Tag Archives: cybersecurity

Aggressive Response to Ransomware

Ransomware attacks are increasing at an alarming rate — Colonial Pipeline, JBS and now McDonald’s, where cybercriminals stole some data. And those are just a few of the growing number of cybersecurity breaches being reported.

According to the Institute of Security and Technology, victims paid $350 million in ransom in 2020, more than four times the amount in 2019. Around 2,400 government organizations, healthcare facilities and schools in the U.S. were reportedly attacked.

The economic impacts from these evolving cybercrimes are massive. Apart from the loss of money paid in ransom, companies and governments have to go through several additional challenges, such as service downtime, loss of private data and recovery cost. 

This surge in ransomware attacks highlights the urgency in dealing with the national security threat before it gets out of control. Businesses should carefully evaluate every potential alternative available before paying the ransom. When hackers succeed in extortions, these kinds of crimes become more attractive. And there is no guarantee that the hackers would give the decryption keys even if a ransom is paid.

The government organizations and the private sector should work hand in hand to deal with cyberattacks and ensure data is recovered without paying a ransom. Companies should keep law enforcement agencies in the loop when tackling a ransomware attack and support the administration in disrupting the hackers’ network. There should be an aggressive, joint strategy and an unbreakable security network to combat these cybersecurity challenges.

Meanwhile, a collaborative global effort involving governments and security agencies is crucial in the fight against cybercrimes. Nations should aggressively investigate and prosecute cybercriminals operating from their land. Governments should use strategies, such as sanctions, to pressure countries refusing to act against cybercriminals.

See also: What’s Next for Ransomware

The increasing number of cybercrimes could also be exposing the security loopholes in the companies’ network with employees working away from the office. Most businesses are operating remotely these days. It is important to note that not all business has the right security system in place, as they were unprepared for a sudden work-from-home migration when coronavirus struck. Organizations should implement security protocols, such as multifactor authentication, endpoint detection and response and data encryption, as well as prepare a plan to deal with these kinds of security threats before it strikes.

Another aspect to note in the recent cyberattacks is that the criminals seem to prefer cryptocurrency, which makes it difficult for law enforcement agencies to track criminals behind transactions. It is high time that the government enforces strict guidelines to ensure that the crypto exchanges follow processes such as Know Your Customer.

Wake-Up Call on Ransomware

The ransomware attack that shut down the 5,500-mile Colonial Pipeline, the largest fuel pipeline in the U.S., contains two important seeds of opportunity.

First, the federal government looks like it may get much more involved in preventing or at least prosecuting cyber attacks, specifically for important infrastructure like pipelines and electric grids, but perhaps more broadly, too.

Second, the attack raises the profile of the ransomware problem to the point that insurance clients may no longer be able to ignore it — which they mostly have even as ransomware activity quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, according to Aon. This higher profile will create the opportunity for insurers to work with clients to finally step up their defenses.

Let me be clear, lest I come across as Polyannaish: This was a serious assault on a major piece of infrastructure and will likely result in higher gasoline prices, at least in the eastern half of the U.S. The attack also raises the prospect of devastating assaults on other pieces of key infrastructure, both in the U.S. and around the world. In addition, because the ransomware attack was arranged by a criminal ring in Russia, the attack brings into play all sorts of geopolitical issues that go well beyond what happens when some lone criminal hacks his way into a single corporation.

I’m merely suggesting that good things could also come out of the attack by the DarkSide group in Russia, because it underscores two problems that have long been obvious but that have somehow been ignored. The actions spurred by the attack won’t be perfect solutions by any means, but they should help.

The main action looks to be an aggressive response by the federal government, which has struck me as too passive as criminal gangs have greatly stepped up their ransomware attacks. There are limits to what the government can do against international gangs like DarkSide — it’s not as though President Biden can just call Vladimir Putin to complain and have him say, “Oh, sure, I’ll get right on it” — but having the Feds in the game should help a lot.

The other main action — the big opportunity for insurers — will occur because companies will increasingly see their vulnerability (finally!) and request help from the experts: the insurance companies that deal with cyber issues every day.

Thought leaders have been warning about ransomware for ages here at ITL — look at “5 Questions That Thwart Ransomware,” “A Dangerous New Form of Ransomware” and “Ransomware Becomes More Pernicious.”

