Cyber hygiene is needed to manage the tentacles of software supply chains

One of the more perplexing findings from this year’s Risk and Resilience research is that business leaders appear to be less concerned about cyber risk than they were in our 2021 survey.

While cyber still tops the rankings within the ‘cyber and technology risks’ group, the proportion of UK and US business leaders putting cyber risk top of their list has reduced since last year, down by nearly a fifth to 28% of survey respondents.

While businesses put in a lot of hard work in 2020 to upgrade cyber controls for the new exposures thrown up by remote working during the pandemic, cyber criminals quickly adapted to the new reality. Indeed, phishing attempts tripled from early 2020 to the end of 2021 [1] and cyber-attacks involving ransomware doubled globally last year [2].

As society becomes increasingly dependent on technology, the tentacles of the software supply chain continue to multiply. The challenge that both risk managers and underwriters now face is identifying technological interdependencies that could present a systemic risk to business ecosystems.

Hospitals and healthcare systems have suffered repeatedly from cyber-attacks in the past, but this risk has also begun to impact food and energy supplies, with attacks on oil supplier Colonial Pipeline [3] and Brazilian-owned meat-processing firm JBS [4] resulting in ransom payments being made to the hackers in both cases.

Against this backdrop, cyber security has become more of a board-level issue, but the reality is that unless companies have actually experienced an attack and have either come through it relatively unscathed, or have enacted strong remediation efforts following a loss, they run the risk of being dangerously over-confident about their exposure and resilience to cyber risk.

Recent experiences such as the attack on SolarWinds, whose Orion IT monitoring software is used by Microsoft and several US government agencies, and the zero-day vulnerability in Apache’s Log4j logging library, which left millions of systems open to remote code execution and data exfiltration, have shown how cyber risk can permeate an entire technology ecosystem.

A significant number of businesses still use legacy software and hardware systems that they have neglected to upgrade or replace - whether for reasons of cost or business disruption. Such legacy systems could well be ‘end of life’ applications that, without continued vendor support, will become increasingly exposed to cyber-attacks.

With an increasing number of businesses entirely dependent on cloud computing networks, a major cyber-attack on a single cloud provider could have huge repercussions. When you consider that the platforms run by three of the world’s largest companies by market capitalization (Amazon Web Services, Microsoft Azure and Google Cloud) account for around two-thirds of the global cloud infrastructure market [5], the potential disruption to businesses from a hit on any one of these providers is enormous, threatening a ‘black swan’ event for cyber insurers.

While insurance is an important part of managing cyber risk and improving resilience to cyber-attacks, what many clients are looking for is a partnership with their insurers and security advisors to help them pro-actively assess and mitigate their exposures.

As a risk carrier, we see our role as highlighting which controls and risks in clients’ systems correlate with the wider claims activity, in order to help clients improve their risk posture. Even our more sophisticated clients can derive value from these insights, based on the sheer volume of cyber incidents that we handle.

Companies may balk at the expense and effort involved in undertaking extensive cyber hygiene, but in the face of an evolving threat landscape they need to do it. There will come a time when installing cyber controls in a company’s systems is as automatic as installing locks on the front door.

[1] Phishing Hits All-Time High in December 2021; Attacks Triple Since Early 2020 | APWG/GlobeNewswire
[2] There’s a huge surge in hackers holding data for ransom... | Fortune
[3] One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators | Reuters
[4] Meatpacker JBS says it paid equivalent of $11 mln in ransomware attack | Reuters
[5] Q2 Cloud Market Grows by 29% Despite Strong Currency Headwinds | Synergy Research Group