Building cyber resilience: Lessons from 2021


The cyber threat landscape has evolved rapidly in 2021. We have seen the following:

Responsive and malleable cyber attacks.

These include:

  • exploitation of the pandemic environment, with ransomware-as-a-service becoming more prominent
  • extortion and impersonation tactics evolving away from traditional methods and formats, from email to text, chat, social media friend requests and mobile phone calls with false claims of unauthorised transactions or of a warrant for your arrest
  • criminal and state-sponsored actors targeting essential services and critical infrastructure, and exploiting security vulnerabilities to launch widespread attacks and disrupt supply chains.

Governments worldwide, most notably the Biden Administration and the Australian Federal Government, responding more forcefully to global cyber threats.

Governments are increasingly:

  • prioritising cyber threats as a national security issue
  • focussing on strengthening their country's cyber resilience through various legislative, regulatory and policy initiatives.

Boards and C-Suite becoming more aware of cyber security risks and the need for enterprise-wide cyber literacy, and prioritising cyber resilience.

Key statistics indicate that:

  • 41% of directors cite cyber crime and data security as the big issues keeping them up at night
  • 86% are confident they understand the risks and opportunities presented by technology
  • 53% believe their board has enough oversight over cyber threats.

The cyber insurance market hardening as the volume of claims increases and ransomware-related events drive large losses.

However, cyber insurance continues to be critical to the overall risk management strategies of businesses of all sizes, and significantly:

  • the demand for cyber insurance is increasing
  • the cyber insurance industry is adapting to this evolving cyber threat landscape, with corrections being made to cyber pricing and terms and conditions
  • we anticipate that the cyber insurance market will continue to grow, with cyber insurers, cyber insurance brokers and legal advisers playing a key and proactive role in building the cyber resilience of their corporate clients, and with certain minimum standards now being "first base" for both obtaining insurance and mitigating data breaches.

Our Cyber Year in Review concludes with four key lessons to inform 2022 and beyond.

1. Work on reducing the cost of the human factor.

While ransomware-related events dominated the headlines in 2021, business email compromise (BEC) continues to pose a major threat to Australian businesses and government enterprises, particularly as more Australians work remotely. The common denominator of these two top threats is human error.

BEC crimes are people-centric and work to deceive people by appearing genuine, in order to compromise an email account (whether through phishing or social engineering), with a common outcome being the transfer of money or of the requisite information to the perpetrator. The threat to cyber security therefore lies not only in the technology itself, but in the human factor when interacting with technology. More specifically, it is human error, including indifference, a lack of cyber-attack detection skills or a false sense of security, that is most concerning.

Ransomware causes similar concerns. Very often, the ability to infect a network with malware and launch a ransomware attack starts with an employee clicking on a malicious link or attachment in an email, failing to recognise or heed the warning signs.

The Australian Cyber Security Centre (ACSC) reported that BEC was one of the top cybercrime categories in FY2020–21, with the average loss per "successful" event increasing to more than AU$50,600 – over one-and-a-half times higher than the previous financial year.

In the US, the FBI's Internet Crime Report 2020 reported that BEC attacks are significantly more costly than ransomware attacks, with 19,369 reports of BEC attacks costing approximately US$1.8 billion. In contrast, there were 2,474 ransomware reports costing approximately US$29 million.

Importantly, a top priority for organisations will be minimising human error, alongside continued investment in technological safeguards and security certifications. To minimise human error and change attitudes towards cyber risks, organisations will need to:

  • start or continue to educate and train their entire workforce, not just managers and the Board
  • improve enterprise-wide communications on the latest risks, as well as protocols for identifying and responding to incidents
  • implement cyber security practices at an individual level, including password changes and VPN installation
  • evaluate their cyber security understanding and outsource if needed.

A more detailed look into the steps that organisations can take to improve individual cyber resilience can be found here.

2. Cyber insurers and brokers can play an important role in building cyber resilience.

An increase in cybercrime and in losses associated with cyber attacks has caused an unsustainable loss portfolio for insurers. As a result of these growing losses for companies and increased claims activity, the cyber insurance market has rapidly hardened in the last year.

We have seen some insurers retreating from the cyber insurance market, insurance premiums rising, sub-limits and co-insurance requirements imposed, and policy limits capped in an attempt to manage their line sizes and aggregation. Insurers' underwriting practices are also adapting to the changing risk environment, with increased scrutiny on organisations' specific practices, controls, and protocols to prevent and mitigate threats before cover is provided.