Look, in particular, at this recent article: “How to Combat the Surge in Ransomware,” from Tokio Marine HCC’s Cyber and Professional Lines Group. It describes what I think is the ideal approach for insurers assisting their clients, not just by selling insurance but by helping them reduce their risks — steering clients toward state-of-the-art tools (priced based on the insurer’s bulk discount) that monitor vulnerabilities, toward using multi-factor authentication, toward training, etc.

As long as the bad guys have shown they can work together and take down big targets like the Colonial Pipeline, the good guys need to work together, too. That surely means more help from the federal government on what is a national and, increasingly, international problem but also means insurers need to step up and deliver the sort of expertise and counsel that they possess uniquely and that define the industry’s noble purpose.



P.S. Here are the six articles I’d like to highlight from the past week:

Workers Comp Trends for Technology in 2021

An efficient workflow passes 60% to 70% of medical bills straight through; workers’ comp has a long way to go.

Are Your Healthcare Vendor’s Claims Valid?

This article, the first in a series, looks at how regression to the mean is often misused to justify false claims about the success of wellness programs.

4 Ways to Seize the Latent Demand

Consumers recognize now more than ever the importance of adequate insurance coverage. Now is the time to seize on this opportunity.

Time to Reimagine the Finance Function

What’s possible for finance has been redefined: Comprehensive data makes it easier to connect performance across the business.

Tapping Into Life, Health Innovation

Those who welcome outsider participation in innovation can unlock new solutions without needing to reinvent their current businesses.

Insurance and Financial Protection

If the life insurance crisis is hard to understand, we must make it easy to comprehend. The insurance industry must lead us through this crisis.

6 Cybersecurity Threats for Insurers

The connectedness of everything – assets, people, business and commerce – has increased the severity and frequency of cyber attacks. The insurance sector faces a bigger threat than most industries because insurers deal with extremely sensitive data. Several insurance companies, such as Premera Blue Cross and Anthem, have experienced significant data breaches over the past years. However, these are not the only insurers affected. A report by Accenture shows that an average insurance company receives over 100 cybersecurity attacks each year, with 30% of the attempts being successful.

As an insurance leader, being aware of the potential cybersecurity threats puts you in a better position to adopt the right prevention measures. Here are the top cybersecurity threats in the insurance sector that you should know.

6 Cybersecurity Threats for Insurance Leaders

1. Cloud Vulnerabilities  

Cloud data access and storage has become a common practice for many people. However, this practice can increase the risk of a data breach. You can be susceptible to denial of services (DoS) and account hijacking attacks. With such attacks, hackers can access and tamper with your company’s data while preventing your team from accessing it. This threat can be prevented by implementing an extensive cyber risk management plan.

2. Patch Management

If your insurance company is using outdated software, you have a higher risk of cyberattack. Most cybercriminals exploit software vulnerability to access and steal company information. Failing to update your software patches makes your organization vulnerable to numerous data breaches.

Cybercrime vulnerability can be through something you consider as minor as the computer operating system. For instance, most organizations became exposed to cyber-attacks in 2018 for failing to update their Microsoft Office software following a patch release for Eternal Blue vulnerability. Therefore, it is advisable you stay up-to-date with any software you are using in your organization to avoid costly attacks.

3. Social Engineering

With the increase in social interactions, cybercriminals are exploiting such opportunities to launch social engineering attacks. Deception is the major aspect of such attacks. Usually, these criminals use trickery and manipulative approaches to lure individuals into taking various actions. For instance, you can be lured to disclose sensitive information or even bypass set security measures.

Social engineering threats are high because targets simply give hackers access to the system. Thus, it is hard for you to prevent these crimes with cybersecurity systems. However, regular training on cybersecurity is necessary for ensuring that your team members know how to detect and prevent such crimes.

See also: A Novel Approach to Cybersecurity

4. Ransomware Threats

If you thought it was only individuals who can be held hostage, think again, because your computer systems and data can, too. Ransomware attacks are some of the serious cyber threats you should worry about in the modern era. A report by the U.S Depart of Homeland Security reveals a rising number of ransomware attacks. The hackers attack your network and prevent you from accessing any data in it until a certain amount is paid. Such attacks are associated with significant losses. For example, besides the immediate losses, a ransomware attack can lead to huge monetary damages because of lost data and loss of productivity.

