first episode of 2022, publishing on Wednesday, January 19th. Thanks for listening.

The post EP. 28: Looking in the Rearview Mirror: Cyber Lessons Learned from 2021 appeared first on Insurance Journal TV.


Previous Episode

EP. 27: Two Experts Debunk Some of the Biggest Myths Around Cyber Insurance

Cyber attacks are continuously evolving, and companies that don’t stay educated about the space could be caught off guard, experts say.

“A lot of times, I think cyber has this type of mentality that it’s not going to happen to me,” said Luis Gazitua, principal at JAG Insurance Group, on this episode of the Insuring Cyber Podcast.

However, that’s a misconception that businesses need to avoid as cyber losses mount, he said.

“Cyber specifically is one of those things that could take down your business,” he said. “It’s one of what I consider the biggest unknown losses.”

This is particularly true for small businesses, despite the misconception that they won’t be targeted because their footprint is smaller than that of bigger firms.

“Small businesses are the ultimate low hanging fruit,” he said. “It’s more likely that a cyber attack would shut them down indefinitely.”

However, many firms – especially in the small or mid-sized space – may be worried that they can’t afford cyber insurance. Earlier in this episode, Odin Olson, vice president of business development at security operations provider Arctic Wolf Networks, spoke about why he believes this is a false notion.

“Can you afford, or did you plan?” he said. “Maybe it’s a slightly different way to look at that. Can we afford things that come up within two weeks as an organization that maybe hasn’t budgeted or planned for this kind of thing? That’s painful. Can you afford if you’ve thought ahead of time and, as I mentioned just a minute ago, looked for different carriers, different options, different coverage options and that kind of thing?”

He also raised another important question.

“And can you afford not to?” he said. “I think you probably can’t afford to have a $5 million ransomware event.”

One method to ensure businesses can not only afford coverage but also will qualify for it is to get started early, he said.

“I think if you let this conversation go until you’re 30 days out or two weeks out from having to buy a new policy for the year, you’re probably out of time to qualify if you haven’t explored other carriers or brokers,” he said. “That may be one of the biggest items, which is start thinking about this now.”

This will give insureds more time to make technology decisions that are becoming primary drivers for insurers in deciding whether or not to grant coverage, he added.

“You can’t implement technology in two weeks to have the capabilities you need to get a lot of the policies these days,” he said.

For agents and brokers, education about technology and cybersecurity is equally important, he said. Whether it’s multifactor authentication, backup tools, 24/7 monitoring or privileged account management, Olson said brokers should be familiar enough with those terms to give clients at least a two-sentence explanation.

“I think that’s something that the brokers can also be doing to bring more value to their clients,” he said. “To really understand the why and what’s happening with these trends and with these technologies so they’ll be better advisors to their clients.”

According to Gazitua, however, the biggest misconception around cyber insurance is still summarized by the sentence, “It’ll never happen to me.”

“It’s not just, ‘I spent $10,000 on the best IT infrastructure,’ or, ‘I pay every month for the best malware system to protect me from a potential issue,’” he said. “But the truth is most of it is human error.”

He added that with the ongoing remote working environment due to the COVID-19 pandemic, this is even more prevalent.

“There are a lot of systems set up where it’s just human error,” he said. “It could be your kids using your laptop, right? Because how do you balance the personal and business laptop? Those things are happening. I think another big misconception is it’s not just about the system you have in place, but the human error element is never going to go away. That is the most likely reason why you’re going to have a cyber claim.”

For those still questioning whether cyber insurance is affordable or makes sense for their business, Gazitua has a word of caution.

“This is going to be something where maybe you get caught off guard,” he said. “More and more, it is going to become the norm in the next three to five years.”

Check out the rest of the episode to hear what else Odin and Luis had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday on Insurance Journal TV and Apple Podcasts along with the Insuring Cyber newsletter. Thanks for listening.

