Skip to main content
main content, press tab to continue
Article

The role of cyber insurance in the era of third-party systems dependency

October 3, 2023

How cyber insurance can complement your defence strategy
N/A

In today’s business landscape, organizations increasingly rely on third-party solutions. While technology plays a pivotal role in modern business, it’s important to acknowledge that complete control over all IT systems companies rely on is often unattainable.

Looking beyond technology

To address the multifaceted challenges of cybersecurity, we must shift our perspective beyond technology and awareness trainings. The question that arises is: How can we effectively tackle cybersecurity issues that can’t be mitigated through technology and training alone?

The solution: Cyber insurance

In recent months, a group of criminals managed to exploit a vulnerability in a file transfer app called MOVEit[1]. To provide a bit of context, the app is used by thousands of companies worldwide as a file transfer software solution.

That vulnerability allowed criminals to gain access to computer systems of companies using MOVEit, leading to reportedly hundreds of companies experiencing a data breach. The attack affected multiple industries, including banking, finance, insurance, professional services & consulting, airlines, healthcare & pharmaceutical, technology, utilities, leisure, retail, media, education, and many others. All the companies impacted by the attack, regardless of their size, cyber-security awareness, risk controls spending, and general level of digital sophistication had one thing in common. They all relied upon a system provided to them by a third party and none of them could defend themselves from what was coming before it was too late.

The interesting thing is that this angle of an attack (exploitation of a vulnerability in software provided to other companies) is not a new tactic used by the criminals. A similar scenario occurred in December 2021, where a vulnerability was found in Log4J[2], a widely used logging tool utilised globally by personal users, businesses and even governments. That vulnerability allowed hackers to gain access to the relevant systems, which could have led to serious consequences.

Of course, one can say that such vulnerabilities are getting patched accordingly. This is true, but in many cases, the patch will arrive too late to be of any importance to a victim of an already executed hack.

The myth

Battling cyber threats such as those described above, companies are faced with the difficult challenge of protecting their data and ensuring the continuity of their operations. A very common approach taken to tackle such threats is to invest in more technology-based cyber-security solutions. The two examples referenced above prove that while extra cyber-security spending should not harm any company, the belief that we can keep the computer systems and data completely safe solely by investing in technology could be misguided.

The reality

The reality is that regardless of their cyber-security spending, companies can still fall victim to a cyber-attack. The obvious examples for such scenario would be the Log4J and MOVEit hacks. Unfortunately, the risk of such stories repeating themselves is here to stay due to the unavoidable dependence on third party suppliers’ solutions and their systems.

Regrettably, such reliance on systems of third parties is not the only chink in the cyber-armour of companies operating in today’s era of digitalisation. It should be remembered that a dedicated criminal, even where not able to break the system or access it using the ajar door created by a given vulnerability, can always target the most vulnerable component of any IT system – its human user. No matter how well-trained the employees are, a targeted social engineering attack may still hit its mark.

Moreover, companies are increasingly reliant on third party supplied solutions and, in most cases, they still need human employees. Given the limited control over the systems that we are supplied with and the impossibility to control all the employees all the time, it can be safely said that, at least as of now, businesses will not be able to fully manage their cyber-security exposure simply by investing in more technology.

We need to look beyond the technology to find a more holistic way to properly address the issue at hand.

The solution

The question therefore is, what is the solution to address the cyber-security problems which cannot be addressed by more technology and more awareness training?

One solution is to invest in another layer of protection in the form of cyber insurance. Mindful that cyber risk cannot be eliminated entirely, regardless of the spending on training and technology, companies can invest in insurance to fill those gaps in their security with a well-constructed cyber insurance policy.

A well-crafted cyber insurance policy will offer cover in respect of malicious cyber-attacks (including cyber-extortion attempts) impacting a company’s computer system, regardless of whether the criminals attacked that computer system directly, or whether they accessed such system utilising a vulnerability in a piece of software supplied to the company by a third-party service-provider. Moreover, cyber insurance addresses the issue of the company’s liability related to data breaches occurring on the systems of a third party with whom the company entrusted such data or even the company’s own losses resulting from business interruption caused by their IT suppliers or non-IT suppliers being affected by a cyber event.

This does not mean that a cyber insurance policy is there to replace the technology or training. Such risk controls being in place improve the risk quality in the eyes of the insurers and might impact the terms of the policy and its pricing. Ultimately, cyber insurance is another layer of protection which may also ensure that the business survives the cyber event if they are so unfortunate to experience one.

Sources

  1. WTW Client Alert: MOVEit Transfer Application Under Attack. Return to article
  2. WTW Client Alert: Apache Log4J vulnerability. Return to article

Contact


Cyber Practice Leader - Canada

Contact us