January 2023 Issue
Cyber security today presents challenging problems. Modern attack vectors range from complex cyber warfare to a simple transfer of funds request, perpetrated by everything from state-sponsored attackers, to criminal gangs, to opportunistic fraudsters, to lone hackers. As attacks become more frequent and losses more devastating, companies need to take a proactive rather than reactive approach to cyber risk management – seizing the initiative to monitor their cyber risk profile and mitigate vulnerabilities.
FW: How would you describe the magnitude of the cyber security threat facing companies today? In your opinion, how vulnerable are companies to attacks targeting data, as well as attacks targeting operational technology such as physical machinery and safety devices?
Bouloux: Today’s cyber security threat is a gargantuan proposition to overcome. Modern attack vectors are both phenomenally complex and beautifully simple. They could be year-long, state-sponsored espionage attacks that rely on months of digital surveillance and complex cyber warfare tools to execute malicious attacks, down to a simple and well-crafted email that asked for a transfer of funds. With such a broad spectrum of threats encompassed under one banner, no company is immune and, as such, should have a comprehensive and adequate cyber security programme. Without the correct processes, systems and training, modern businesses are highly vulnerable to malicious cyber events. This is particularly pertinent for sensitive information and operational technology (OT) – be it physical or virtual systems – which are a key focus for cyber insurers.
Hayes: Cyber threats are currently ranked as one of the top concerns facing companies globally and they are only increasing in magnitude. Cyber attacks are becoming more frequent, and the losses from a successful cyber breach are only becoming more devastating. Reports have found that cyber attacks increased 50 percent in 2021 compared to 2020, and each cyber attack is also getting more costly, with a further report from IBM demonstrating that the average total cost of a cyber breach increased to over $4m in 2021 – the highest ever recorded. Another 2021 study found that the most common form of attack was compromising usernames and passwords. With these findings, we would conclude that the magnitude of the cyber security threats facing companies today cannot be overstated, especially as companies are vulnerable to a wealth of cyber breaches that could have a potentially devastating financial impact.
Jones: Unfortunately, hackers are determined in their quest to disrupt, and we are continuously seeing new and innovative attack methodologies emerge. The buzzword of recent years is ransomware, but phishing, man in the middle, distributed denial of service (DDoS) and zero-day exploits are also causing significant harm. While we do still see data as a key target for hackers, who often hope to leverage the sensitivity and regulatory pressures for financial gain, data-rich organisations are by no means the only targets. We also see attack methods targeting OT, aiming to halt production systems. In these environments, systems are often vulnerable due to their ‘end of life’ status and have limited monitoring and response in place, thus providing a lower barrier of entry for the attackers. While there is promising evidence of improved cyber security across the board, there is still some variation, often influenced by the level of regulation in the given territory or industry sector.
Aaron: Threats are a function of an adversary’s capabilities and intentions. When adversaries consist of nation-state actors, we must view threat levels in the context of what is going on in the world. Tensions between Russia and the west are high. Cyber attacks are part of Russia’s ‘grey’ arsenal as they fall short of ‘acts of war’ under traditional definitions and attribution is not always clear. Russia has shown a particular interest in cyber attacks that cause physical effects by targeting OT in critical infrastructure, including in the US. Ransomware continues to proliferate, and hybrid operations are becoming more common. Malicious actors have added data theft to their extortion plots. Even victims that can restore their data risk disclosure of internal and customer data. In that environment, companies remain vulnerable to the extent that they do not or cannot protect themselves against threats. OT in particular is difficult to protect once there is a pathway from the internet to machine controllers; that technology can be difficult or impossible to patch or update, and can be costly to replace.
John: In our Digital Defense Report 2022, we outlined a number of key trends that show that the threat continues to increase for organisations. We have seen a continued increase in various levels of attack. The volume of password attacks has risen to an estimated 921 attacks every second, which is a 74 percent increase in just one year. We are seeing the continued rise of ransomware and extortion with ransomware as a service (RaaS) and cyber crime as a service (CaaS) driving more mass-market adoption of criminal activity. The median time it takes an attacker to access your private data if you fall victim to a phishing email is one hour 12 minutes and the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is one hour 42 minutes. Criminals are also targeting internet of things (IoT) and OT in attacks ranging from criminals using them for crypto mining to nation states attacking critical infrastructure through OT devices. OT devices exposed to the internet, often with default usernames and passwords, mean that these can constitute a genuine risk to networks. Many OT devices still ship with insecure firmware.
