No One’s in the Safe Zone: Preparing for a Cyber Hurricane

Here’s how organizations can stay well-equipped, prepare for a ‘cyber storm,’ of threats and maintain strong cyber protection in today’s hardened insurance market.

Lori Bailey, Chief Insurance Officer, Corvus Insurance

September 30, 2022

5 Min Read
Hurricane danger as a dangerous natural disaster tropical storm weather system off an ocean coast shaped as a death skull
Brain Light via Alamy Stock

For anyone who's been working in the insurance industry over the past decade, it’s concerning to see how hardened the market has become, and the new challenges it’s uncovered for cyber managing general agents (MGA) and businesses alike. Cyber hurricane-inducing incidents like Log4j and the Russia and Ukraine conflict have sparked more conversations among C-suite level executives about how exposed their organizations are to outside threat actors. However, there are many companies that have yet to make progress toward reducing exposures and investing in an organization-wide security protocol. Although we haven’t seen any major “cyber hurricanes” to date, there have been many little “storms” drawing increased demand for cyber insurance -- a sign that a larger squall could be on the horizon. This is why it’s mission critical for companies of all sizes and industries to be prepared for when it hits -- nobody is in the safe zone.

To stay well-equipped and protected in today’s hardened market, organizations need a foundational cybersecurity strategy for third-party risk management and cyber incident mitigation. To implement an effective strategy, they must understand how to determine exact risk levels, prioritize data transparency within risk assessment processes, and build overall cyber confidence. Below, I’ve outlined a few ways that organizations can address third-party risk to prepare for a “cyber storm,” and stay resilient in the event of a disaster:

Understanding Third-Party Cyber Risk Management Factors

Cybersecurity does not offer a one-size-fits-all solution -- there are many elements worth considering when it comes to managing an organization’s third-party cyber risk, both from a technical and non-technical standpoint. Third-party cyber risk management is needed across a range of different technologies, with factors that include:

  • Email service provider/email security tools

  • Industry-specific software

  • Cloud service/web hosting providers

  • Virtual private networks (VPNs)

  • Patch management practices

Each third-party solution comes with its own unique benefits, but it also comes with its own unique vulnerabilities. This is why it’s critical for business leaders to understand where exactly those vulnerabilities lie -- such as how their sensitive information can be accessed, the likelihood of this information being compromised, and potential blind spots in protecting this information. Additionally, there are other elements that can impact risk management that extend beyond cybersecurity. A vendor’s poor financials, or behavioral circumstances can make companies more susceptible to cyber-attacks. For example, if a vendor has multiple liens on it, appears unprofitable, or is borrowing more than it can pay off, outside threat actors can view the company as a target, causing a hurricane to form around its operations. A combination of risk aggregation management, data-based risk analysis, and human oversight can make a significant difference in cyber protection when it comes to relying on third-party solutions.

Prioritizing Data Transparency

Leveraging data is key for organizations to ensure reliable outcomes for each risk assessment. Therefore, business leaders need increased visibility into all available data to accurately determine which cyber exposures put them at a higher risk. Unfortunately, due to the large quantity of data often moving from one business solution to another, maintaining a strong level of visibility is not easy. This is why digital tools that support data transparency need to be regularly updated and prioritized within an organization’s cybersecurity investment stack. For example, risk of data compromise can stem from improperly patched software, using out-of-date programs, or misconfigured cloud applications. At the same time, access to real-time data can help organizations identify emerging threats -- even those that have not yet resulted in an insurance claim. As a result, organizations can enrich their understanding of incoming risks before a severe operational damage or storm of threats even occurs.

Data transparency, while providing organizations with deep risk insights (including real-time information), can also help analyze and pinpoint the biggest risks’ origins. Top business executives must of course be kept informed regarding their organization’s cyber exposures, but they often struggle with gathering the appropriate insights to confidently execute on risk mitigation strategies. Targeted investments in comprehensive data delivery not only helps to improve cybersecurity outcomes and strengthen overall cyber hygiene but leads to elevated confidence in the long run.

Building Cyber Confidence for the Long Term

In order for organizations to successfully execute on any of the above tactics and achieve their goals of long-term market share, business leaders must practice cyber confidence. Cyber confidence can be supported by a broad range of resources, with education and awareness at the root of it all. Organizations can’t protect what they don’t see nor understand, so initiatives such as conducting regular security training and building an incident response plan can help employees feel more supported and knowledgeable.

To build an effective incident response plan, the plan should leverage a holistic approach -- focusing not only on the role of technology, but also incorporating the human element. For example, IT system user training can boost employees’ confidence across all departments. Examining the layout and digital structure of internal IT systems can help employees gain a deeper understanding of where cybersecurity gaps might lie, and the unusual places they might accrue certain risks. Additionally, if the nature of that IT infrastructure is inherently more resilient -- such as modern cloud systems that provide redundancy and backups by default -- organizations can more confidently navigate the complexities that come with each system.

If there’s one definitive lesson that industry leaders have learned over the last few years, it’s that no two large-scale cyber-attacks are the same. Therefore, relying solely on information from past losses to inform current cyber insurance strategies won’t suffice. Incorporating modern security practices around third-party solution management and data transparency is key to feeling equipped for when a cyber hurricane strikes. Accessing both historical and real-time information can help organizations elevate their strategies to become the most effective. This technology-first approach, while also rooted in human intellect, can support the holistic mentality needed for organizations to find success within their cybersecurity initiatives, and ultimately, support confident navigation of cyber insurance.

About the Author(s)

Lori Bailey

Chief Insurance Officer, Corvus Insurance

Lori Bailey is Chief Insurance Officer of Corvus Insurance. Bailey’s experience stems from over 20 years of working on both the carrier and broker sides of the insurance industry. Prior to Corvus Insurance, Bailey was the Global Head of Cyber Risk for Zurich Insurance where she developed and implemented global underwriting strategies, governance, and product offerings for all cyber risk exposures. She has previously served on committees for the World Economic Forum, Pan-European Insurance Forum, and Institute for International Finance.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights