Cyber attacks are sadly a part of our lives . . . can we make them go away?
24 March 2021
Today we learned that CNA was hit by major cyber attack. Their website has been down all day and says “On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email.” They immediately engaged a team of forensic experts to investigate and determine the full scope of the attack. Law enforcement was also alerted. They also said that “out of an abundance of caution, we have disconnected our systems from our network, which continue to function. We’ve notified employees and provided workarounds where possible to ensure they can continue operating and serving the needs of our insureds and policyholders to the best of their ability.” They are concerned about the “security of our data and that of our insureds’ and other stakeholders” and will notify those impacted directly.
This is of course not the first time we have seen this happen. Celent’s recent research has shown that the amount and magnitude of cyber attacks has drastically increased over the past few years and accelerated last year with more companies leveraging a working from home model. In its 2020 Global Risks Report, the World Economic Forum ranked cyber-attacks just behind environmental risks in terms of impact and likelihood. Celent’s 2020 report Cyber Threats and Insurance: The Two Sides of the Coin looked the frequency and the nature of cyber threats companies face globally. The report also defines cyber threats and categorizes them and discussed the challenges posed by cyber risks. Our second report Insurers Fight Against Cyber Threats: Preparing for a Long-lasting War provides insights on insurers’ recent experience around cyber attacks as well as CIO plans for protecting their internal operations. It also provides thoughts on how insurers should define and quantify risk scenarios as well as recommendations for defining a proper action plan and organizing internally.
Celent doesn’t have the panacea to avoid them sadly, but education can help. It’s imperative to understand how technology choices increase exposure to cyber threats. And how preventative controls can be taken to prevent access to assets.
Cyber Risk Scenario Manifestation
Source: Oliver Wyman
Insurance company CIOs are increasingly investing in cyber security, identity, and trust technologies. On average, insurers dedicated between 7 and 9% of their total IT budget to cyber security in 2020 and 78% of CIOs we surveyed said that cyber security would have a moderate to high impact on their 2021 plans. Yet, the cyber attacks are still happening, which means insurers have to know what to do when the attack happens. That’s where CNA is now: taking responsive controls and trying to understand its losses. Cyber losses fall into three categories: affirmative (those specified in their cyber coverage), silent (business interruption loss) and direct (hardware, software, and network losses). Cyber insurance will help CNA limit their affirmative losses; silent and direct losses will need to be quantified and will take time to recoup. CNA’s experience is not unusual sadly. To prevent cyber attacks, every company must acknowledge that cyber security is the responsibility of every employee, and human behavior is the most basic line of defense. Institutions cannot hesitate in the goal to educate their employees, third parties, and customers on how to stop them.