5. Third-Party Exposure Threats

The use of third-party services is a common practice nowadays, especially for payment processing. Most organizations do not take the necessary precautions when engaging in third-party transactions. Even where the party you are transacting with does not handle personal data directly, it can put your organization at risk of attack.

Hackers are using malware to access personal data, such as credit card numbers and Social Security numbers, through third-party companies. Therefore, it is important to take all the necessary precautions when dealing with a third-party vendor. For instance, inquire about their policy on data breaches and find out whether they have any measures in place to prevent cybersecurity attacks.  

6. Outdated Hardware

There is a common misconception that cybersecurity threats have to come from software. If you are using outdated hardware, your company data is vulnerable, too. With the increasing rate of software updates, some hardware may find it challenging to keep up. Obsolete hardware may be difficult to accept the latest security measures and patches. In such cases, your organization’s data is exposed; hence, at a high risk of cyberattack. Therefore, it is critical to regularly check your devices and replace any obsolete ones to avoid outdated hardware-related cyber-attacks.

See also: The Missing Tool for Cyber Resilience

Holistic Risk Management Plan

There you have it – a comprehensive overview of some of the top cybersecurity threats in the insurance sector. Evidently, as technology advances, insurance companies will continue to face different forms of cybersecurity threats.

While there might not be a one-size-fits-all approach to address or prevent cyber threats, being knowledgeable on the various cybersecurity vulnerabilities can help you adopt better risk detection and prevention measures. Therefore, make sure to adopt a holistic management plan to stay away from most of these threats.

Navigating Security in the Remote Paradigm


The current remote work situation has brought to light a three-part problem around security. First, it has created challenges in defending against traditional threats – both physical and information security. Second, emerging technologies promise new threats that will be all the more difficult to counter in remote settings. Third, the body of regulations mandating security measures vis-à-vis personal data is growing. Liability for breaches does not abate due to the current circumstances. The inherent vulnerabilities of the remote situation paired with likely advances in adversary tactics and threats from emerging technologies will challenge organizations to meet their regulatory security obligations. In this article, I will give an overview of these problems in isolation and discuss how they might combine. Finally, I will suggest some measures to take to begin to deal with this predicament. 


At its core, a security program’s goals are the protection of life and the maintenance of the confidentiality, integrity and availability of information. 

The recent widespread shift to off-premises work has two primary distinguishing features from a security perspective: It expands or eliminates the organization’s physical perimeter and necessitates remote access to corporate networks as well as a far higher degree of dependence on information systems for communication between employees. These factors upend an entity’s normal process of security assessments and controls and create fertile ground for both traditional and emerging threats. With unsupervised personnel and data dispersed to uncontrolled locations, using various means to access organizational networks, numerous varieties of threats abound.

Categories of vulnerabilities and threats for which there were standard controls and processes in the traditional setting require rethinking in this new reality. Likewise, emerging technologies pose novel threats. We can expect adversaries to continue to adapt to changing conditions of work by capitalizing on physical vulnerabilities and developing increasingly sophisticated and clever implementations of both existing and new technologies. 

At the same time, targeted organizations and individuals continue to bear the costs and liabilities of adversary actions. Victim entities may suffer direct losses from attacks. In addition, cybersecurity requirements related to privacy and penalties for failure to comply grow with each new law without regard to the remote work situation. This creates a difficult bind for defenders and all types of enterprises and individuals who control the data of others. 

There are, however, steps that can be taken to address these concerns. Now, more than ever, defenders will see the advantage of relying on skilled security personnel and cross-disciplinary leaders and teams as well as adopting an approach to security that recognizes that cyber and physical security are intertwined.  

While the long-term status of the recent shift to work-from-home remains unclear, inherent vulnerabilities of the remote paradigm combined with threats based on new technologies present an opportunity for reflection on the status of future contingency plans and demand the attention of executives, counsel, security professionals and insurance providers now. 

How the Remote Paradigm Interacts With Security for Traditional Threats  

Effective security programs apply technical, physical and administrative controls or countermeasures to assessed vulnerabilities, threats and risks. While not always uniformly or well-applied, and noting that threats are continually evolving, standards are generally well-developed in the context of traditional workplaces and often in the case of small groups of workers who require remote access, such as members of sales teams and business travelers. 

The remote paradigm expands or eliminates the physical perimeter and forces remote access and communication, with serious significant consequences for security controls. 