Ahuja: The cyber security threat to companies is at an all-time high due to the sheer amount of data that is online. And despite every year seeming to be another record high, the cyber security threat will continue to grow because of the increasing trend to move even more data and activity online. The only recent dip in the cyber security threat was this past year. At the start of the conflict in Ukraine, the number of cyber attacks in the US or affecting US-entities had materially waned, with cyber attacks instead focused on Russian or Russian-affiliated targets or Ukrainian targets. But within the last two to three months, we are witnessing a sharp uptick in cyber attacks in the US and against US- affiliated entities.
“The purchase of cyber liability and D&O insurance policies will provide D&Os some peace of mind. It is, however, essential that these policies are reviewed side by side to identify any gaps in coverage.”
FW: What methods can companies use to evaluate their cyber risk exposure and determine the most suitable countermeasures to employ?
Hayes: Companies should take a proactive approach to cyber risk management, rather than a reactive one, as prevention is always better than cure. By taking the initiative to monitor their cyber risk profile, organisations can take quick action if a cyber attack takes place and reduce the risk of further cyber attacks occurring. To evaluate cyber risk exposure and make sure you are on top of your biggest vulnerabilities, the best approach is to cooperate with next generation cyber tech companies, which offer not only a one-off snapshot in the form of cyber risk reports, but more importantly provide continuous risk monitoring, which keeps an eye out for new and existing risks. Advisory teams and services can offer advice on how best to mitigate these risks before the worst happens.
Jones: When it comes to evaluating the cyber risk exposure of a business, it is wise to start with the basics. Ensure an understanding of cyber footprints through the establishment of an up-to-date asset inventory. Risk analysis can then begin. Start by considering the controls already in place, securing assets and identifying residual risk. Using cyber threat intelligence to inform analysis, consider how this residual risk suits the company’s risk appetite. Where risk exceeds tolerance levels, countermeasures should be deployed. Make sure to identify mission critical assets or crown jewels within the inventory. These items should be prioritised for deploying security controls. Concurrently, establishing a formal governance structure, and ensuring appropriate policies and standards are in place to direct business requirements, is essential. Ensure these are communicated throughout the business to drive continuity and implement frequent review processes to drive compliance.
Aaron: We favour including a cyber security risk assessment that looks at a company’s security posture from the perspective of an attacker. To be sure, there is a value to making sure that the core policy, technical and human elements of cyber defence are in place. But for companies that are more likely to be targeted or for which a successful attack could be catastrophic, it is important to engage a security company that will conduct threat intelligence research, aggressive and tailored ‘all-tools’ penetration testing, and use sophisticated methods known to be employed by malicious actors. To the extent that that risk assessment maps to legal and regulatory requirements and concerns, outside counsel can help guide the evaluation, prioritise remedial steps, and oversee a phased implementation of additional security measures. One area for particular focus is mitigating the exposure of unpatched and unpatchable OT, IoT and other devices on the network.
John: The threats that we see are here to stay, so it is important to ensure that we build cyber resilient organisations that are able to withstand attacks and continue to operate. Many of the incidents and attacks that we see across ransomware, OT, devices, data and infrastructure can be traced back to the lack of modern security capabilities. For example, 93 percent of our ransomware incident response engagements revealed insufficient controls on privileged access and lateral movement. Ninety-eight percent of all incidents and attacks that we see could be countered by basic cyber hygiene capabilities, including enabling multifactor authentication, applying the zero-trust principles, explicit verification, least privilege access, and ‘assume breach’, using modern anti-malware with machine learning and extended detection and response capability, keeping systems up to date, from firmware to operating systems (OS) to applications and protocols, and protecting data by knowing where your important data is and that it has the appropriate protection.
