riskandinsurance.com Open in urlscan Pro
2606:4700:3108::ac42:2b6f Public Scan

Back to summary

Submitted URL:
http://click1.email.riskandinsurance.com/nktyrpggffdnqfcwntbbhncpwbnjhbccjjzpkdtytjwdk_chcmqtchhftlggchcdhh.html?a=981500
Effective URL:
https://riskandinsurance.com/cyber-threats-will-never-cease-so-why-do-only-70-of-companies-have-adequate-security-measures-in...
Submission: On February 10 via api (February 10th 2022, 5:19:11 pm UTC) from US — Scanned from DE

Form analysis
1 forms found in the DOM

GET https://riskandinsurance.com

<form class="search-form" method="get" action="https://riskandinsurance.com" role="search" autocomplete="off">
  <div class="search-wrapper ">
    <div class="input-holder">
      <input type="search" name="s" class="search-input" value="" placeholder="Search">
      <span class="search-help">Type your search term above</span>
      <!---->
    </div>
    <!--<span class="close search-toggle"></span>-->
    <div class="result-container">
    </div>
  </div>
</form>

Text Content

2132
*
*
*

* Sections
* Critical Risks
* Risk Management
* The Insurance Industry
* Claims & The Law
* Workers’ Comp Forum
* Risk Insiders
* Sector Focus
* .
* Risk Central
* Power Broker
* Risk Matrix
* The Profession
* Risk Scenarios
* Risk All Stars
* Teddy Award
* Sponsored Content
* Magazine
* Digital Issue
* Issue Archive
* Subscribe
* Conferences
* Ergo
* National Comp
* Advertise
* Subscribe
* More
* Award Applications
* Newsletters
* &BrandStudio
* Privacy Policy
* About R&I
* Contact Us

* Trending Stories
* National Comp
* Power Broker
* Workers’ Comp Forum
* Risk Matrix
* Risk Central
* The Profession

NEWSLETTERS

The best of R&I and around the web, handpicked by our editors.

RISK CENTRAL

White papers, service directory and conferences for the R&I community.

GO TO RISK CENTRAL.

DIGITAL EDITION

Web replica of the print magazine.

VIEW DIGITAL EDITION.

Type your search term above

*
*
*
*

CYBER THREATS WILL NEVER CEASE. SO WHY DO ONLY 17% OF COMPANIES HAVE ADEQUATE
SECURITY MEASURES IN PLACE?

Aon's 2021 Cyber Risk Report looks at which industries are lagging in cyber
resilience and how to prioritize a healthy cyber budget.
By: Emma Brenner | February 5, 2022
Topics: Cyber | Risk Management

We are closing in on the second full year of life with COVID-19. Cyber risks,
established prior to the pandemic and having grown during its peaks, are likely
not done evolving.

Yet many organizations across several different sectors are still reported as
not being sufficiently equipped to deter, and respond to, a cyber attack.

This was a main finding in Aon’s 2021 Cyber Risk Report, which delves into which
specific industries are the most vulnerable, why organizations are not
prioritizing cybersecurity, and how these organizations can better position
themselves against the ever-evolving cyber risk.

THE REPORT’S CENTRAL TAKEAWAYS

The most alarming finding from the report could quite possibly be the
unpreparedness of so many organizations when it comes to cyber risk.

The report found that only two out of five organizations surveyed are prepared
to properly respond to cyber exposures.

Additionally, “only 17% [of the organizations reported] have the adequate
application security measures in place, [or 83% don’t],” said Jonathan Rajewski,
managing director at Stroz Freidberg, an Aon company.

This lack of preparedness comes after some of the most widely-known and
tumultuous cyber attacks occurred, which include the Colonial Pipeline and
SolarWinds attacks.

Specifically, ransomware incidents have dangerously increased, a 400% uptick
from the first quarter of 2018 to the fourth quarter of 2020, according to the
report. From 2019 through 2020, cyber claims rose by 336%.

Another takeaway is the fact that companies are currently facing what the report
calls a “rapid digital evolution,” and they cannot keep up.

“The accelerated digital adoption in business over the last two years, coupled
with the pace of change, makes it harder than ever for risk managers to identify
and quantify new exposures,” said Rajewski.

As these digital capabilities continue to evolve, so will the risks. If
companies are not prioritizing their cyber risk responses proactively, they will
never match the pace of risk evolvement.

“Simply put, companies need to concentrate on improving their controls,” said
Rajewski.

Which industries are behind the curve? The report listed eight sectors:
construction, energy, financial institutions, life sciences, manufacturing,
professional services, retail and technology.

Rajewski said many of these industries “didn’t think they had the same
perceived risk” as those industries that hold much more sensitive data, such as
personal identifiable information.

“With the [recent] headlines [of cyber attacks], it’s really been a wake-up
call.” Rajewski said.

