Building cyber resilience: Lessons from 2021

The cyber threat landscape evolved rapidly in 2021, giving rise to new threats and a step change in the response from governments and businesses.

Evolving cyber threats

The pandemic represented new opportunities for cyber criminals as businesses adapted and mobilised technology in response to remote working requirements. These conditions, coupled with the low barriers to entry for cyber attackers with the proliferation of Ransomware-as-a-Service, have both cyber and privacy implications for businesses and individuals.

Extortion and impersonation tactics also evolved from traditional methods and formats, expanding from email to text, chat, social media friend requests and mobile phone calls, with false claims of unauthorised transactions or the threat of arrest by authorities. Deep fake videos impersonating someone can also be created in as little as 30 minutes using free online software, with low-cost tactics and low barriers to entry having the potential to cause significant damage.

The year was also marred by criminal and state-sponsored actors targeting essential services and critical infrastructure, and exploiting software security vulnerabilities to launch widespread attacks and impact supply chains.

Governments respond

Governments worldwide, most notably the Biden Administration and the Australian Federal Government, demonstrated greater force in responding to global cyber threats in 2021.

Domestically, governments are increasingly prioritising cyber threats as a national security issue and focussing on strengthening countries' cyber resilience through various legislative, regulatory and policy initiatives.

Internationally, allied governments are also increasingly banding together to face global cyber threats. The enhanced trilateral AUKUS security partnership between Australia, the United States and United Kingdom has seen the Australian Cyber Security Centre (ACSC), the United States' Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) regularly issuing joint cyber security advisories.

Growing awareness

Boards and C-Suites are becoming increasingly aware of cyber security risks and the need for enterprise-wide cyber literacy, and are prioritising cyber resilience.

Key statistics indicate that:

• 41% of directors cite cybercrime and data security as the big issues keeping them up at night
• cyber attacks, data loss and cyber extortion are the top three worries for directors and officers globally, including the Australasian region
• 86% are confident they understand the risks and opportunities presented by technology
• 53% believe their board has enough oversight over cyber threats.

Cyber insurance claims increase

The cyber insurance market hardened as the volume of claims increased and ransomware-related events drove large losses in 2021.

However, cyber insurance continues to be critical to the overall risk management strategies of businesses of all sizes, which has meant demand for cyber insurance continues to increase.

The cyber insurance industry is adapting to the evolving cyber threat landscape, with corrections to cyber pricing and terms and conditions. Given these factors, we anticipate the cyber insurance market will continue to grow, adjust and innovate to meet demand, with cyber insurers, cyber insurance brokers and legal advisers playing a key and proactive role in building the cyber resilience of their corporate clients and insurability.

Four key lessons

2021 reinforced the importance of taking cybersecurity and data privacy seriously. Below, we explore four key lessons organisations should consider to strengthen their cyber defences and resilience.

1. Work on reducing the cost of the human factor.

While ransomware-related events dominated the headlines in 2021, business email compromise (BEC) continues to play a major threat to Australian businesses and government enterprises, particularly as more Australians work remotely. The common denominator of these two top threats is human error.

BEC crimes are people-centric and work to deceive people, appearing genuine, in order to successfully compromise the email account (be it through phishing, pretexting or other types of social engineering attacks) with a common outcome being the transfer of money or the transfer of requisite information to the perpetrator. The threat to cyber security therefore is not only technology itself, but the human factor when interacting with technology. More specifically, it is human error, including indifference, lack of cyber-attack detection skills or a false sense of security, that are most concerning.

Ransomware causes similar concerns. Very often, the ability to infect a network with malware and launch a ransomware attack starts with an employee clicking on a malicious link or attachment in an email, failing to recognise or heed the warning signs.

The Australian Cyber Security Centre (ACSC) reported that BEC was one of the top cybercrime categories in FY2020–21, with the average loss per "successful" event increasing to more than AU$50,600 – over one-and-a-half times higher than the previous financial year.

In the US, the FBI's Internet Crime Report 2020 reported that BEC attacks are significantly more costly than ransomware attacks, with 19,369 reports of BEC attacks costing approximately US$1.8 billion. In contrast, there were 2,474 ransomware reports costing approximately US$29 million.

Importantly, a top priority for organisations will involve minimising human error, as well as continually investing in technological safeguards and security certifications. To minimise human error and change attitudes towards cyber risks, organisations will need to:

• start or continue to educate and train their entire workforce, not just managers and the Board
• implement proactive and effective end-user security awareness training focused on topics such as social engineering techniques, use of social media, safety and privacy, and organisational security policies
• improve enterprise-wide communications on the latest risks, as well as protocols for identifying and responding to incidents
• implement cyber security practices at an individual level, including password changes and VPN installation
• evaluate their cyber security understanding and outsource if needed.

A more detailed look into the steps that organisations can take to improve individual cyber resilience can be found here.