Ahuja: There are primarily four methods companies can use to evaluate their risk exposure and determine more suitable countermeasures to deploy: penetration tests, vulnerability scans, security assessments and tabletop exercises. Regular penetration testing allows companies to evaluate the security of their enterprise to identify exploitative vulnerabilities. The rule of thumb is that penetration testing should be done at least yearly, but its frequency truly depends on a company’s online presence. Vulnerability scans are superficial, but easy to do frequently, and allow companies to quickly patch for identified vulnerabilities. Security assessments permit companies to identify gaps in their security programmes. Finally, tabletop exercises allow companies to ‘practice how they play’. By putting their incident response plans to the test, tabletop exercises allow companies to determine what works in their plans and what does not. Incident response plans are only worth their effort to create if they provide value to the enterprise. If they are too long, or too detailed, or simply too confusing – and offer no practical solutions – a new incident response plan should be developed.
Bouloux: Firstly, modern businesses must build strong foundations for their cyber security programme. Government-run entities, such as the UK’s National Cyber Security Centre (NCSC) or the US’s Cybersecurity and Infrastructure Security Agency (CISA), are excellent resources for advice and recommendations for strategy and threat management. They even include up-to-date advice for the latest attack vectors or zero-day exploits. Once a company’s programme is operational, testing and training are key, particularly for responding in times of crisis. Each cyber professional should know their role and how to respond to a cyber event, and they should have a well-thought-out response plan. Additionally, the business should consider how it can switch over to other systems and resources to provide good business continuity. External support from cyber security and penetration companies can add huge value to the assessment and testing of a business’ cyber security. Bug-bounty programmes can also help by allowing ‘white hat hackers’ to help identify holes in the security framework to which businesses can then respond. Finally, there is an increasing emergence of third-party companies that specialise in 24/7 scanning of a company’s internet-facing infrastructure. They will scan a company’s virtual horizon and alert institutions to evolving threats and obvious issues. They also provide comparison scoring within a peer group, which helps reassure budget holders that IT spending is beneficial.
“Never believe that you have finished improving your security. Even if your attack surface does not change, new vulnerabilities will be identified.”
FW: With the uptick in cyber threats having led to a more stringent regulatory environment, how are companies coping with greater compliance requirements? How should they go about managing the cost and complexities involved in fulfilling their obligations?
Jones: Establishing a dedicated privacy team, in-house or outsourced, will undoubtedly help when it comes to delivering on compliance requirements. These dedicated functions are responsible for monitoring the regulatory landscape and driving compliance as required. For global companies, local relays in each territory will further ensure that all applicable compliance requirements are being considered and addressed effectively. To reduce related costs and complexities, mapping data flows and applying data classification will increase the efficiency of applying the appropriate security for each data type. Close communication with the IT and IT security functions to ensure privacy-by-design will also ensure compliance is embedded from the start, thus removing the need for costly remediation projects further down the line. Finally, regular engagement of internal and external audit functions to review compliance gaps will ensure that nothing is being overlooked in this field.
Aaron: One important step companies can and should take is accepting opportunities to contribute to the rulemaking process. Several US agencies have proposed new cyber security regulations and have requested public comment and input. The private sector should actively engage with regulators, for example to note areas in which companies are subject to redundant, contradictory or irrelevant requirements or where the costs of demonstrating compliance outweigh the security benefit of following a rule. More generally, we have seen companies taking steps to incorporate cyber security more into board briefings, more C-suite attention to cyber risk, and, perhaps most importantly, more interest in establishing relationships with incident responders, security vendors and government agencies before an incident occurs.
John: Taking a risk-based approach to cyber security and building cyber resilience is the most important factor. Many compliance requirements focus on doing the basics well and ensuring that cyber risks are understood and well managed. Pursuing a broader risk management perspective that includes compliance with regulation is more important than just having a checklist. Cyber security is not a project but an ongoing programme to build security into the DNA of the organisation.