COVID-19, INCREASED CYBER RISK AND SOPHISTICATED CYBER CRIMINALS

It’s no secret that the implementation of remote work has greatly changed the
magnitude of cyber exposure.

As employees worked from home and strapped individual cyber vulnerabilities onto
their backs, it became more difficult for employers to manage the risk on such a
wide scale.

As mentioned before, there is a link between the pandemic and an increase in
cyber claims. The severity of these cyber attacks has also escalated.

The report found that by the end of 2020, seven out of ten ransomware attacks
“involved the threat to leak exfiltrated data.” In some cases, these attacks
have led to whole servers being permanently wiped.

Severity of these attacks stem from a rise in sophistication of cyber criminals.

“It’s ever evolving. As technology evolves, [cyber criminals] will constantly
leverage technology in way that lets them do what they want to do,” Rajewski
said.

These added layers of cyber risk, that continue to change unexpectedly, are just
another reason as to why organizations need to establish a clear line of
defense. Organizations must have a clear response to deal with the unknown.

DEVELOPING A HEALTHY CYBER BUDGET

It’s imperative for organizations and companies to create a cybersecurity plan
that not only addresses any potential exposures, but that is cost-effective.
This is what developing and maintain a healthy cyber budget entails.

Rajewski said the development of a cyber budget depends on the size of each
company and any specific regulatory requirements or industry risks that the
company may have. However, Rajewski noted a few actions of companies who get it
right.

For one, a company’s cyber budget should “prioritize budget spending on having
the right people, processes and technology in place,” according to Rajewski.

Examples of this include an assessment team to gauge a company’s cyber
resilience and multi-factor authentication.

This also includes implementing educational programs for employees regarding how
cyber criminals can infiltrate a company’s systems and how to respond to
phishing emails, which has become a mainstream cyber attack approach.

This type of training can be a matter of a cyber attack resulting in success or
not, and Rajewski notes that these programs “may require some investment.”
However, prioritizing the investment is certainly worth the potential reward. &

Emma Brenner is a staff writer with Risk & Insurance. She can be reached at
brenner@theinstitutes.org.

SHARE THIS ARTICLE!

Click to Copy
Share
Tweet
Share

SPONSORED CONTENT BY NATIONWIDE

HOW TO TACKLE THE RISING TIDE OF RANSOMWARE ATTACKS

As cyber criminals become increasingly more sophisticated in their mode of
attack and ransom demands spiral, so businesses need to be more proactive in
preventing an attack and dealing with its aftermath.
By: Nationwide® | October 1, 2021

Ransomware is the single biggest risk facing businesses today.

Such attacks are becoming increasingly prevalent as the criminals develop
ever-more sophisticated methods and attack vectors. Increasing digital
interconnectivity, and the use of mobile devices and the Internet of Things have
provided the hackers with more touch points to attack. As companies grow further
and faster than before, so too are they leaving themselves more exposed to these
cyber threats, which are only increasing in severity and frequency.

The problem is exacerbated for larger firms with legacy systems and networks or
those undergoing mergers or acquisitions. Certain industries, such as
manufacturing and many in the public sector, are also less well prepared for
these new types of attacks.

Driving this rising tide of ransomware attacks are nation-state sponsored
hackers from countries such as Russia and Ukraine, who have only one aim: to
causing maximum disruption. Such is their growth that they have now become an
industry in their own right, with the criminals hiring out their services or
acting as a broker to return for a cut of the profits.

The costs go far beyond the initial loss too: they extend to business
interruption, forensics, recovery and restoration costs from the event. Added to
that, ransom demands are increasing as the hackers target higher value
organizations.

“Gone are the days of limited seven-figure ransom demands,” said Tim Nunziata,
Associate Vice President and Head of Cyber Risk at Nationwide. “Now we’re seeing
multi-million dollar demands regularly.”

The effects of such attacks on businesses can be ruinous, not just operationally
and financially, but also reputationally — something many small and mid-sized
firms don’t have the wherewithal to deal with. In worst-case scenarios, they can
be forced out of business.

AN INDUSTRY-WIDE RISK

Tim Nunziata, Associate Vice President and Head of Cyber Risk, Nationwide

One key challenge is that claims are no longer confined to specific industries.

In the past, claims were largely limited to data privacy and network security
breaches, so therefore, sectors such as banking, healthcare and retail were more
likely to be targeted.

Now, any business could fall victim to a ransomware attack. Consequently, a more
collective approach to controls, policies and procedures is needed to counter
the problem.

Given the global nature of ransomware, consistent data privacy and security
regulation is a big issue. Particularly, in the U.S. where firms may be
operating in multiple states, each with their own legislation.

“One challenge the industry faces is the lack of consistency. Not only is it a low bar for
certain requirements and regulations, often times the bar wasn’t there a
few years ago,” said Nunziata.

