Vince Morgan, a partner at law firm Bracewell who represents corporate policyholders in many coverage areas, including cyber, offers his best advice for policyholders and insurers amid the growing cyber risk landscape during this episode of the Insuring Cyber Podcast.
"Communication is so important in so many aspects of life, and this is a great example of it," he says. "I think you're going to have to see management doing it. You're going to have to see business partners doing it - whether it's insured to insurer or insured to IT vendor. It's communicating about these things and how we can work together to solve a common problem."
Beyond communication, he says re-assessing vulnerabilities is equally important, particularly in the new work-from-home era due to the pandemic.
"It used to be a year ago, companies had a much easier time in protecting their networks and the information that they contain because most people went to a centralized office and the computers were all on one network, and it was easier to manage that," he says.
However, he says this is no longer the case with companies that now have hundreds or even thousands of employees working from home on a daily basis.
"That's hundreds or thousands of new network access points that can be vulnerabilities," he says. "So what we've been advising our corporate policyholder clients is, 'Look, you might've made representations about what your network security protocols were and those kinds of things. You need to revisit those today to find out: does [working from home] work for your cyber insurance?'"
Morgan's advice comes after 2020 saw some significant cyber attacks, particularly toward the end of the year: federal advisories were issued in October regarding a string of ransomware attacks on the U.S. healthcare system; the Twitter handles of several public figures were hacked and used to push a bitcoin scam in early December; and, perhaps most top of mind, the SolarWinds breach was announced in December.
According to a legal filing by the U.S. information technology firm, the breach, which is still being investigated, may have resulted in malicious code being pushed to nearly 18,000 customers after malware was inserted by hackers during an update to SolarWinds' Orion platform, which is a collection of products used to monitor the health of various clients' IT networks.
This came after cybersecurity company FireEye announced it had been breached, discovering bad actors gained access to numerous public and private organizations around the world through the trojanized updates to SolarWinds' Orion IT monitoring and management software.
Karim Hijazi, founder and CEO of cyber intelligence company Prevailion, explains later in the episode that all of this points to the fact that no entity, even a cybersecurity company, is immune to an attack.
"There's a general sense that a security company should be absolutely the most equipped to handle these kinds of issues, or at least preempt them - a little bit like the dentist should have the best teeth out there - which, in some part, is true," he says. "However, this underscores the reality that no organization is effectively immune to these types of attacks, no matter who you are, be it a commercial organization, a cybersecurity organization like FireEye, or a government, for that matter."
He adds that in Prevailion's own analysis of cyber attack victims, it has discovered most believed they had the right protocols in place.
"A lot of these organizations that we've spoken with truly believed that they were secure. They thought they had everything buttoned up. They believed they bought all the right tools and technologies to protect them," he says. "There's sort of a new breed [of cyber criminals] forming here that is aware of what we effectively understand to be their tactics, and they're changing them. And that's what makes this so insidious. That's what's really concerning."
Listen to the rest of this episode to find out what else Vince and Karim had to say, and be sure to tune in for new Insuring Cyber Podcast episodes published every other Wednesday along with the Insuring Cyber newsletter.
Correction: This report incorrectly stated that ISACA's research ranked cyber attacks as the fastest growing crime in the U.S., with cyber crime damages expected to reach $6 trillion globally in 2021. This research is correctly attributed to the report Cyberwarfare In The C-Suite, published by Cybersecurity Ventures. Insurance Journal regrets the error.