Bouloux: Western governments have never been so open or communicative about the threats posed to citizens and their businesses. The cyber threat is moving higher and higher on the geopolitical agenda. As such, modern governments are at the forefront of identifying these threats, and how to defeat them – doing so through organic capabilities and trusted partners in the industry. Modern companies must learn to trust the advice of well-regulated and considered institutions like the NCSC. The requirements are increasing in complexity, but for a good reason, as these recommendations result from sound research, lessons learned and direct feeds from the world’s leading cyber institutions. Concerning the cost, it is vital that companies take time to consider the markets’ proposition and ensure they are fit for purpose. No one vendor is a one-stop-shop for managing cyber threats.
Ahuja: The general rule was that companies should be mapping out the technical requirements of all of their applicable regulations and monitor compliance across their entire enterprise. But the number and complexity of security laws has been rapidly increasing. Companies may find themselves taking risk-based approaches to compliance, focusing on the most rigorous standards first, as many companies did on the privacy side with the General Data Protection Regulation (GDPR). In this space, with the sheer number of laws spanning different geographical areas and industries, companies should be working with outside counsel to ensure compliance across all regulations and across all industries.
Hayes: The rate of cyber attacks continues to rise, meaning that cyber insurance is now a must-have for all companies, resulting in coverage becoming more costly and complex to obtain, and insurers making the requirements to be accepted for a policy stricter than before. The role of technology and solutions has therefore become essential to the cyber insurance application process, given the increase in stringency to the necessary criteria to be accepted for coverage. Companies can employ solutions to manage their application for them, enabling them to secure coverage at the best terms and price, as well as instant visibility of their cyber risk profile. Technology firms can offer continuous risk monitoring to reveal new and existing vulnerabilities, as well as one-to-one calls to guide companies through the insurance application and renewal process to help them secure coverage at the best terms and price, with the added benefit of improving their cyber risk profile and making them less susceptible to cyber attacks.
“The threats that we see are here to stay, so it is important to ensure that we build cyber resilient organisations that are able to withstand attacks and continue to operate.”
FW: To what extent is cyber risk climbing the boardroom agenda? Are you seeing more organisations creating clear cyber policies and disseminating them from the top down?
Aaron: The shift has been gradual in our experience, but particularly in small and mid-size companies that are not tech companies but which rely on technology to conduct business, we have seen more chief executives and chief financial officers engaging at earlier stages of cyber preparation and response. Requests from companies of all sizes for guidance on cyber security briefings for boards and board committees continue to increase. We expect forthcoming regulations for publicly traded companies and new rules specific to individual sectors to further raise interest at board level.
Ahuja: Cyber risk is increasingly climbing the boardroom agenda. Part of this is natural, given the material impact a cyber event can have on a company, but another part is due to regulation. Both the Securities and Exchange Commission (SEC) and the New York State Department of Financial Services (NYDFS) have recently issued rules and regulations, or proposed rules and regulations, regarding board oversight of cyber security. A recent proposed amendment to the NYDFS Cybersecurity Regulation mandates that the board needs to provide oversight and direction to management of the covered entity’s cyber risk management programme. Similarly, recent proposed rules by the SEC require cyber security expertise among the board. As a result of these realities, companies are witnessing a top down cyber security focus and a need to marry that focus with a company’s existing data privacy and cyber security policies.
Hayes: Company boards are increasingly being required to have information about the company’s cyber risks and enough base-level knowledge to make sure management is governing their data correctly. Many companies have improved their cyber security measures in the last few years, however the fact that cyber risks are climbing a company’s board agenda is sometimes as a result of a successful cyber attack. In an ideal world, a company would take a proactive approach to cyber risk management, but often such technical information is unable to convey in simple terms how to understand the risks and make decisions on this. This issue can be solved by risk reports which are simple and easy to understand. The most important thing is that the board’s concerns are met with clear explanations of the necessary next steps, and that they understand the risks facing the business and can make informed strategic decisions.
Bouloux: Read any established businesses’ annual report in 2022 and you can almost guarantee cyber is a key threat mentioned within their risk landscape. Boardrooms are now asking for updates and strategies for cyber threats with increased cadence and prominence as they know our reliance on technology is dramatically increasing.