The recent introduction of new laws aimed at setting the standard for
cybersecurity and data privacy practices has at least provided the framework for
a broader approach to tackling the problem. New York State Department of
Financial Services’ Cybersecurity Regulation, the California Consumer Privacy
Act, the European Union’s General Data Protection Regulation and China’s
Cybersecurity Law, all aim to step up cyber and data privacy.

Insurers are also reacting to the ransomware threat. The primary markets are
significantly increasing retention, raising rates by as much as 400% in some
areas, supplementing coverage, tightening terms and putting limits on certain
extensions.

“It was a soft market for a long time,” said Nunziata.

“But primary markets are increasing retentions substantially and restricting
certain coverage extensions, because the ransomware incidents have become more
common and complex.”

PREPARING FOR AN ATTACK

Businesses need to prepare for a ransomware attack by putting appropriate risk
management controls and policies in place. They must also have an incident
response plan, which includes secure and reliable backups on separate networks
that are updated regularly and data segmentation in the event of an attack.

Companies should be in regular contact with their insurer to discuss the risk
mitigation strategies they are taking to address the problem both before and
after an attack. They also need to work with their IT and network security, and
cybersecurity teams to constantly test and update their systems and protocols.

Given that ransomware attacks stem from unauthorized access to a system or data
and the fact that more staff are now working from home, organizations need to
focus on their management controls to ensure that access is restricted to only
those who need it to perform their duties. They also need to implement and
reinforce remote desktop working protocols.

“The majority of incidents are self-inflicted,” said Nunziata.

“Whether it’s social engineering or phishing, an employee clicks on a link that
takes them through to a website set up to capture their data or they work in an
unprotected network, the employee is an organization’s biggest vulnerability.”

THE CYBER INSURANCE SOLUTION

Companies, with the help of their broker, need to make sure that their insurance
is comprehensive enough to cover them in the event of an attack. Too often, they
assume that they will be covered under their property, liability, or crime
policies, yet, in reality, they aren’t.

Firms, therefore, need to have a standalone cyber insurance policy in place to
guard against potential exposure.

For those that have property and casualty policies too, insurers are now
explicitly stipulating in their terms whether cyber is included or excluded to
avoid any confusion and gaps or overlaps.

“As insurers examine increased loss history and claims data, they are able to
better assess and price for the risk, and provide the affirmative coverage the
client needs,” said Nunziata.

“That will translate into more comprehensive coverage at a rate which more
accurately reflects the risk and makes sense for the client.”

Nationwide has been at the forefront of cyber insurance for the last 10 years.
The company has built a portal that provides its brokers and clients with
training modules, news and updates on industry trends, and a business
interruption calculator to enable them to get a better understanding of the
risk, as well as access to a list of vendors in the event of an attack.

Nationwide’s Enterprise Cyber Insurance product is designed to improve
organizations’ cyber risk profiles. It provides policyholders with access to a
range of loss prevention tools and services, breach response and remediation
expertise, and an experienced claims team.

No matter how good your cybersecurity is, the criminals are always one step
ahead. That’s why you need to act now to make sure you are taking all the right
precautions to avoid an event happening in the first place.

“Network security and cybersecurity used to be just a conversation that
organizations would have,” said Nunziata.

“Now, they are doing everything in their power to protect customer data,
particularly in light of the rise in ransomware attacks, increased regulatory
scrutiny, and generally more aware and savvy customer base.”

For more information, visit
https://mls.nationwideexcessandsurplus.com/fs/products/cyber-and-professional-liability/.

ABOUT NATIONWIDE
AM BEST RATED A+ XV | S&P A+ | FORTUNE 100 COMPANY
PRODUCTS UNDERWRITTEN BY NATIONWIDE MUTUAL INSURANCE COMPANY AND AFFILIATED
COMPANIES. NOT ALL NATIONWIDE AFFILIATED COMPANIES ARE MUTUAL COMPANIES, AND NOT
ALL NATIONWIDE MEMBERS ARE INSURED BY A MUTUAL COMPANY. HOME OFFICE: ONE
NATIONWIDE PLAZA, COLUMBUS, OH. NATIONWIDE, THE NATIONWIDE N AND EAGLE, AND
OTHER MARKS DISPLAYED ON THIS PAGE ARE SERVICE MARKS OF NATIONWIDE MUTUAL
INSURANCE COMPANY, UNLESS OTHERWISE DISCLOSED. © 2021 NATIONWIDE MUTUAL
INSURANCE COMPANY.

This article was produced by the R&I Brand Studio, a unit of the advertising
department of Risk & Insurance, in collaboration with Nationwide. The editorial
staff of Risk & Insurance had no role in its preparation.

Nationwide, a Fortune 100 company, is one of the largest and strongest
diversified insurance and financial services organizations in the U.S. and is
rated A+ by both A.M. Best and Standard & Poor’s.