Remote Work and the Digital Pandemic
Last year, the FBI reported a 400% increase in cyberattacks, in large part due to the increase in working remotely. Among them were two major data breaches: SolarWinds and FireEye — both third-party technology partners hired to protect their clients from data breaches and then becoming victims themselves. In that same report, the FBI noted that ransomware attacks made up about 85% of all cyberattacks in 2020 (dubbed “The Year of the Digital Pandemic”) — a trend has ramped up significantly in 2021 and shows no signs of slowing.
The high-profile Colonial Pipeline ransomware attack in May 2021 followed, disrupting the country’s most significant fuel and oil pipeline. Many insurers have understandably begun to focus most of their efforts on ransomware risk protection even though other new vulnerabilities are emerging from the new remote work trend. This new class of attack could result in claims damages that amount to much more than a single ransomware attack.
Recent statistics point to a troubling increase in ransomware and phishing, web application attacks, and other emerging cybercriminal tactics. Still, the focus on ransomware is warranted and can become quite costly without proper insurance coverage.
The Colonial Pipeline incident directly prompted the Biden Administration to announce a national security directive to boost defenses against ransomware attacks to critical infrastructure. While it’s progressive in setting performance standards, it doesn’t provide any natural way to enforce them, which is why businesses must assume that cyberattacks are inevitable and take matters into their own hands.
The New Approach to Cybersecurity Risk Prevention
Companies can regain control over cybersecurity risks with robust management processes, outlined here in six main steps (and a seventh bonus step):
- Assess your risks
- Prioritize your risks
- Determine your risk profile
- Choose your risk strategies
- Execute your risk strategies
- Measure residual risk
- Repeat Steps 1-6 all over again since things are constantly changing
Managing cyber risk follows the same basic process and principles as managing any other risk; however, the best risk management plans are only as strong as their weakest link. When it comes to cybersecurity, that weak link is often a business’ third-party vendor.
Hiring a cybersecurity expert (or external consultant), purchasing password protection software, backing up your files, and enabling multi-factor authentication are some quick and easy ways to “lock the door” to cybercriminals. But, as ransomware and other attack vectors become more lucrative and easier to initiate, companies of all sizes will need to implement additional, more layered security measures, especially if they’re working with third parties that are equally at risk.
Companies should start by taking inventory with a thorough gap assessment of personnel and both capabilities and find a way to address any discrepancies with either an internal expert or an external consultant (or both, depending on the companies’ needs). Next, they should prioritize which risks are worse than others and develop a continuity plan to manage them and recover if disaster strikes.
To cover losses when an incident inevitably occurs, companies should purchase or shore up their cybersecurity insurance policiesas well as requiring that their third-party partners (e.g., suppliers, vendors, contractors, franchisees, etc.) carry a certain amount of cybersecurity coverage to pay for damages and the cost to remediate them.
How Insurance Verification Helps
It’s not enough just to carry cybersecurity coverage — companies need to make sure the policies are adequate and haven’t lapsed. This is where verification, and ongoing re-verification, of third-party cybersecurity insurance, comes into play. This simple measure is one of the most effective ways for businesses to protect themselves and their customers from the financial risk of stolen data, ransomed files, and more.
Additionally, many cyber insurers now verify a company’s cyber risk controls as part of the underwriting process, so the act of verifying cybersecurity insurance can add a second layer of verification in one. This ensures that not only do third-party vendors have coverage but that they’ve prioritized cybersecurity protection and developed a comprehensive plan of defense.
If the Digital Pandemic has taught us anything, it’s that nobody and no business is immune from an attack. Companies need to be better about verifying their supply chains and ensuring that each vendor they’re working with is sufficiently covered.
Data breaches are inevitable, but businesses can (and should) protect themselves and their customers from third-party risk by verifying that their partners’ cybersecurity and ransomware insurance policies are active and appropriately meet the company’s needs.