John: Cyber risk has become a much more common topic within the boardroom. We are seeing organisations regularly discussing it at board level and working with their chief information security officer (CISO) to understand and clearly articulate policy. The question is often asked and the approach to managing this is maturing in many organisations. It is important for everyone to continue to do this.
Jones: Cyber risk, including the threat of both data breach and operational disruption, has consistently featured among the greatest threats to business for several years. Therefore, cyber risk is not a new topic within the boardroom but one that is now met with a greater level of understanding and willingness to invest. Positively, despite economic downturn and financial hardship during recent years, we have not seen cyber security budgets deteriorate. On average, we see anywhere from 7 to 15 percent of the total technology budget being dedicated to IT security, a monetary value that is increasing year-on-year. Clear cyber policies that are centrally managed and regularly maintained are something insurers look for as evidence of the right attitude toward cyber risk. However, we do still see elevated risk coming from mergers and acquisitions where adoption of these central policies can be delayed and lead to inconsistencies.
“The rate of cyber attacks continues to rise, meaning that cyber insurance is now a must-have for all companies, resulting in coverage becoming more costly and complex to obtain.”
FW: Could you outline the main risks that cyber issues pose to D&Os on a personal level? What measures should a company take to ensure that robust D&O liability cover addresses cyber security and data breaches?
Hayes: In the UK, directors of public companies bear responsibilities for compliance with the GDPR and personal liability for any fines, and in the financial services sector, the Financial Conduct Authority (FCA) closely scrutinises boards. We have seen examples in the US of class action lawsuits against D&Os personally, over their failure to take steps to prevent cyber breaches, as well as criminal investigations into directors and officers (D&Os) who sell stock before a data breach is disclosed, resulting in insider trading. A well-placed D&O policy should respond in case D&Os are faced with cyber-related investigations. Boards should be proactive by establishing a cyber security governance structure, hiring the right professionals, implementing effective cyber risk management, and crafting a data breach response plan. These steps will help support due diligence defence if cyber attacks lead to litigation against D&Os personally.
Bouloux: Anyone who can authorise change, allocate budget spend, impact a company’s reputation or be exploited for privileged access, must be aware of the modern cyber threat and their role and responsibility in mitigating such threats. Organisations are becoming increasingly reliant upon technology to provide goods and services. The reality is that many organisations are walking the tightrope between needing to invest in technology and managing business impact assessments that demonstrate that outlined investment corelates directly with an exponentially higher potential for catastrophic disruption to operations. The fiduciary duty of D&Os is not only tied to ensuring that the correct IT and OT investments are made to maximise the return on investment and yield the appropriate return to investors, but also to ensure that the infrastructure is sound and protected, minimising any potential impact of a cyber event. The role is undoubtably demanding and can leave leaders of modern enterprises very exposed. The challenges of managing these exposures are further complicated by the industry, the type of data collected, the geography of operations, and a host of other factors unique to each organisation. Traditional D&O policies, by default, will protect the actions of the insured in managing the platforms needed to drive the organisation, provided they adhere to a standard of duty of care and loyalty in doing so. This means that they cannot be seen to be negligent in making these decisions, and therefore will be expected to be investing accordingly, not only in security but in a culture of staff engagement and accountability too. Further, as data assets become more valuable, it is important to ensure that D&Os are not complicit in allowing the wrongful collection, misuse or inappropriate selling of data – all actions which could be interpreted to be criminal, and therefore excluded under a D&O policy, leaving the individual personally liable.
John: There are regulatory risks if D&Os have not been seen to take due care to protect their environment. Taking a risk-based approach and being able to document robust decision making that focuses on the protection of personal data and infrastructure will help with demonstrating that the right thing has been done. Engaging with your security teams and treating them as a true partner in understanding and managing technology risk is important.
Aaron: One important area of D&O risk is that D&Os may be targeted because of their greater access. They could be targeted in their individual capacity because of high net worth, but they are also attractive targets based on their official roles. Their communications could be compromised so an actor can transmit fraudulent instructions, such as wire transfer instructions, that purport to be official requests. Or their access to intellectual property (IP) and other business information could be exploited. When it comes to liability protections, it is important to obtain expert reviews of policies that cover cyber risk. When you have seen one policy, you have seen one policy. There is no settled-upon industry standard, including when it comes to risks presented by potential nation-state actors. With multiple variables when it comes to the origin and nature of an attack, and numerous possibilities for downstream consequences, it is critical to look at the coverage and exclusions of a given policy. D&Os must also be educated about personal cyber self-defence. Basic security measures such as multifactor authentication (MFA) are becoming more common and user-friendly. Cyber self-defence needs to be seen as part of everyday life, like a home alarm system, and not as something reserved for the paranoid, techie and ‘tin-foil hat’ crowds.
Jones: While headlines prove that even the most well-run companies can fall victim to cyber attacks, the personal financial risk to D&Os arises where it can be argued that the loss can be attributed to a failure in their fiduciary duties by, for instance, not implementing and executing a robust cyber strategy. In addition to the risks cyber issues pose to business continuity, depreciation of share price and threat of ensuing shareholder action, D&Os must also consider the personal reputational harm they could suffer as a result of unfavourable media coverage. There is also the emerging concern that alleged data breaches will result in criminal proceedings, although this threat varies by territory. The purchase of cyber liability and D&O insurance policies will provide D&Os some peace of mind. It is, however, essential that these policies are reviewed side by side to identify any gaps in coverage. Once these gaps are identified, D&Os can consider how they can minimise, manage and retain this risk.
Ahuja: D&Os are often targets in social-engineered hacking. In order to ensure that companies have insurance in the event of D&O liability, companies should work with their outside counsel and brokers to review insurance policies and ensure that, at a minimum, their standalone cyber coverage policies cover D&O activities and that their D&O-specific policies consider cyber events.
“Cyber risk is increasingly climbing the boardroom agenda. Part of this is natural, given the material impact a cyber event can have on a company, but another part is due to regulation.”
FW: What essential advice would you offer to companies on implementing effective strategies to mitigate cyber risk and strengthen their defences?
John: Focusing on cyber resilience is very important. Make sure that you are managing the basics well and have good ongoing operational procedures. Advanced security is built on a strong foundation, and many threats can be managed by doing this well.
Ahuja: At a macro level, companies should be implementing cyber risk management programmes – penetration testing, risk assessments, vulnerability scans and tabletop exercises. On a more granular level, however, companies should be requiring MFA on their email system and virtual private network (VPN). In addition, given the increase in social engineering hacks, companies should be training their employees on social engineering hacks, phishing and, increasingly, vishing.
Jones: Underpinning a cyber security strategy with a robust framework will provide a strong foundation on which to base any strategies, the National Institute of Standards and Technology (NIST) cyber security framework and the International Information Security Standard (ISO 27001) both being popular and well-respected choices. Once implemented, cyber security frameworks and the policies and standards that enforce this must be regularly reviewed to ensure they remain fit for the current threat landscape. Cyber security is not a one-off project. On a more granular level, however, there is definitely a set of core controls that insurers view as beneficial for all organisations to mitigate their cyber risk, which have been proven to correlate with reduced claims experience. By no means an exhaustive list, these critical controls include secure backups, MFA for all remote and privileged access, endpoint detection and response (EDR) on all endpoints and servers, strong email security, regular training and awareness, and formalised and tested business continuity plans, including cyber incident response and disaster recovery.
Aaron: First, never assume that you are not a target, and never underestimate the creativity of malicious actors. Sophisticated tools that used to be available and usable only by equally sophisticated actors are now making their way into the wild. That means that weapons that were formerly wielded only by relatively well-regulated organisations that were tethered to governmental strategic interests will become the tools and tradecraft of less disciplined actors who may not fully understand what they are using. That combination can be highly dangerous. Second, never believe that you have finished improving your security. Even if your attack surface does not change, new vulnerabilities will be identified, new exploits will be developed and, hopefully, new patches will be pushed out. Threat intelligence monitoring can help understand your risk level and raise flags when that level jumps. Finally, companies must recognise the importance of complying with rules and frameworks but take compliance as a starting point. Ask an expert whether compliance reduces your risk to an acceptable level. It might, but it might not, and limiting yourself to compliance might leave a gap in your defences that it would be cost-effective to mitigate.