In very general terms, an expanded perimeter leads to: 

  1. Less physical control over information systems and data
  2. Technical/physical vulnerabilities (e.g., potential adversary access to residential Wi-Fi) 
  3. Less physical security over personnel (e.g., threats to their physical safety) 
  4. Less supervision over staff 
    1. complicating application of administrative controls such as job rotation 
    2. greater potential for problems from insider threats – both witting and unwitting 

In equally general terms, remote access and communication means: 

  1. Inherent technical vulnerabilities to data – both at rest and in transit 
  2. Proliferation of endpoints and lack of control over these 
  3. Reliance on communication between remote users and the need for out-of-band communication
  4. Communications involving proprietary data (e.g., trade secrets) and sensitive activities (e.g., engineers working on live systems) that normally occur in controlled settings and may now be conducted remotely
  5. Increased reliance on, and accelerated migration to, the cloud 

Organizations have established processes for addressing traditional threats in the context of the status quo. The remote paradigm entails significant changes to the security process. Categories of vulnerabilities, threats and risks that are relatively well-managed in an on-site setting must be reconsidered when the whole enterprise is operating remotely. Adversaries are left to their imagination in ways to overcome whatever security measures may (or may not) be in place in the many home offices from which employees operate. 

Beyond considerations around configuration management, security professionals must be aware of the potential presence of Internet of Things devices such as smart appliances and smart speakers that may have implications from both a technical and physical security perspective.

In addition, two newly established threats can have significant potential ramifications in a remote environment. In “Zoom bombing,” someone who is not supposed to be involved in a meeting can disrupt it, eavesdrop or alter the message. In other words, the person can interfere with the confidentiality, integrity or availability of information. Secondly, a well-made deep fake can be very damaging to an organization if, for example, it falsely portrays an employee acting in a way that runs counter to the entity’s interests. These threats are particularly problematic in remote settings because communication and public messaging is complicated and potentially interfered-with. 

See also: Getting Back to Work: A Data-Centric View

Emerging Threats 

At the same time as the remote paradigm complicates existing threats, new threats are on the horizon with emerging technologies. As with traditional threats, emerging threats will pose more of a problem in the remote environment. Here, we will consider some potential malevolent applications of quantum computing, artificial intelligence/machine learning (AI/ML) and real-time deep fakes. 

Both quantum computing and AI/ML are broad new technologies with myriad potential beneficial implementations as well as malevolent uses by adversaries. 

Practical applications of quantum computing are not yet reported to be in use outside of a laboratory setting. However, there is a quantum arms race underway due in large part to the fact that quantum computing will revolutionize cybersecurity. Quantum computing is predicted to make child’s play of current encryption. Remarkably, it may be possible to apply quantum decryption of current protocols retrospectively. That is, traffic might be recorded today and replayed through future quantum decryption tools to decrypt it later. This could have dramatic implications for organizations to the extent that they rely on current encryption to safeguard sensitive communications that will remain sensitive. The current predicted timeframe for widespread use of quantum technology varies; however, three recent developments suggest it may be accelerating. First, processor power has been improving exponentially. Second, the U.S. Department of Energy recently unveiled a blueprint report to develop a national quantum internet. Third, given the threat of quantum computing to current cryptography, the National Institute of Standards and Technology (NIST) aims to develop a post-quantum cryptography standard by 2022. 

Moving to AI/ML, adversaries are already using the beneficial features of AI/ML in numerous malicious ways. For example, AI/ML can obfuscate an attacker’s location and identity and augment traditional attacks, providing additional power and scale. Malevolent uses will continue to evolve to enable far more sophisticated attacks. Recent developments involving photon-based chips have moved us closer to AI/ML that learns independently at the speed of light.   

Judging anecdotally from the preponderance of articles and developments in both AI and quantum, we may be at a tipping point for both.

Although enabled by AI/ML, deep fakes are a sufficiently rare use case as to merit their own mention. Separate from the pre-recorded deep fakes discussed above, it is now possible to create a deep fake in real time. The primary concern with real-time deep fakes is that an adversary could appropriate the likeness of an employee, infiltrate an internal or external video teleconference, convince an audience of the veracity of the messages and influence outcomes. It is also possible to imagine that a real-time deep fake could falsely portray an individual engaging in some sort of behavior that is damaging to the organization.

