Just as we were preparing for the holiday season, security issues arose in Log4j. Security professionals around the world sprang into action to understand their risk levels, implement fixes to any internal software, and deploy updated versions of their vendors’ products. This will continue this year, based on conversations with CISOs and security teams.
Behind the technical issues with the software supply chain and internal applications, there is also an element of business risk management – for example, how a company manages risk to its operations using tools such as cyber insurance to complement its security processes. If something goes wrong, cyber insurance should cover the costs of recovering data, rebuilding applications, and restarting normal operations.
What is the role of cyber insurance over time?
Cyber insurance is a large and rapidly growing industry – according to GlobalData, it was worth $7 billion in gross written premiums in 2020. The cyber insurance market is expected to reach $20.6 billion by 2025. In recent years, the cyber insurance market was competitive, so premiums were low and policies were comprehensive. Over the past year, that has changed – the volume of claims has increased and resulted in more payouts, which has affected the profitability of insurance companies.
The Log4j issue will affect the way insurance and reinsurance companies write their policies in the future. Already, we are seeing discussions about excluding Log4j issues from reinsurance policies in 2022, as many policies were due for renewal on December 31, 2021. This will affect the policies that insurance companies can offer their customers.
What does this mean for IT security teams? For practitioners, this will make their work more important than before, as preventing possible problems will be more valuable to the business. Implementing standard security practices such as asset inventory and vulnerability management will be necessary, while reviewing software bills of materials for these same issues will help on the software supply chain side of security. These practices will also need to be highly automated, as organizations need to be able to obtain accurate insights in hours, not months, to address future threats while minimizing cost impact.
For those responsible for broader business risk, these developments around cyber insurance will present a bigger problem. Cyber insurance policies will still be available – and still necessary – but the policies themselves will cover less ground. While past years had fairly broad policies that would pay out on a range of issues, future policies will offer less coverage.
To read the full article, visit Dark Reading.