3 Ways to Address Cyber Risk and the Pandemic: What You Must Do to Keep an Eye on This Expanding Risk

By: | January 31, 2021

Brian is an Underwriting Director and holds the title of Cyber Industry Leader at CNA. Brian is responsible for product development and underwriting strategy within CNA’s Cyber and Technology E&O underwriting operation. Prior to this role, Brian was a Senior Claim Counsel in CNA Specialty Claim’s Management Liability, Financial Institutions and Technology unit where he is focused on the Company’s Global Cyber and Technology claims. Brian is a regular speaker at industry events regarding global cyber insurance and risks, breach response and mitigation.

Ransomware attacks have been on the rise and are becoming more dangerous in recent years.

The total number of global ransomware reports increased by 715% in the first half of 2020 year-over-year, according to Bitdefender’s Mid-Year Threat Landscape Report 2020.

A likely stimulant points to cyber criminals looking to take advantage of the pandemic and its related increase in telecommuting, which has been shown to potentially open new avenues of entry through the cyber systems of businesses.

Not only has the number of ransomware attacks increased but also the types of ransomware continue to evolve — some looking to be even more disruptive and damaging.

According to the Sophos 2021 Threat Report, there will be a gap between ransomware operators at different ends of the skills and resource spectrum, with big-game hunting ransomware families continuing to refine and change their tactics, techniques and procedures to become more evasive and sophisticated.

This will likely involve larger organizations being targeted with multi-million dollar ransom demands, all while an increase in the number of entry level, apprentice-type attackers looking for ransomware-for-rent will be seen as well.

The good news — ransomware attacks are often avoidable, but it requires preparation.

Preparedness can begin with building a top down security culture. Securing buy-in from board and upper management can take time, ensuring everyone has a clear picture of the complications and consequences of ransomware threats.

Here are three ways to effectively gather information about a company’s cyber risk profile to prepare your case to the company’s management and/or board.

1) Take advantage of free consultations.

Many insurance carriers are offering free consultations to help businesses better understand their cyber security posture.

These discussions look at a company’s technical controls, such as firewalls; the physical controls, such as key cards; as well as its people controls, like employee training.

Some consultations, like CNA’s CyberPrep program, will provide a chance to meet with ransomware coaches and create a gap analysis to help identify the company’s cyber security posture.

2) Review regulatory requirements.

Depending on where geographically a company sells its products or services, it can be subject to different regulatory and security requirements.

Consulting with a regulatory lawyer could help the company better understand its regulatory exposure and related cyber threats. With the proper knowledge of these requirements, a company can likely improve how prepared and protected it is from ransomware threats.

3) Have a clear understanding of commercial and contractual requirements.

To ensure a business is protected from cyber threats, it means looking at every possible hole and point of entry into the company’s systems.

Similar to regulatory requirements, it is important for companies to be aware of the security control requirements they have for their customers and business partners.

A lawyer can work with the business to review all contracts, confirming that the most effective security controls are in place — not just within their company walls but also with their customers and business partners.

Next Steps

Once this information gathering is complete, it is important to present the findings to the board and upper management.

These findings, along with suggested enhanced protocols, will help the company be prepared to respond more efficiently and effectively if they are faced with a ransomware event. No matter the budget or size of the company, there are always protocols that can be put in place.

Sometimes it is a gradual approach, layering on new security controls every year.

Other times, it can be an overhaul, tightening up the cyber security posture in one large initiative.

Identification, education and knowledge will help everyone across the organization — from the top down — create a safer cyber security culture. &

More from Risk & Insurance