As cyber criminals’ methods become increasingly sophisticated and their ability to launch attacks with seeming impunity continues, the repercussions for businesses, from the smallest to the Fortune 50, cannot be overstated. Potential targets are not limited to those that have personally identifiable information, personal health information or customer credit card data. In fact, some of the largest cyberattacks over the last two years have not involved the mining of such information at all. Rather, these attacks have either shut down or materially interrupted vital infrastructure, health systems, financial companies and all means of the manufacturing process, including construction, supply chains, distribution and sales.
The FBI and Department of Homeland Security’s Feb. 17 warning of anticipated cyberattacks against U.S. (and Ukrainian) governmental and commercial networks in the wake of Russia’s invasion of Ukraine, which has now come to pass, highlights the dire circumstances being faced worldwide. Any business that interacts with or depends on the internet for its existence is a target, regardless of size.
The impacts of such attacks take any number of forms, including: malware, including ransomware (which disables the ability to access IT systems until a ransom is paid); business interruption (income lost because of the inability to access systems); data restoration (reconstructing “lost” company and customer data); social engineering/phishing (loss of money based on the impersonation of a colleague, client or vendor); regulatory fines and penalties; liability to third parties if their information is compromised; and reputational harm. Estimates for losses for these events runs anywhere from $20 billion in ransomware costs alone for 2021 up to trillions of dollars being spent by 2025 to respond to and fight all manner of these attacks.
The Tools to Mitigate Cyber-Related Events
Despite (or perhaps because of) these grim predictions, it is vitally important to remember that myriad tools can protect businesses against and mitigate the impact of cyber-related events.
Internal Controls
Due to the sheer number of attacks, cybersecurity experts have been able to identify many of the key vulnerabilities that criminals manipulate to gain entry into computer systems, and how to fix them. That list includes:
- Multi-factor authentication tools to safely access internal computer systems
- Robust desktop security protocols, including: virtual private networks, data encryption, complex passwords, firewalls and restricted access to admin rights
- Active management of systems and configurations
- A continuous hunt for network intrusions and third-party exposure threats
- Immediate updating and upgrading of software
- Development and use of a system recovery plan, including regular testing of backups for data integrity and restorability and preparation and annual testing of incident response/ business continuity plan
As this list indicates, system and information security is the key to avoiding (or at least mitigating) cyber-related risks. Whether through dedicated in-house personnel, engaging with an outsourced cybersecurity firm or having those groups work in tandem, companies can see many vulnerabilities and address them as an enterprise-wide project. While there is no “one size fits all” approach, and it is a true investment of both capital and manpower, companies must at least do an initial assessment of their cybersecurity policies and procedures. The biggest mistake companies make is believing that they are not a target because of their industry, their size, their revenue or their footprint. Everyone is a target, so these issues simply cannot be ignored.
See also: Tips for the Hybrid Work World
Insurance
Another key mitigation tool is purchasing a cyber insurance policy, which allows businesses to transfer risks associated with cyber-related security breaches to first-party reimbursement (e.g., loss to the company itself) and third-party indemnity (e.g., liability claims against the company and regulatory proceedings). A robust cyber policy is structured around helping the company recover and handling the costs that are associated with an attack.
The purchase of insurance will often also act as a catalyst for implementing the tools and processes described above. Cyber insurance carriers are increasingly demanding that many of the items described above be in place or be on track to be put in place before they will even issue a quote outlining the costs and coverages potentially available. Carriers will assess: possible risks pertaining to the company; the strength of cybersecurity controls; and compliance with legal and industry standards. Companies must be transparent during this application and review process, so issues do not arise in the event of a claim.
No insurance policy is worth the premium paid if it is not available in the event of a loss. As ransomware emerges as one of the more profound financial and operational interruptions affecting businesses and insurance companies worldwide, it’s imperative to seek an independent risk advisor who can serve as a sounding board and help navigate through the various and sudden risks facing enterprises globally.
