In the ever-evolving world of cybersecurity, claims data can teach us a lot about the state of digital risk.
The Resilience Mid-Year 2023 Claims Report gave us a fascinating glimpse into how cybercriminal tactics are morphing in the face of enhanced security measures by businesses worldwide.
Attackers have been upping the ante as businesses beef up their cyber defenses. This cat-and-mouse game revealed a strategic pivot to encryption-less ransoms and a resurgence in targeting high-value entities (ie – “Big Game Hunting.”) This shift not only underscores the adaptability of cybercriminals but also flags third-party risk as a critical vulnerability point.
Reviewing data from the past year, we can begin to make predictions for cyber claims in the coming months, such as the continued growth in third-party attacks, more convincing phishing messaging, and more stringent rules around incident reporting. As we enter 2024, the cyber insurance industry must work to stay ahead of these trends to continue supporting their clients and their portfolios.
1. The Domino Effect of Third-Party Vulnerabilities – A Growing Risk for Interconnected Businesses.
Given the successes of third-party attacks, it’s likely 2024 will see more breaches of third-party suppliers in order to scale the impact of attacks against multiple enterprises. Businesses of all sizes increasingly rely on Third-party and SaaS products for critical IT processes, with the average organization in 2022 using up to 130 SaaS products for front and back-office services. Unfortunately, one weak link in the supply chain is all it takes to cause even the most secure organizations to experience a damaging incident.
Threat actors can gain wide access to multiple organizations when a SaaS provider is breached, increasing their likelihood of a successful ransom demand. This makes these kinds of attacks both appealing and economical for threat actors. In the first half of 2023, third-party vendor risk became the leading cause of loss that impacted Resilience claims. As a result, Resilience predicts this trend will remain a top cause of loss and point of failure in 2024.
Organizations must thoroughly audit their third-party providers as these attacks grow more common. Third-party cybersecurity and insurance protocols must meet the same objectives and standards as the organizations that use them to avoid gaps in their attack surface. Continuous monitoring and evaluation of this extended attack surface will be critical to managing this increasingly challenging threat.
2. The Double-Edged Sword of AI – New Tech Almost Always Presents New Challenges in Cyber.
As the world begins to change with the widespread use of large language models (LLMs) and AI, social engineering-based cyber attacks will become more proficient and difficult to detect. Previous tip-offs of phishing messages, such as grammatical errors or unusual sentences, will become less effective in determining a false message. The use of AI in human engineering attacks will elevate the believability of these messages in ways we have never seen before, creating a need for even more stringent cybersecurity training. “The reality is there will always be a human in the chain somewhere,” said Tom Egglestone, Global Head of Claims at Resilience, “that is why it is vital that business leaders adopt an approach that considers both the technical and the human elements of cyber risk management.”
Resilience experts predict that the advancement of AI will have a two-fold impact on claims in 2024, with an increase of successful social engineering attacks as well as a continued growth in supply chain and third-party breaches conducted through weaknesses within systems powered solely by AI. Organizations should be cautious of an overreliance on automated systems, which have the potential to be easily exploited in their early phases. Businesses using AI within their supply chain must remain vigilant and keep a human in the loop to manage and monitor these processes as we come to better understand the vulnerabilities they create.
3. Navigating the Regulatory Maze – New Rules Lead to New Cyber Risk Management Strategies.
2023 saw significant changes and additions to global legal frameworks around cyber risk management. With these changes, we will likely see an increase in cyber claims across the insurance industry. In 2023, seven new US states finalized amendments and passed comprehensive legislation around data privacy. As similar regulations are more widely implemented, the definition of a privacy breach will continue to develop, potentially resulting in more claims being filed.
Resilience predicts that the new SEC rules for public organizations may also lead to increased reporting and a critical differentiation in how organizations respond to cyber incidents. The rules require public companies to “disclose any cybersecurity incident they experience that is determined to be material” and to “periodically disclose their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats.” Going forward, public business leaders will need to consider these elements in a more strategic and holistic way to prepare for this annual disclosure.
4. SEC Rules Altering the Cyber Playbook – Shifting Behaviors for Businesses and Threat Actors.
The introduction of new SEC rules has already begun to shift threat actor behavior, and Resilience experts predict this will continue. In late 2023, the ransomware group BlackCat/ALPHV leveraged the SEC’s new rules against a victim organization that neglected to notify the SEC within its designated timeframe. When BlackCat realized their breach had not been reported, they contacted the SEC themselves and filed a complaint against their victim for failing to follow the new rules. Fortunately, the impacted organization had not broken the rules because they had not yet taken effect. However, this brazen move is further evidence of the lengths some threat actors will go to elicit a ransom payment, playing both cop and robber in forcing an organization to react.
The new SEC rules will also impact how public companies approach their cyber risk management protocols and procedures. Organizations will need to shift strategies to remain in legal compliance. Part of the new rules requires annual articulation of cybersecurity risk management strategies, governance, and processes.
To comply with this requirement, many organizations will need to build more cyber expertise within their executive team. An expert who can articulate strategies, governance, and processes while bridging the gaps between security and insurance will become increasingly necessary to create and manage “a defined program which operates on a standalone basis, with trusted and repeatable outputs.”
5. Evolving Requirements of Cyber Insurance – The Latest Rules of Resilience
2023 was an extremely progressive year for cybersecurity regulations. Given these new security requirements, public cyber insurance clients are likely to change their behaviors to remain in security compliance. Considering the SEC’s new rules for regulation and accountability, publicly traded and even private organizations are likely to shift their approaches to incident reporting, articulating risk management strategies, and incident response planning. “While the new regulations apply specifically to be publicly-traded companies, we anticipate it will heavily influence private companies and how they manage their cyber risk,” said Egglestone.
Despite new rules around security, it will be key for public and private organizations alike to remember that a solely compliance-focused risk management strategy could create security gaps that invite the potential for a cyber incident. Resilience recommends instead taking a risk-focused strategy, which means identifying pivotal risks and working backward to maintain compliance while securing what matters most.
Remaining Cyber Resilient in 2024 will require even further vigilance around human engineering attacks, third-party incident monitoring, and managing compliance standards. Resilience offers tools to help our clients thoroughly address every aspect of their cyber risk while monitoring the threats that matter most to their environment.
