In today’s business landscape, organizations increasingly rely on third-party solutions. While technology plays a pivotal role in modern business, it’s important to acknowledge that complete control over all IT systems companies rely on is often unattainable.
To address the multifaceted challenges of cybersecurity, we must shift our perspective beyond technology and awareness training. The question that arises is: how can we effectively tackle cyber risks that cannot be mitigated through technology and training alone?
In recent months, a criminal group exploited a vulnerability in a managed file transfer product called MOVEit Transfer[1]. To provide a bit of context, the product is used by thousands of companies worldwide to move files between organisations.
That vulnerability allowed the criminals to access the systems of companies running MOVEit Transfer and to steal the data held there, leading to reportedly hundreds of companies experiencing a data breach. The attack affected multiple industries, including banking, finance, insurance, professional services and consulting, airlines, healthcare and pharmaceuticals, technology, utilities, leisure, retail, media, education, and many others. All the companies impacted by the attack, regardless of their size, cyber-security awareness, spending on risk controls and general level of digital sophistication, had one thing in common: they all relied on a system supplied by a third party, and none of them could have defended themselves against a flaw they did not know existed until it was too late.
The interesting thing is that this attack vector (exploitation of a vulnerability in software supplied to many companies at once) is not a new tactic. A similar scenario occurred in December 2021, when a vulnerability was found in Log4j[2], a widely used logging library embedded in software run by individuals, businesses and even governments. That vulnerability allowed attackers to execute their own code on any affected system simply by getting it to log a specially crafted string, and many organisations did not even know that Log4j was present inside the products they were running.
Of course, one can say that such vulnerabilities get patched. This is true, but in many cases the patch arrives too late to help a company that has already been compromised: in the MOVEit Transfer case, the vulnerability was being exploited before the vendor had a fix available, so a victim's patching discipline made no difference to whether its data was taken.
One response is to invest in another layer of protection in the form of cyber insurance. Mindful that cyber risk cannot be eliminated entirely, regardless of the spending on training and technology, a company can use a well-constructed cyber insurance policy to cover the residual risk that its controls cannot remove.
A well-crafted cyber insurance policy will offer cover in respect of malicious cyber-attacks (including cyber-extortion attempts) impacting a company's computer systems, regardless of whether the criminals attacked those systems directly or reached them through a vulnerability in software supplied by a third-party service provider. Cyber insurance can also address the company's liability for data breaches occurring on the systems of a third party to which the company entrusted its data, and the company's own losses from business interruption caused by an IT supplier, or even a non-IT supplier, being hit by a cyber event. Because policy wordings vary on exactly these points, the extent to which third-party and supply-chain incidents are covered should be checked explicitly before the policy is bought.
This does not mean that a cyber insurance policy replaces technology or training. Having such risk controls in place improves the quality of the risk in the eyes of insurers and will affect the terms of the policy and its pricing; insurers may also make cover conditional on baseline controls being in place. Ultimately, cyber insurance is another layer of protection, one which may ensure that the business survives a cyber event if it is unfortunate enough to experience one.