Bouloux: Listen to experts and heed their advice. Cyber security professionals know their stuff. They have years of education and experience behind them and are dialled into the modern methods and toolsets that are being exploited in the here and now. With their advice in hand: stop, pause and assess. Form a robust strategy based on expert advice. Secure ample funding, then decisively implement at pace. Beyond this, be sure to revisit your cyber security efforts as much as financially permittable. Failure to do so will only result in a rapidly obsolete cyber security programme.
“Western governments have never been so open or communicative about the threats posed to citizens and their businesses. The cyber threat is moving higher and higher on the geopolitical agenda.”
FW: Looking ahead, how do you expect cyber threats to evolve over the coming years? What long-term trends do you expect to see in the way companies respond to protect their data, devices and critical infrastructure including physical machinery?
Bouloux: Let us treat cyber security threats like the evolved modern weapon systems of today. A decade ago, cyber weapons and tools were akin to the biplanes of World War I. They were useful and provided insight and intelligence, but they did not stop the battles of the trenches. Today’s cyber tools are like modern fighter jets that can dominate large areas of the battlespace and be used to dramatically impact the outcome of modern conflicts. Modern cyber tools are dramatically more complex than ever before and have a much greater effect on the environment around them. Machine learning will play a huge role in the next evolution of cyber threats. In 2022 any user can log onto a multitude of websites and ask artificial intelligence to paint a complex picture, in any style, from a few simple keywords. It is not too long a jump to suggest that the same could be asked of an intelligence system to create cyber tools from observations of existing codes. Businesses must keep a close eye on the latest iterations of cyber security capabilities. Additionally, and where possible, they should collaborate with their industry peers and government bodies to share and identify best practices in defeating malicious threats.
Jones: No one can talk with authority around the forthcoming cyber threats, but it feels a safe bet that the risk will not diminish anytime soon. I would suspect the continued, and increased, sophistication of current-day threats, including ransomware in all its forms. There is also speculation that a reduced success rate of extortion demands will drive an increase in more traditional business email compromise and ‘man in the middle’ attacks to obtain funds though fraudulent diversion. Zero-day vulnerabilities are also expected to increase in both frequency and severity. Longer-term initiatives to enhance cyber security seem to have shifted toward an assumed breach mindset, with a focus on impact management. Increasing importance is being placed on secure backups to enable secure and timely restoration, implementing network segmentation to control blast zones, and the concept of zero trust. The uncertainty highlights the importance of horizon scanning, threat intelligence, information sharing and collaboration.
Aaron: Two important and related areas of evolution are the availability of multiple families of tools becoming available as a service or commodity and the deployment of existing tools in novel ways. Ransomware is a good example of both phenomena. Powerful ransomware can be customised and used by, or for, relatively unsophisticated and undisciplined actors. The ‘brains’ behind the malware itself can stay safer by essentially licensing their product to frontline bad actors who take on more risk. Those bad actors may or may not understand the tools they are using and how destructive they can be. In addition, ransomware can be used by actors who are not motivated by the ransom, rather, they are interested in the crippling effect of encrypting key data. Those impacts may be felt most in critical infrastructure. Hospitals, refineries, power grids and financial systems, for example, could suffer devastating attacks that shut down key services and result in property damage, economic ripple effects, injuries and even deaths. In the US, we are seeing more of an effort to focus on vulnerabilities in critical infrastructure, industrial control and safety systems, and OT, which all present risks and vulnerabilities that are distinct from IT systems. We expect to see more focus and resources devoted to OT protection, and we hope that that occurs before a major attack demonstrates the urgency of making that investment.
John: We will continue to see the expansion of cyber crime and cyber threats because digital technology is essential to the operation of the modern world. As we develop new technologies such as machine learning, metaverse interactions and quantum computing, the threats will move toward that environment. To best protect data, devices and critical infrastructure, focusing on resilience of the environment is essential. As you invest in new technology and capabilities, always model the possible threats alongside the opportunities to ensure that you are building as robust a system as possible that is able to enable you to protect against, detect and respond to threats in a timely manner.