Whether in a traditional setting or operating at a distance, these emerging threats are problematic. However, the remote environment continues to provide adversaries with more opportunity due to the expansion or elimination of the physical perimeter and the necessity of remote access and communication. 

Some Scenarios

Having looked at the inherent problems of the remote paradigm and some of the emerging technologies, consider some edge cases. Each of these is presented in its starkest form and capitalizes on weaknesses in a generic remote model. 

The first scenario stems from advanced persistent threats (APTs). APTs are insidious in that they tend to burrow into an information system and lie in wait or operate undetected, frequently exacting a heavy toll. They can benefit from emerging technologies of AI and ML as well as the security shortcomings and potential chaos around the current remote work situation. 

The next general category of threats has to do with physical violence against employees operating away from corporate offices or in settings that are not within a security perimeter managed by the organization. This could range from a kidnapping to a home invasion and assault or murder. Likewise, as in a remote bank robbery, an employee could be forced to take actions against an organization’s interests under duress. 

Next is the new category of real-time deep fakes. The real danger to organizations with this technology is the prospect of a real-time deep fake during an internal or external communication. At a minimum, this could interfere with the confidentiality, integrity and availability of information. At worst, such a tactic could be used as a ruse to outright direct the actions of employees or outside interlocutors. 

Finally, a very serious and dramatic threat is that an adversary could take advantage of the various attack vectors available combined with the weaknesses in the remote paradigm to completely divert the organization’s resources to his or her uses for a time. Far more damaging than ransomware, this could constitute a total takeover. This might involve a mix of physical force and real-time deep fakes as well as other technical weaknesses inherent in remote communications. Further, the attacker could rely on an entity’s lack of out-of-band communication or other successful means of authentication to ensure that he or she is able to carry out the plan. This is admittedly an extreme, worst-case scenario. A far more nuanced possibility would involve an attacker subtly manipulating corporate resources using scaled-down versions of the same tactics. 

Considering these scenarios, readers might be tempted to ask who would do these things and why. 

The potential cast of bad actors and motives is the same as always. It ranges from opportunistic “script kiddies” to activists to common thieves and organized criminals to nation-states. What is different here is that the how becomes easier. Further, bad actors may be emboldened by the lack of traditional security controls and barriers. Simply, someone not otherwise inclined to physically access a system or commit violence in the service of what could be a relatively white-collar crime might make a calculated decision that the risks involved are not prohibitive relative to the rewards. In a traditional environment, corporate security and access control measures would ordinarily discourage the mere consideration.  

Potential Consequences 

These threats can cause a variety of harms – physical harm to people, exposure of private data, financial loss to shareholders and damage to the organization through lost profits, regulatory trouble and reputational harm. 

Regardless of other priorities, any entity’s first concern must be mitigating increased risk to remote employees stemming from their employment. Should harm come to pass, there could possibly be civil liability, but safety is the first priority.   

The next area for concern is data privacy. Nearly all entities hold personally identifiable information (PII) of some sort, even if it is little more than the data of their own employees. If a breach exposes that data, liability to data holders (customers, employees, vendors) or shareholders may ensue. Likewise, chances are that a given entity is bound by at least one of the ever-growing number of industry- or regional-specific regulations addressing cyber security and privacy.

In the U.S. alone, there are multiple regulatory regimes and regulators that address PII and security – the California Consumer Privacy Act (CCPA), the Sarbannes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability Accountability Act (HIPAA) and the Payment Card Industry-Data Security Standard (PCI-DSS), as well as those falling under the jurisdiction of the New York State Division of Financial Services (NYSDFS), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) – and the list is growing. Meanwhile, the GDPR has major implications for organizations whose operations have a connection to Europe.

In some cases, the obligations are clear, while in others, what exactly a business is required to do vis-à-vis PII is opaque. For instance, both the FTC and CCPA refer to a requirement to implement “reasonable” data security, without providing much clarity on what constitutes “reasonable.” The sum and substance of these requirements is that even when, or precisely when, they are the victim of an attack, organizations remain obligated to provide a given measure of security over PII. 

Although beyond the scope of this article, organizations might consider potential downstream effects should their systems be used as a launching point for attacks on third parties, as well as impacts on the performance of contracts. 