This might seem grim for cyber insurers, cyber insurance brokers and insureds. However, from this hardening cyber insurance market we see strong potential in cyber insurers and brokers taking on a critical and proactive role in building up the cyber resilience of organisations worldwide. This would in turn bring about long-term benefits for insurers, brokers and insureds.

Cyber threats are here to stay, and Boards and C-suite are alive to this risk. Although the uptake on cyber insurance globally has been low to date, the demand for cyber insurance as an important risk management tool will continue to grow as organisations prioritise the management of cyber security risks.

Cyber insurers and brokers can make use of this awareness and demand to play an important role in proactively uplifting the cyber resilience of their corporate clients.

  • Requiring certain cyber resilience standards to be met in order for cover to be available would ensure that insurers' losses and exposures are minimised as far as possible, and that cyber risks remain insurable.
  • Cyber insurance brokers can use this as an opportunity to showcase their expertise and understanding of their clients' businesses, helping insureds understand the changing market, the cyber insurance policies available for their risk profile, and the strategies they need to undertake to uplift their cyber resilience and obtain cover.
  • In turn, as the protection gap is addressed, the improvement in insureds' risk profiles would make them more insurable and give them access to more options for cyber insurance. This would be a win-win for all.

3. Information sharing is key.

Information sharing on cyber threats and vulnerabilities is key to ensuring that the private sector, governments and the insurance industry are in the best position to tackle cyber security risks proactively, and to ensure cyber risk insurability.

One challenge that has constrained the cyber insurance market is a lack of information sharing between insurers and organisations. Policyholders are hesitant to disclose information about their incidents, costs and losses, while insurance companies are reluctant to disclose the damage and claims data from their customers. A number of considerations have caused this reluctance, including privacy, legal implications, reputational damage and the risk of revealing vulnerabilities.

However, neglecting to share information, particularly during the underwriting phase, results in information asymmetry where the policyholder is more aware of the risks than the insurer. Information asymmetry makes it difficult for insurers to determine a risk-based premium. A lack of information sharing, coupled with the lack of data in a relatively "young" cyber insurance market, has therefore been challenging for cyber risk modelling and insurability. Resolving this problem will require collective will from insurers, insurance brokers, the private sector, and governments.

Cyber threat information sharing results in earlier awareness of developing threats, new techniques for preventing and responding to threats and a reduction in cyber security costs by spreading the cost of intelligence and preparedness. Eventually, as more data becomes available, insurers in collaboration with insureds can formulate more accurate and complex cyber models that will greatly assist in forecasting risk and pricing eventualities.

Outside the insurer/insured relationship, it is important that organisations share information on detected vulnerabilities with other organisations and government agencies. Cyber criminals are constantly finding new software vulnerabilities and more complex methods of exploitation. Proactive information sharing about attacks, vulnerabilities and mitigation strategies builds resilience across organisations and can improve responsiveness to potential threats.

4. A collective approach is needed for cyber ecosystem strength.

Like natural ecosystems, the cyber ecosystem consists of a variety of diverse participants including governments, the private sector, individuals and devices (Internet of Things) that continuously interact, dependent on masses of data. Whilst technology continues to push the boundaries and keep us more connected than ever, this exponential potential of interconnectivity is hampered by the equally rapid growth of points of vulnerability on the network and the scale of data being collected.

Cyber threats are global, so geographical borders and physical national defence mechanisms are, in essence, immaterial. As a result, cybercrime is a global problem, and coordinated efforts between governments, the private sector and international organisations may provide the only defence. A multinational approach and strong global political will would help promote cyber resilience, which is critical to ensuring a stronger cyber ecosystem.

Efforts may include disrupting ransomware networks, developing cohesive and consistent multinational policies and enabling the rapid tracing and interdiction of virtual currency proceeds.

We have seen some positive steps in this direction this year, with international enforcement efforts resulting in the arrest of two members of the REvil group under the coordination of Europol and Eurojust.

Cyber security is a global issue that requires coordinated action and collective will in order to build a stronger cyber ecosystem. It is only when we can build up cyber resilience globally that the far-reaching impacts of cyber attacks can be properly minimised.

Melissa Tan

Special Counsel

Keely O'Dowd

Senior Associate

Louisa Henderson