The post EP. 27: Two Experts Debunk Some of the Biggest Myths Around Cyber Insurance appeared first on Insurance Journal TV.

Next Episode

EP. 29: New Year’s Resolution? Experts Say For Cyber Criminals, It’s More Widespread Attacks

The looming threat of increased supply chain and critical infrastructure attacks is causing both cyber experts and cyber insurers to lose sleep already in 2022, according to guests on this episode of The Insuring Cyber Podcast.

“Those are going to, I think, proliferate,” said Bob Cattanach, partner at international law firm Dorsey & Whitney, on The Insuring Cyber Podcast. “And in my conversations with carriers, I think that’s what’s got them staying awake at night because that’s a risk that we don’t really have much actuarial data on.”

James Silver, deputy chief for litigation of the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, later in the podcast episode described supply chain attacks as a situation in which a cyber criminal gets into a piece of trusted code that might be deployed throughout multiple systems, or into software supply chain companies that provide code to lots of customers. This means many endpoints can be exploited at once.

Silver added that critical infrastructure attacks are one of his top concerns for 2022 after some of the major attacks of last year – the Colonial Pipeline attack being one that drew widespread attention.

“I am most concerned about critical infrastructure attacks, and I’m also concerned about cyber crime evolving toward directions where we can’t use the old tools and the old methods we have before,” he said.

In a June 2021 episode of this podcast, cyber experts said that the Colonial Pipeline attack, in which ransomware took down 5,500 miles of critical infrastructure along one of the nation’s largest pipelines, should be a wake-up call for all companies to prioritize their cyber hygiene. That’s a message that’s being carried into 2022, as Silver called the attack “a watershed moment” for many.

“The lesson that I draw from [2021] is we see what happens when cyber attacks have effects that spill over into critical infrastructure and the physical world. We obviously saw during the Colonial Pipeline incident that people were having a hard time getting gasoline in certain parts of the country,” he said. “So I think that the lesson I draw from that is cybersecurity has always been important, but we see an even clearer reason to focus on the supply chain and to harden it, and to focus on critical infrastructure and entities that are connected to the internet but are going to interface with the physical world.”

He said attacks like this mean there is less time to respond in many cases, leaving companies with limited time and ability to make the right decisions.

“The pressure goes up immediately on everyone because the effect of an attack on a critical infrastructure entity is going to spill into society in ways that it otherwise wouldn’t,” Silver said. “And so, we have less time to respond.”

Cattanach added that with this in mind, it’s important for companies to update their incident response plans now in preparation for evolving attack methods.

“And if you don’t have one, draft one, because that will focus on, ‘What do we do as an entity when the bad day comes?’” he said. “The watchword is not prevent, because I wish I could say you could prevent, but it’s really more a response than prevention.”

Indeed, he said cyber is “a continuing cat and mouse scenario where we know that the bad guys are at least one step ahead.”

One silver lining in all of this uncertainty, however, is that as cyber attacks have gained increased visibility, the need for better cybersecurity is catching the attention of C-suites and boards, Cattanach said.

“Everybody gets it,” he said. “It used to be that some segments, obviously financial segments, got it. Healthcare segments started to get it a little more quickly. Now, everybody gets it because everybody’s been impacted.”

This move toward better understanding is also presenting a unique opportunity for cyber insurers to offer expertise and guidance as well as insurance protection, Silver added.

“Insurance companies themselves, they don’t just offer cyber insurance, but are really in a position to help their covered entities implement best practices to get to a more secure environment that will benefit all of us,” he said.

While Silver and Cattanach both agreed that increased efforts toward cybersecurity and attack response will pay off in the long term, it’s important to stay vigilant.

“While I’m optimistic that our increased efforts in this area can make a difference, the threat landscape, it’s always changing,” Silver said. “It’s dynamic. It’s part of what makes this work so challenging and interesting, because cyber criminals are very intelligent and they evolve constantly in their practices.”

Check out the rest of this episode to see what else Bob and James had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along...