Finally, the takeover or even meddling with a given entity’s operations is clearly likely to have severe direct consequences to the enterprise itself. For a business, this could include loss of revenue during down time, siphoning of productivity and damage to reputation, among other potential consequences. 

What Organizations Can Do

I hope it is clear that there are some immediate problems that merit attention. In this situation, one of the worst things to do would be to deny the problem and do nothing. 

Moving forward, organizations should start by asking whether the remote situation is temporary or permanent. For any entity that has plans to return to full on-site operations in the very near term, some of these considerations may be less pressing. 

For all other entities, the first concern is how to improve security in the remote situation. The best thing any organization can do is to hire, fund and take the advice of a competent chief security officer, chief information security officer and counsel, who should work together on issues of physical security, information security and administrative controls. Preferably, the CSO and CISO will take a holistic view of security favoring a convergence approach, where appropriate. If an organization does not currently have the benefit of competent or sufficient in-house security personnel, a firm specializing in security may be a viable option in the short term.  

Developing and adjusting security controls to the remote paradigm is a challenge, but it is not insurmountable. What follows is a non-comprehensive list of recommendations that can be taken related to certain key steps. 

From an information and technology security perspective, this starts with knowing the enterprise’s network, what machines are connected to it and the identity and location of the organization’s crown jewels. Organizations must decide whether the risks of allowing certain business functions that may have only historically occurred in dedicated spaces and via hardline connections (such as discussions of trade secrets and access to live/production systems for engineers) should occur remotely. Likewise, organizations must make decisions related to approved devices, means of accessing corporate networks and standardized security procedures (e.g., securing Wi-Fi). Organizations should also decide on remote identity and access management, to include the use of two-factor authentication. Organizations should consider engaging outside security firms to assist with these assessments as necessary, to audit physical and cyber security through penetration testing and, potentially, to conduct employee training. 

Administrative controls are more difficult. Given the variety of harms that can arise directly from human behavior, leaders need to find a way to encourage and maintain a culture of security despite the lack of physical proximity. Witting and unwitting insiders have much more room to cause damage away from supervision and peers. Organizations need to find ways to implement controls such as those related to access management and job rotation, among others. Education and training, particularly around topics such as spear phishing and authorized uses of corporate networks, should be designed with an emphasis on the remote setting. Employees should be given incentives to comply with security. Security managers need to stay abreast of trends in employee malfeasance around remote work as well as emerging best practices in this new area. 

Physical security will also prove challenging. Organizations should consult with counsel to determine their obligations to employees and tailor programs to meet these needs. Just as enterprises assess the sensitivity of their data systems, they should also assess the exposure of their personnel. For certain high-risk employees, it may be wise to consider implementing off-premises physical security measures or, at the very least, training. 

For all types of enterprises, whether they plan to return to on-site operations now or not, there are some common considerations. First, they should consider the possibility that clever and determined adversaries may have taken advantage of this period during which their guard has been down to some degree to access systems and plant malware or establish an unauthorized presence on the organization’s systems. With this in mind, organizations should carefully examine their networks for indicators of compromise. Likewise, they should consider that this has been a period in which insiders have had an opportunity to grow bolder. Security departments should step up their efforts to detect insider threats. 

See also: Keeping an Eye on Consumer Privacy

In the longer term, all organizations can take certain additional measures. This period has proven fortuitous in a number of ways. First, it can be treated as a practical drill. All entities should conduct an after-action review. Leadership at all levels from individual teams to the C-suite and boards should sit down and discuss what went right and wrong. Where business continuity plans and other policies and procedures did not match with reality, they should be rewritten. We’ve been handed a real-world opportunity to improve upon our posture. 

One specific action all sorts of entities should ensure is that they have reliable out-of-band communication and authentication. This is absolutely essential. In the event of a form of takeover such as the doomsday scenario proposed above, an organization needs a reliable and immediate way of verifying information, authenticating its source and enacting contingency plans should it become necessary. 

The various regulatory obligations to provide measures of security over PII imply a responsibility to keep up to date on shifting threats and vulnerabilities that stem from changing environments and emerging technologies. Organizations are on notice that they must begin to find ways to ensure they are meeting their obligations to develop measures to provide security against these threats. In other words, organizations are on notice. The fact that NIST has a public target date for its first quantum security standard provides some saliency around this. Some companies have already taken action along these lines. 

