Day zero – time to prioritise cyber security

By Eden Winokur, Alison Baker and Sam Tempone

Companies that have not already done so need to invest in cyber security and make it an organisational priority.

With the increase in cyber crime and the hardening of the cyber insurance market, it is more important than ever for companies to be informed of current trends and ensure that they have good cyber security hygiene.

Current trends

In the 2020/21 financial year, the Australian Cyber Security Centre confirmed that self-reported losses from cyber crime totalled more than $33 billion. This was an increase of nearly 15% in ransomware cyber crime reports compared to the previous financial year.

Things appear to be getting worse.

Aon Insurance Brokers predict that the global cost of cyber crime is estimated to total between $2 to $6 trillion annually in 2022. These costs include business interruption, theft, data destruction, increased vendor costs (such as legal fees, cyber attack response services, public relations services and ransom negotiators) and the cost of restoring hacked data and systems.

Allianz Insurance’s Risk Barometer report lists cyber incidents such as cyber crime and data breaches as the biggest concern for companies globally in 2022. This beat out business interruption, natural catastrophes and pandemic outbreak.

Cyber crime concern is not only shared by companies and risk management experts. In 2021 the United States, United Kingdom and Australia published a joint cyber security advisory, which outlined that there had been an increase in sophisticated, high-impact ransomware incidents. A worrying trend in the United States is that cyber criminals appear to be shifting away from ’big-game’ hunting (ie Colonial Pipeline Company and Kaseya Limited) and moving towards targets in the corporate market.

Regulators are watching

Regulators are increasingly taking an interest in cyber, which has created an enhanced risk environment for organisations and their directors and officers.

In its August 2021 Corporate Plan, the Australian Securities and Information Commission (ASIC) listed cyber resilience and security of regulated entities as one of its highest priorities. This follows the commencement of legal proceedings by ASIC in August 2020 against Australian financial services license (AFSL) holder, RI Advice Group Ltd, in what has been dubbed Australia’s first cyber security case. ASIC alleges that RI Advice breached its AFSL obligations by failing to implement adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cyber security and cyber resilience. The case is listed for trial in April 2022 and the outcome will provide helpful guidance on the court’s approach and expectations of AFSL holders in relation to cyber security.

In November 2021, the Australian Prudential Regulation Authority (APRA) released a media statement putting directors on notice that the need for boards’ ongoing due diligence in the cyber space is greater than ever. APRA expects boards to have the same level of confidence when dealing with cyber security issues as they do when governing other business issues.

The interest of regulators in cyber has coincided with an increase in the frequency, impact and sophistication of cyber attacks.

How did this happen?

Historically, cyber criminals infiltrate systems using compromised credentials, often obtained through ‘phishing’, which is when malicious emails sent by a threat actor are used to trick an individual into sharing sensitive information such as usernames and passwords.^[1] Once inside a network, cyber criminals have perpetrated various types of attacks, including deploying ransomware, stealing data and social engineering fraud.

As organisations have developed defences to traditional methods of network compromise, the cyber crime economy has evolved in its sophistication. Cyber criminals are increasing using ‘0-day exploits’ to attack organisations. A 0-day exploit occurs when malware is deployed to exploit a vulnerability in a piece of software, or an application used by a company or consumer to immediately launch an attack. A widely publicised recent example is the log4j incident that affected millions of computers worldwide using online services.

Defending against 0-day exploits has challenges. Applications and programs often require updates to patch vulnerabilities. Generally, there is a lag in time between when a vulnerability is identified, when a patch is developed and when organisations install the patch. This provides a window of opportunity that cyber criminals are taking advantage of. Once inside a network, infiltrators may be able to install additional malware to facilitate long-term access to a victim’s environments.

0-day exploits are just an example of how the cyber crime space is evolving, and why companies need to invest and make cyber security an organisational priority.

Impact on insurance market

The current trends in cyber crime have significantly impacted the cyber insurance market.

Marsh reports that cyber insurance pricing in the US has increased an average of 96% year-to-year. They consider that increased rates are primarily due to:

• a significant increase in loss ratios due to rising frequency and severity of ransomware claims;
• an increase in supply chain attacks and software exploitation meaning a single event can affect several insureds;
• the demand for reinsurance capital remaining greater than available supply; and
• available capital, which has caused some insurers to reduce the amount of capital deployed on any given risk to limit their own portfolio’s exposure.

The hardening of the cyber insurance market increases the importance of risk selection and underwriting criteria for insurers.^[2] In fact, insurers may refuse issuing a policy on the basis that your company is not doing enough to protect itself from cyber incidents. For example, several insurers now require multi-factor authentication to be enabled for all users logging in remotely.

Current trends make it clear that it is more important than ever for companies to invest in and have a plan for cyber security.

What should I do?

Investing in cyber security systems and training employees are the best defence against cyber criminals.

The 2021 Microsoft Digital Defense Report states the best way to minimise the impact of attacks is to practice good cyber hygiene, implement architectures that support the principles of ‘zero trust’ and to ensure cyber risk management is integrated into every aspect of your business. Zero trust principles assume that hackers are already in your system and so no user should be inherently trusted without proving their identity.

Microsoft suggests that basic security hygiene protects against 98% of attacks from cyber criminals. It considers basic security hygiene to include:

• enabling multifactor authentication, making it harder for threat actors to utilise stolen or phished credentials;
• applying least privilege access, which limits user access with just-in-time and just-enough-access, risk-based adaptive policies and data protection;
• keeping your applications up-to-date to mitigate the risk of software vulnerabilities or exploitation;
• utilising anti-malware services; and
• implementing information protection best practices such as applying sensitivity labels and data loss prevention policies.

While it is critical to invest in cyber security systems, the systems are only as good as the people that use them.

Employee training about cyber risk and your company’s security protocols is paramount. It is not enough to treat cyber security as something that is self-contained within your IT or security team.