2. Cyber insurers and brokers can play an important role in building cyber resilience.

An increase in cybercrimes and losses associated with cyber attacks have caused an unsustainable loss portfolio for insurers. As a result of this growing loss for companies and increased claims activity, the cyber insurance market has rapidly hardened in the last year.

We have seen some cyber insurance carriers retracting capacity locally and globally, insurance premiums rising, sub-limits and co-insurance requirements imposed, and policy limits capped in an attempt to manage their line sizes and aggregation. Insurers' underwriting practices are also adapting to the changing risk environment, with increased scrutiny on organisations' specific practices, controls, and protocols to prevent and mitigate threats before cover is provided.

This might seem grim for cyber insurers, cyber insurance brokers and insureds. However, from this hardening cyber insurance market we see strong potential in cyber insurers and brokers taking on a critical and proactive role in building up the cyber resilience of organisations worldwide. This would in turn bring about long-term benefits for insurers, brokers and insureds.

Cyber threats are here to stay, and Boards and C-suite are alive to this risk. Although the uptake on cyber insurance globally has been low to date, the demand for cyber insurance as an important risk management tool has and will continue to grow as organisations prioritise the management of cyber security risks.

Cyber insurers and brokers can make use of this awareness and demand to play an important role in proactively uplifting the cyber resilience of their corporate clients.

• Requiring certain cyber resilience standards to be met in order for cover to be available would ensure that insurers' losses and exposures can be minimised as much as possible, and that cyber risks continue to be insurable
• Cyber insurance brokers can use this as an opportunity to showcase their expertise and understanding of their clients' business, helping insureds understand the changing market and cyber insurance policies available for their risk profile, and strategies that need to be undertaken to uplift their cyber resilience and get cover
• On the other hand, as the protection gap is addressed, insureds' improvement in their risk profile would make them more insurable and have access to more options for cyber insurance. This would be a win-win for all.

3. Information sharing is key.

Information sharing on cyber threats and vulnerabilities is key to ensuring that the private sector, governments and the insurance industry are in the best position to tackle cyber security risks proactively, and to ensure cyber risk insurability.

One challenge that has constrained the cyber insurance market is a lack of information-sharing between insurers and organisations. Policyholders are hesitant to disclose information about their incidents, costs and losses while insurance companies are reluctant to disclose the damage and claims data from their customers. A number of considerations have caused this reluctancy, including privacy, legal implications, reputational damage and the risk of revealing vulnerabilities.

However, neglecting to share information, particularly during the underwriting phase, results in information asymmetry where the policyholder is more aware of the risks than the insurer. Information asymmetry makes it difficult for insurers to determine a risk-based premium. A lack of information sharing, coupled with the lack of data in a relatively "young" cyber insurance market, has therefore been challenging for cyber risk modelling and insurability. Resolving this problem will require collective will from insurers, insurance brokers, the private sector, and governments.

Cyber threat information sharing results in earlier awareness of developing threats, new techniques for preventing and responding to threats and a reduction in cyber security costs by spreading the cost of intelligence and preparedness. Eventually, as more data becomes available, insurers in collaboration with insureds can formulate more accurate and complex cyber models that will greatly assist in forecasting risk and pricing eventualities.

Outside the insurer/insured relationship, it is important that organisations share information on detected vulnerabilities with other organisations and government agencies. Cyber criminals are constantly finding new software vulnerabilities and more complex methods for exploitation. It is reported that some Eurasian ransomware groups have adopted a collaborative approach by sharing victim information with each other, diversifying the threat to targeted organisations and enabling them to be one step ahead. Proactive information-sharing about attacks, vulnerabilities and mitigation strategies builds resilience across organisations and can improve reactivity to potential threats.

4. A collective approach is needed for cyber eco-system strength.

Like natural ecosystems, the cyber ecosystem consists of a variety of diverse participants including governments, the private sector, individuals and devices (Internet of Things) that continuously interact, dependent on masses of data. Whilst technology continues to push the boundaries and keep us more connected than ever, this exponential potential of interconnectivity is hampered by the equally rapid growth of points of vulnerability on the network and the scale of data being collected.

Cyber threats are global and so geographical borders and physical national defence mechanisms are, in essence, immaterial. As a result, cybercrime is a global problem and coordinated combative efforts between governments, the private sector and international organisations may provide the only defence. A multi-national approach and strong global political will help promote cyber resilience, which is critical to ensuring a stronger cyber eco-system.

Efforts may include disrupting ransomware networks, developing cohesive and consistent multinational policies and enabling the rapid tracing and interdiction of virtual currency proceeds.

There have been positive steps in this direction in 2021, with international enforcement efforts resulting in the arrest of two members of the REvil group under the coordination of Europol and Eurojust. The trilateral AUKUS security partnership with the joint cyber security advisories issued is also another step in the right direction.

Cyber security is a global issue that requires coordinated action and collective willingness to build a stronger cyber eco-system. It is only when we build up cyber resilience globally that the far-reaching impacts of cyber attacks can be properly minimised.