It does not appear as though exceptions will be made for shortcomings in security in the current situation, for example under NYSDFS rules and the CCPA. However, the rules of the road for the remote paradigm are being written as we speak. Organizations should use this opportunity to help write them. They should also develop relationships with law enforcement and regulators. They should join industry ISACs and other relevant security groups. Groups such as the IAPP and SANS also offer a wealth of information for professionals interested in working to improve their processes. In consultation with counsel and security professionals, all enterprises need to consider what constitutes acceptable security measures in the current situation and with awareness of emerging technologies. 

Of course, organizations should consider which forms of insurance are best-suited to the purposes of the scenarios laid out above. Cyber insurance and kidnapping and ransom may apply.


We are facing three simultaneous game-changers – the remote paradigm, emerging technologies and increasingly prescriptive privacy regimes. At the same time, adversaries are taking advantage of this time to invest in research and development. Victim enterprises continue to bear many of the costs. 

The current remote work situation may continue, we may return to normal or we may find itself somewhere in the middle. Regardless, this time presents an opportunity to look at our approach to remote situations. By extension, it should be a time to examine and adjust business continuity plans, many of which may have been found lacking in this experience. Moving away from the remote setting, this experience highlights many aspects of traditional security that can benefit from fresh work. Again, it calls for a recognition of the increasing interdependence of physical and information security. Further, overall, this period should demonstrate the need for competent security officers and cross-disciplinary teams dealing with security at the highest levels of the organization as well as the need to invest in comprehensive security and exercise plans meaningfully. 

Disclaimer: This article is intended as general educational information, not as security guidance with respect to any specific situation or as legal advice. If the reader needs legal advice, the reader should consult with an attorney.

How CISOs Are Responding to COVID

Since the stay-at-home orders first started in March, chief information security officers (CISOs) have been sharing both their horror stories and how they’ve shifted priorities to keep their companies safe. These CISOs work in a wide variety of companies, and the anecdotes we’ve been hearing run the gamut. 

Changes are happening in how CISOs make decisions, so, in line with Arceo’s mission of driving comprehensive cybersecurity management, we wanted to look at how the rapid expansion of remote work is affecting cybersecurity business decisions directly.

We collected one of the first sets of quantitative data on how CISOs’ priorities have changed since many businesses started moving to work from home. With our research partner, Wakefield, we surveyed 250 CISOs at companies with $250 million to $2 billion in annual revenue. We asked them about their current and changing approach to cybersecurity risk management. Below is a synopsis of some of the results we found most interesting; the full report is available on our website.

Many CISOs say they need more options and coverage for cybersecurity insurance. However, they aren’t getting the coverage they need or the post-breach services required to recover from certain incidents. Almost four-in-five (77%) reported that there are incidents they feel they need coverage for, but that they are unable to get it. 

Additionally, nearly all (96%) of the CISOs surveyed want additional coverage for the increased vulnerabilities resulting from the work-from-home surge. This means that almost every CISO out there is worried — likely because the security practices followed when working remotely are laxer than those followed in the office, leading to a higher risk of attack. In fact, over 40% of CISOs said that cloud usage (49%), personal devices usage (45%) and unvetted apps or platforms (41%) usage posed the biggest threats during this work-from-home period.

The overwhelming majority (88%) of CISOs are not completely satisfied with the performance of their company’s primary insurance brokerage. Additionally, CISOs want more help when they need it most. Nearly all CISOs (98%) want additional support from their cyber insurance provider after a serious incident. 

Nearly half of all CISOs (48%) report they have experienced a security breach. Insurers and brokers need to step up and are likely in a position to play a bigger role in the prevention and the aftermath of a breach because nine in 10 CISOs are open to purchasing cybersecurity tools along with cyber insurance from the same company. 

See also: COVID-19: The Long Slog Ahead

Now more than ever it seems CISOs seem to be concerned about disruption to continuity, which is a greater risk as staff works from home. More than half of CISOs want cyber insurance to cover business email compromise (56%), loss of electronic data (55%), cyber extortion (53%) and ransomware (52%). 

CISOs recognize they need more influence, and nearly all CISOs (97%) agree that the opportunity to interact with the board is crucial to their success as a CISO. 

Check out the full “Quantitative Analysis of Unmet Insurance Needs and Cyber Security Tools Among CISOs” report to find out more about how CISOs view the changing landscape and how cyber insurance needs to adjust to fit their needs.