The Growing Threat of Cyber Attacks

In the face of all the grim predictions, remember that myriad tools can protect businesses against and mitigate the impact of cyber-related events.

As cyber criminals’ methods become increasingly sophisticated and their ability to launch attacks with seeming impunity continues, the repercussions for businesses, from the smallest to the Fortune 50, cannot be overstated. Potential targets are not limited to those that have personally identifiable information, personal health information or customer credit card data. In fact, some of the largest cyberattacks over the last two years have not involved the mining of such information at all. Rather, these attacks have either shut down or materially interrupted vital infrastructure, health systems, financial companies and all means of the manufacturing process, including construction, supply chains, distribution and sales.  

The FBI and Department of Homeland Security’s Feb. 17 warning of anticipated cyberattacks against U.S. (and Ukrainian) governmental and commercial networks in the wake of Russia’s invasion of Ukraine, which has now come to pass, highlights the dire circumstances being faced worldwide. Any business that interacts with or depends on the internet for its existence is a target, regardless of size.  

The impacts of such attacks take any number of forms: malware, including ransomware (which disables the ability to access IT systems until a ransom is paid); business interruption (income lost because of the inability to access systems); data restoration (reconstructing “lost” company and customer data); social engineering/phishing (loss of money based on the impersonation of a colleague, client or vendor); regulatory fines and penalties; liability to third parties if their information is compromised; and reputational harm. Estimates of losses from these events run anywhere from $20 billion in ransomware costs alone for 2021 up to trillions of dollars being spent by 2025 to respond to and fight all manner of these attacks.

The Tools to Mitigate Cyber-Related Events 

Despite (or perhaps because of) these grim predictions, it is vitally important to remember that myriad tools can protect businesses against and mitigate the impact of cyber-related events.

Internal Controls

Due to the sheer number of attacks, cybersecurity experts have been able to identify many of the key vulnerabilities that criminals manipulate to gain entry into computer systems, and how to fix them. That list includes:

  • Multi-factor authentication tools to safely access internal computer systems
  • Robust desktop security protocols, including: virtual private networks, data encryption, complex passwords, firewalls and restricted access to admin rights
  • Active management of systems and configurations
  • A continuous hunt for network intrusions and third-party exposure threats
  • Immediate updating and upgrading of software
  • Development and use of a system recovery plan, including regular testing of backups for data integrity and restorability, and preparation and annual testing of an incident response/business continuity plan

As this list indicates, system and information security is the key to avoiding (or at least mitigating) cyber-related risks. Whether through dedicated in-house personnel, engaging with an outsourced cybersecurity firm or having those groups work in tandem, companies can see many vulnerabilities and address them as an enterprise-wide project. While there is no “one size fits all” approach, and it is a true investment of both capital and manpower, companies must at least do an initial assessment of their cybersecurity policies and procedures. The biggest mistake companies make is believing that they are not a target because of their industry, their size, their revenue or their footprint. Everyone is a target, so these issues simply cannot be ignored.  

Insurance

Another key mitigation tool is purchasing a cyber insurance policy, which allows businesses to transfer risks associated with cyber-related security breaches to first-party reimbursement (e.g., loss to the company itself) and third-party indemnity (e.g., liability claims against the company and regulatory proceedings). A robust cyber policy is structured around helping the company recover and handling the costs that are associated with an attack.

The purchase of insurance will often also act as a catalyst for implementing the tools and processes described above. Cyber insurance carriers are increasingly demanding that many of the items described above be in place or be on track to be put in place before they will even issue a quote outlining the costs and coverages potentially available. Carriers will assess: possible risks pertaining to the company; the strength of cybersecurity controls; and compliance with legal and industry standards. Companies must be transparent during this application and review process, so issues do not arise in the event of a claim.  

No insurance policy is worth the premium paid if it is not available in the event of a loss. As ransomware emerges as one of the more profound financial and operational interruptions affecting businesses and insurance companies worldwide, it’s imperative to seek an independent risk advisor who can serve as a sounding board and help navigate through the various and sudden risks facing enterprises globally.


Kimberly Patlis Walsh

Kimberly Patlis Walsh is president and managing director of Corporate Risk Solutions.

She brings over 20 years of insurance underwriting, program structuring and multinational client risk advisory representation to her CRS engagements. Prior to joining CRS in 2003, Patlis Walsh served as SVP of AIG's mergers and acquisitions group, structuring insurance and financial solutions to a variety of corporations (publicly traded and privately held) to limit or transfer liabilities within corporate transactions, recapitalizations, bankruptcies and other M&A situations. While at AIG for over 11 years, she held various positions within various underwriting groups to non-traditional risk transfer/finance insurance to address known risks as well as serving as relationship point to a number of global investment clients. Previously, Patlis Walsh was in investor relations at a NYSE-listed apparel company and a paralegal at Fried, Harris, Shriver & Jacobson.


Michael Gallagher

Michael F. Gallagher is senior vice president and general counsel at Corporate Risk Solutions.

Gallagher is an attorney and adviser with extensive, hands-on experience solving complex legal problems and enhancing business outcomes for clients throughout the U.S. and internationally. At CRS, Gallagher is involved in all aspects of the business, as well as engagements with clients, including analysis of clients' risk and indemnity exposures, insurance contract negotiations and advice on claims advocacy and enterprise risk issues.

Prior to joining CRS, Gallagher was a member of Katten Muchin Rosenman's insurance and risk management practice group for 18 years. Gallagher has handled complex insurance coverage and defense litigation matters, representing both policyholders and insurance companies, involving, among other areas, directors' and officers' liability, errors and omissions claims, intellectual property claims, fidelity and crime coverage, property and casualty claims and business and contingent business interruption claims. He also conducted internal investigations on behalf of clients' boards of directors and independent audit committees, as well as represented several international corporations in complex commercial arbitrations in matters arising in the Middle East, South America and Europe. Prior to joining Katten, Gallagher was an assistant district attorney for Westchester County, New York.

He holds a juris doctorate degree from Fordham University School of Law and a bachelor of arts degree from Fordham University.
