Just as we were preparing for the holiday season, security issues arose in Log4j. Security professionals around the world sprang into action to understand their exposure, fix any affected internal software, and deploy updated versions of their vendors’ products. Based on conversations with CISOs and security teams, that work will continue throughout this year.
Alongside the technical issues in the software supply chain and in internal applications, there is also an element of business risk management: how a company manages risk to its operations using tools such as cyber insurance to complement its security processes. If something goes wrong, cyber insurance is expected to cover the costs of recovering data, rebuilding applications, and restarting normal operations.
What is the role of cyber insurance over time?
Cyber insurance is a large and rapidly growing industry. According to GlobalData, it was worth $7 billion in gross written premiums in 2020, and the market is expected to reach $20.6 billion by 2025. In recent years the market was competitive, so premiums were low and policies were comprehensive. Over the past year that has changed: the volume of claims has increased and resulted in more payouts, which has hurt the profitability of insurers.
The Log4j issue will affect the way insurance and reinsurance companies write their policies in the future. We are already seeing discussions about excluding Log4j-related losses from reinsurance policies in 2022, as many of those policies were due for renewal on December 31, 2021. That in turn limits the policies insurers can offer their own customers.
What does this mean for IT security teams? For practitioners, it makes their work more important than before, because preventing problems becomes more valuable to the business. Standard security practices such as asset inventory and vulnerability management will be necessary, and reviewing software bills of materials (SBOMs) for the same issues will help on the software supply chain side. These practices will also need to be highly automated: organizations need accurate insight in hours, not months, to address future threats while minimizing cost.
For those responsible for broader business risk, these developments around cyber insurance present a bigger problem. Cyber insurance policies will still be available, and still needed, but the policies themselves will cover less ground. Where past policies were fairly broad and paid out on a range of issues, future policies will offer narrower coverage.
Much like medical insurance that excludes pre-existing conditions, cyber insurance policies will become stricter. The Lloyd’s Market Association, which advises underwriters in the Lloyd’s of London market, published model clauses in 2021 for excluding cyber war and state-backed cyber operations from policies. This covers actions by hacking groups linked to nation states, as happened with the NotPetya attack of 2017, which targeted organizations in Ukraine and then spread to disrupt businesses worldwide.
These changes around cyber insurance make it harder to manage business risk in context. The IT team can do its own work, but it cannot control what the companies in its software supply chain are responsible for. According to Google, more than 17,000 packages in Maven Central included Log4j as of December 19, 2021, so it is deeply embedded in Java software. Of these packages, about a quarter had updated versions available. That share should improve over time, but many packages will never be updated, either because they cannot be or because they are orphaned and no one maintains them. An incident caused by Log4j somewhere in the software supply chain could therefore affect the business despite the best efforts of the IT security team.
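The SBOM review recommended for security teams above, and the transitive-inclusion problem described in this paragraph, can be checked mechanically. The following is an added example written for this page (not code from the original article or from any vendor it mentions): it parses a CycloneDX JSON SBOM, flags every log4j-core component older than a chosen fixed release, and walks the SBOM's dependency graph to show which direct dependency pulls it in. The sample SBOM and its `example` coordinates are constructed for the example; the 2.17.1 threshold is an assumption that should be kept in step with current advisories; `org.apache.logging.log4j` / `log4j-core` are the real Maven coordinates of Log4j 2.

```python
"""Scan a CycloneDX JSON SBOM for log4j-core releases below a chosen fixed
version and report which direct dependency pulls each one in."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Assumption: treat 2.17.1 as the minimum acceptable log4j-core 2.x release.
# The script only compares versions; update this threshold as advisories change.
MIN_FIXED_VERSION = "2.17.1"
LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACT = "log4j-core"

# Constructed sample SBOM for this example (no real product). The root
# application pulls log4j-core in twice, transitively: a vulnerable version
# via reporting-lib and a fixed version via auth-lib.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "billing-app",
                 "version": "1.0.0", "bom-ref": "pkg:maven/example/billing-app@1.0.0"}},
    "components": [
        {"type": "library", "group": "example", "name": "reporting-lib",
         "version": "3.2.0", "bom-ref": "pkg:maven/example/reporting-lib@3.2.0"},
        {"type": "library", "group": "example", "name": "auth-lib",
         "version": "1.1.0", "bom-ref": "pkg:maven/example/auth-lib@1.1.0"},
        {"type": "library", "group": LOG4J_GROUP, "name": "log4j-core", "version": "2.14.1",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": LOG4J_GROUP, "name": "log4j-core", "version": "2.17.1",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/billing-app@1.0.0",
         "dependsOn": ["pkg:maven/example/reporting-lib@3.2.0",
                       "pkg:maven/example/auth-lib@1.1.0"]},
        {"ref": "pkg:maven/example/reporting-lib@3.2.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/example/auth-lib@1.1.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"]},
    ],
})


def parse_version(v: str) -> Tuple:
    """Turn '2.14.1' or '2.0-beta9' into a tuple that sorts correctly; a
    qualifier such as beta9 or rc1 ranks below the final release of that number."""
    base, _, qualifier = v.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", base)][:3]
    nums += [0] * (3 - len(nums))
    return (*nums, 0 if qualifier else 1, qualifier.lower())


def find_path(deps: Dict[str, List[str]], root: str, target: str) -> Optional[List[str]]:
    """Breadth-first search over the SBOM dependency graph; returns the bom-refs
    from root to target, or None if the graph does not connect them."""
    queue = [[root]]
    seen = {root}
    while queue:
        path = queue.pop(0)
        if path[-1] == target:
            return path
        for child in deps.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return None


def find_vulnerable_log4j(sbom_json: str, min_fixed: str = MIN_FIXED_VERSION) -> List[dict]:
    """Return one finding per log4j-core component older than min_fixed,
    with the direct dependency ('via') that introduces it."""
    bom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    floor = parse_version(min_fixed)
    findings = []
    for ref, comp in components.items():
        if comp.get("group") != LOG4J_GROUP or comp.get("name") != LOG4J_ARTIFACT:
            continue
        version = comp.get("version", "")
        if parse_version(version) >= floor:
            continue
        path = find_path(deps, root, ref) if root else None
        findings.append({
            "ref": ref,
            "version": version,
            # 'via' is None when nothing in the graph leads to this component.
            "via": path[1] if path and len(path) > 1 else None,
            "path": path,
        })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_SBOM):
        print(f"{f['ref']} (version {f['version']}) pulled in via {f['via']}")
```

To use it on a real build, pass the exported CycloneDX JSON to `find_vulnerable_log4j`. Two caveats a practitioner will want: an SBOM only describes what the build declared, so a copy of Log4j shaded into a fat JAR or vendored as source will not appear in it at all, and a finding whose `via` is None is the orphaned-package case the article describes, a component present in the bill of materials that nothing in the dependency graph accounts for.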
Plan ahead on risk management
To anticipate this, companies need to review their overall approach to risk management. How much do they rely on cyber insurance as part of their risk strategy versus their own internal processes, and how will that balance change this year? Over time, cyber insurance will cover a narrower scope and getting a claim approved will be harder.
To deal with this, CISOs should put the foundations of security in place as part of their overall risk management strategy. That can only be achieved in collaboration with the wider IT department and the business itself. For example, the modern CISO must look for security vulnerabilities across every part of the business (data centers, cloud deployments, software-as-a-service applications, and so on) and present that data in the context of the risk to the company, broken down by department and division. This gives the company an accurate picture of its security posture in a business context.
These risks must also be prioritized by business impact. For example, if a high-severity vulnerability like Log4j is found in a core business application and needs rapid remediation, everyone will understand the rationale and approve the change request quickly. The board and management team will know what achieving this kind of rapid response costs the business, and what the risk of not doing so is. This makes it easier to win support for better security across the organization, reducing risk over time.
This helps in two ways. First, it should reduce the chance that security issues lead to successful attacks such as ransomware in the first place, because issues are fixed before they are exploited. Second, it demonstrates that the organization has implemented effective practices and prioritizes security throughout its operations, which makes it easier to obtain a reasonable cyber insurance policy and improves the odds that the policy will pay out when it is needed.