Ahuja: Offence is always easier than defence in cyber security. Because of this, companies across the globe are adopting a zero-trust security model. This involves verifying explicitly, by making security decisions based on all available data points, including in the supply chain. Using least privilege access, such as limiting access with just-in-time and just-enough access and risk-based access policies. And assuming a breach to minimise the blast radius with segmentation and end-to-end encryption.
Hayes: Ransomware attacks have long been a significant peril, causing disruption and damage to critical infrastructure industries, businesses and individuals all over the world, but it was recently referred to by a UK government minister as “a national security threat”, a level of concern inspired by the growing popularity of the RAAS threat, a subscription-based model that enables cyber criminals to easily deploy ransomware attacks with little to no coding experience. Another trend we expect to continue and accelerate in light of this is triple extortion attacks. Triple extortion aims to maximise the financial gain of successful ransomware attacks. Malicious actors demand ransom from the initial target organisation as well as the victim’s clients, partners or suppliers. The threat of supply chain attacks will also continue to cause destruction, disruption and substantial financial losses. We expect this trend to increase as cyber criminals target service or software providers to gain access to their interconnected and globalised networks. Cyber risks are not going anywhere unfortunately, but companies can take steps to ensure they pose as little of a threat as possible. Incorporating continuous risk monitoring and risk management into your defences will enable you to be proactive in your approach to cyber safety and reduce the risk of falling victim to an attack.
Jamie Bouloux is the founder and chief executive of EmergIn Risk. The company specialises in providing bespoke insurance solutions for cyber, tech E&O and media. He provides proven leadership and insight on cyber risk that goes beyond the immediate and into the deeper issues facing business today. He holds a BA in economics and history from Franklin and Marshall College. He can be contacted on +1 (917) 488 8111 or by email: jamie.bouloux@emerginrisk.com.
Jasmeet K. Ahuja is a litigator at Hogan Lovells US LLP, working on the cutting edge of cyber security litigation and data breach counselling for high-profile clients across all industries. She leverages her engineering background and her experience in national security at the Pentagon, State Department and Capitol Hill to successfully lead her clients through complex data privacy matters and class action litigation. She can be contacted on +1 (267) 675 4667 or by email: jasmeet.ahuja@hoganlovells.com.
Melanie Hayes is the co-founder and chief marketing officer at KYND, the next generation cyber risk management company. Her career spans over 20 years with experience in the luxury retail, food and technology sectors for companies such as Experian and ADM and includes creating an industry first e-commerce site and delivering award winning marketing campaigns. She can be contacted by email: mhayes@kynd.io.
Siân John MBE is a senior director in security business development at Microsoft. She leads a team focusing on developing opportunities for Microsoft to deliver new managed security, compliance and privacy offerings to market. She has worked in cyber security for 25 years across strategy, business risk, privacy and technology. She is a fellow of the UK Chartered Institute of Information Security and was awarded an MBE in the Queen’s 2018 New Year’s Honours List for services to cyber security. She can be contacted on +44 (0)118 909 4786 or by email: sian.john@microsoft.com.
David Aaron is a litigator and counsellor on cyber security, privacy and national security matters. He is a former national security prosecutor and intelligence attorney at the US Department of Justice. His experience includes investigating and prosecuting cases involving Espionage Act violations, malicious cyber activity such as data breaches, botnets and destructive attacks, economic espionage, insider threats, undisclosed foreign government influence, and export control violations. He can be contacted on +1 (202) 654 1723 or by email: daaron@perkinscoie.com.
Christie Jones joined Tokio Marine HCC’s cyber team in 2019, with a focus on the UK and international markets. She is also involved in developing the firm’s cyber offering across the globe and sits on the product think-tank committee. She holds a bachelor’s degree from Exeter University in French and international management and has completed the ACII. She can be contacted on +44 (0)20 648 1315 or by email: cjones1@tmhcc.com.
© Financier Worldwide
THE PANELLISTS
EmergIn Risk
Hogan Lovells US LLP
KYND
Microsoft
Perkins Coie LLP
Tokio Marine HCC