Businesses are at risk of finding that they are unable to secure cyber insurance cover as the volume of cyber attacks reaches new levels.
Companies are increasingly being required to put in place higher levels of cyber protection for their systems before they will be considered for cyber insurance.
According to insurers, the cost of cyber risks insurance has rocketed as demand for cover outstrips supply.
Their comments came as the World Economic Forum (WEF) published its Global risks report 2023, which identifies widespread cyber attacks and cyber insecurity as one of the top 10 risks facing governments and organisations over the next 10 years.
Carolina Klint, risk management leader for continental Europe for insurance broker Marsh, and one of the contributors to the report, said that insurance companies were now coming out and saying that “cyber risk is systemic and uninsurable”.
That means, in future, companies may not be able to find cover for risks such as ransomware, malware or hacking attacks.
“It’s up to the insurance industry and to the capital markets whether or not they find the risk palatable,” she said in an interview with Computer Weekly, “but that is the direction it is moving in.”
In recent days, cyber attacks have disrupted the international delivery services of the Royal Mail and infected IT systems at the Guardian newspaper with ransomware.
The Global risks report rates cyber warfare and economic conflict as more serious threats to stability than the risks of military confrontation.
“There is a real risk that cyber attacks may be targeted at critical infrastructure, health care and public institutions,” said Klint. “And that would have dramatic ramifications in terms of stability.”
Risk of Russia stepping up cyber attacks
Russia’s cyber attacks against Ukraine could, depending on how the war goes, lead to more generalised attacks against inadequately protected IT systems in the West.
“I do think with Russia’s attacks, depending on the level of frustration and the success or failure of the war, we might be looking at broader spray attacks, which are going to be less targeted, which means that more companies or individuals might suffer,” Klint said in an interview with Computer Weekly.
That could be accompanied by targeted attacks on critical infrastructure, such as hospitals and health care services, which are already under strain because of Covid-19 and flu, a lack of funding, and shortages of nurses and other staff.
“There’s definitely a risk that this will have more serious ramifications,” said Klint. “They are already under so much pressure, already pushed to the brink of what is even possible.”
Greater numbers of employees working from home and the increased use of digital technologies have opened up new paths for malicious actors to break into computer systems.
One future risk is that hackers will be able to harvest people’s voice inflexions and facial expressions, which could be used to imitate them or to fool voice-based identification systems, such as those used by banks to identify telephone customers.
Organisations will need to look at the effectiveness of their risk mitigation and risk management strategies and invest up-front in cyber security to be insurable, said Klint.
“Companies are starting to realise the importance of making mitigation efforts and being willing to invest upfront to be insurable, and this has increased over time,” she said.
Managing cyber risk requires collaboration
Managing cyber risk cannot be left to chief information security officers (CISOs) – it requires collaboration across a whole organisation.
“Cyber risk is one of those areas where you need a very diverse representation around the table to talk about the risks, what is on the risk horizon, the potential impact, and then the strategies to mitigate it,” said Klint.
That means collaborative effort between the risk function, the finance function, HR, the CISO, and the rest of the IT team.
Klint argues that for companies to be insurable, they will need to ensure they have the right cyber security processes in place, along with basic security protections such as multi-factor authentication (MFA).
Organisations may not be able to continue to rely on two-factor authentication based on sending SMS codes to mobile phones to provide secure access to their systems, as that is itself vulnerable to SMS phishing attacks, she said.
Cyber insurance rates are increasing
John Scott, head of sustainability risk at Zurich Insurance Group, said that with the move to cloud services, increased digitisation and ransomware attacks increasing, it is not surprising that the cost of cyber insurance has risen.
“Rates have significantly increased, but at the same time the demand for cyber protection continues to rise,” he said, adding that some companies are responding by self-insuring or setting up their own captive insurance companies. While technology can expose companies to cyber security risks, it can also be used to mitigate risks facing businesses.
There have also been examples where companies have pared down their IT infrastructure to the point that they are not as resilient as they could be.
In other cases, manufacturing companies are moving away from “just in time” delivery of their products to holding extra stock “just in case” supplies of critical parts are disrupted.
“There’s a cost to that in terms of profitability, but it’s well worth accepting that and it means you can still stay in business,” said Scott, adding that he has seen cases where companies have stripped their IT infrastructure down to the point that they are not as resilient to unexpected shocks.
It is “astonishing”, said Scott, that many companies have not put basic IT security protection in place, such as ensuring software is regularly patched and using two-factor authentication. He pointed out that organisations should also be working with their suppliers and datacentres to make sure that their supply chains are protected from cyber attacks.
At a higher level, organisations can work with governments and national security agencies to share data on the activities of state-sponsored hackers and which infrastructure is at risk.
“That can really help companies become more resilient in terms of where the attacks are and where to target the mitigation,” said Scott.
How to tackle multiple risks
With organisations facing multiple simultaneous problems, including rising energy costs, rising prices and disruption to supply chains, Klint said that it makes sense to solve problems to gain both short-term and long-term benefits.
Spending more on cyber security, for example, will also give organisations greater resilience to survive other shocks, such as failures in the supply chain.
“Cyber resilience and supply chain resilience are really closely interlinked. And that means investment in resilience will have a positive impact on more than one risk,” said Klint.
Technology platform providers and cloud providers can partner with law enforcement, governments and insurance companies to provide guidance to businesses on what they need to do to improve resilience.
“You have to think about it more in terms of survival. Because, in case you have a massive cyber attack and everything goes down, what are you going to do?” Klint added.