Category: IT Security

Building a Resilient Supplier Cyber Risk Management Strategy | Blog

Sharing sensitive data with outsourcing providers in today’s interconnected digital world has increased organizations’ vulnerability to cyberattacks, making it more important than ever to have an effective supplier cyber risk management strategy. To protect against threats, read on to learn the best practices for supplier cyber risk management.  

In today’s risky and interconnected environment, it has become essential for organizations to have a supplier cyber risk management strategy to identify, protect, detect, respond, and recover from supply chain cyberattacks.

The critical importance of relationships with outsourcing service providers has been amplified by the pandemic and recent geopolitical turmoil due to the Ukraine-Russia crisis. Outsourcing suppliers now play a vital role in running business operations, and these partnerships have grown more sophisticated.

With data sharing between the two parties increasing multifold, organizations have greater exposure to ransomware attacks, phishing, denial-of-service, and other cyberattacks.

Depending on the sensitivity of data shared with suppliers, the potential risk of data loss can impact an organization’s business operations – making it essential to develop a supply chain cyber risk management plan to protect from significant financial and operational impacts.

Not having a formal supplier cyber risk management strategy can cause compliance issues. With scrutiny on global supply chains intensifying, a lack of supplier insights can lead to government regulation violations, resulting in financial losses and tarnishing an organization’s brand.

As suppliers have access to sensitive and business-critical information, managing permissions and protecting data from unauthorized access, misuse, and data loss become crucial.

Further, many other risks exist from a supplier’s operational perspective, including issues related to geopolitics, bankruptcy, and macro risks. Organizations should have complete supply chain visibility to rapidly respond to vulnerabilities and disruptions at the supplier’s end.

All of these factors can have a long-lasting impact on an organization’s image and reputation, potentially deteriorating customer loyalty and trust. Hence, having a resilient supplier cyber risk management strategy that includes visibility, transparency, clear communication, and collaboration has become non-negotiable for organizations.

The Everest Group risk management matrix

Let’s take a look at the different risk scenarios and their remedial measures below:

Exhibit 1: Everest Group Supplier Management Toolkit: Risk Management in Outsourcing (exhibit image not reproduced here)

Best practices for developing a supplier cyber risk management strategy

Developing a Supply Chain Risk Management (SCRM) program is indispensable for organizations as they become increasingly vulnerable to supply chain attacks.

Currently, the risk management focus in outsourcing is limited to compliance requirements such as the Sarbanes-Oxley Act (SOX), System and Organization Controls (SOC) attestation reports, industry-specific compliance such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Trust Alliance (HITRUST) framework, and criminal background verifications.

Other vital factors such as geopolitical and offshoring risks have not yet become key executive priorities. Further, as more companies lean on service providers to drive digitalization and corresponding transformation in their outsourced processes, organizations rarely try to identify potential risks and establish associated mitigation/contingency plans.

Industry standards such as ISO/IEC 27036 (information security for supplier relationships) and the NIST Cybersecurity Framework, which added a supply chain risk management category in version 1.1, highlight the importance of SCRM in corporate security. In terms of cyber security, this involves:

  • Defining cyber security requirements and measures that apply to suppliers based on their risk category
  • Enforcing these requirements via formal agreements (e.g., contracts) to ensure suppliers enter a binding commitment
  • Verifying and validating communication and access from and to suppliers
  • Ensuring effective implementation of cyber security requirements
  • Managing and supervising the above activities periodically

To optimally engage with and manage suppliers, the entire supplier life cycle should be organized into these three phases:

  1. Before and during the contracting phase – Screening suppliers before onboarding is essential to assess their financial, operational, and reputational standing. Procurement heads need to carry out background checks to confirm suppliers’ compliance status and performance viability. An exhaustive contract with legally binding cyber security responsibilities for both the organization and its suppliers should be created. This contract should define the fundamental, high-level security requirements and privacy controls that govern the relationship at every point in the life cycle
  2. During the ongoing relationship – Once suppliers are onboarded, organizations must track every asset each supplier can access in a central repository. Suppliers should be categorized into risk classes based on how critical the information they handle is, and appropriate cyber security controls defined for each class. Adherence to these controls should be evaluated continuously, not only at onboarding
  3. After the termination of the relationship – Offboarding a supplier requires disabling its logical and physical access, removing its access to any data, and having that data returned or destroyed with confirmation, so the supplier retains nothing sensitive. This phase also requires confirming that no open security incidents involving the supplier remain and facilitating a proper handoff between the outgoing and incoming suppliers
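
The register and checks below are an added example (not code from the original post or from Everest Group’s toolkit) of the second and third phases: tiering each supplier by the most sensitive data it handles, deriving the control baseline from that tier, and verifying at offboarding that no logical or physical access survives a termination or an expired contract. The supplier names, classification labels, per-tier control lists and access grants are all constructed for illustration.

```python
"""Supplier access register: risk tiering and offboarding verification.

Added example; not code from the original post. All suppliers, grants and
classification labels below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Assumed classification scale (labels are this example's own).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed control baseline per tier; a real programme would derive this
# from its contract templates and its ISO/IEC 27036 / NIST CSF mapping.
TIER_CONTROLS = {
    "tier1": ["annual on-site audit", "SOC 2 Type II report", "MFA on all access",
              "quarterly access recertification", "breach notification within 24h"],
    "tier2": ["SOC 2 Type II report", "MFA on all access", "annual access recertification"],
    "tier3": ["security questionnaire", "annual access recertification"],
}

@dataclass(frozen=True)
class Supplier:
    name: str
    status: str              # "active" or "terminated"
    contract_end: date       # end of the current contract term
    data_classes: frozenset  # classifications of data shared with the supplier

@dataclass(frozen=True)
class AccessGrant:
    supplier: str
    asset: str               # system, file share, VPN profile, badge ...
    kind: str                # "logical" or "physical"
    active: bool

def risk_tier(supplier: Supplier) -> str:
    """Tier a supplier by the most sensitive data it can reach."""
    top = max((CLASSIFICATION_RANK[c] for c in supplier.data_classes), default=0)
    if top >= 3:
        return "tier1"
    if top == 2:
        return "tier2"
    return "tier3"

def required_controls(supplier: Supplier) -> list:
    """Controls the contract and ongoing monitoring must enforce for this supplier."""
    return TIER_CONTROLS[risk_tier(supplier)]

def offboarding_gaps(suppliers, grants, today: date) -> list:
    """Grants still active for suppliers that are terminated or past contract end.

    Each returned grant is an offboarding failure: logical and physical
    access must both be disabled before a relationship counts as closed.
    """
    gone = {s.name for s in suppliers
            if s.status == "terminated" or s.contract_end < today}
    return [g for g in grants if g.active and g.supplier in gone]

# Constructed sample register (not real suppliers).
SUPPLIERS = [
    Supplier("PayrollCo", "active", date(2025, 12, 31), frozenset({"restricted", "internal"})),
    Supplier("PrintShop", "active", date(2024, 6, 30), frozenset({"internal"})),
    Supplier("OldDevHouse", "terminated", date(2023, 3, 31), frozenset({"confidential"})),
]
GRANTS = [
    AccessGrant("PayrollCo", "hr-db", "logical", True),
    AccessGrant("PrintShop", "marketing-share", "logical", True),   # contract lapsed
    AccessGrant("PrintShop", "loading-dock badge", "physical", True),
    AccessGrant("OldDevHouse", "git-server", "logical", True),     # never revoked
    AccessGrant("OldDevHouse", "office badge", "physical", False),
]
AS_OF = date(2024, 9, 1)   # date the audit is run

if __name__ == "__main__":
    for s in SUPPLIERS:
        print(f"{s.name}: {risk_tier(s)} -> {required_controls(s)}")
    for g in offboarding_gaps(SUPPLIERS, GRANTS, AS_OF):
        print(f"OFFBOARDING GAP: {g.supplier} still has {g.kind} access to {g.asset}")
```

Running the audit on the sample data flags three gaps: both of PrintShop’s grants, because its contract ended before the audit date even though its status was never changed, and OldDevHouse’s unrevoked git-server access. The contract-expiry check is the one most programmes miss, since the supplier record still reads “active”.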

Prevalence of risk management processes in the supplier life cycle

How common is it for organizations to have established risk management processes in each of the third-party life cycle steps? Our polling results show while most organizations have these safeguards in the first stage, fewer use them in later phases, as illustrated below:

Exhibit 2: Everest Group’s Webinar Quick Poll (Could Your Business Partners Be Offering More Risk than Support?) (exhibit image not reproduced here)

The supply chain behind almost any procurement activity can be the target of a cyberattack, either through the supply chain itself or, once the supplier and the organization are integrated, through either party’s systems.

More complex and sophisticated attacks often go undetected or unreported, making them potentially more damaging for enterprises. At different points in the supplier management life cycle, different stakeholders across the organization hold primary responsibility for establishing and maintaining effective supplier cyber security controls.

Rigorous governance is required to ensure the relevant stakeholders are accountable at the right time, so that the best possible effort is made to combat cyber threats. To complement this governance, a strong collaborative culture across departments is needed to drive continuous improvement.

Learn how to create an effective program for your organization in our executive brief on Cybersecurity Risk Management in the Supplier Life Cycle, part of our supplier management toolkit.

Please reach out to [email protected] to gain further insights on supplier cyber risk management or Contact Us.

Discover even more about cybersecurity in our current environment in our webinar, Cybersecurity: What You Need to Know to Find the Right Partner and Price.

Believe In Zero Trust – How a Familiar Yet Uncelebrated Model Can Protect Your Organization from Cyber Attacks | Blog

Given the meteoric rise in ransomware attacks during the pandemic and persistent cybersecurity challenges, the need for effective measures to protect sensitive data and IT environments from rising assaults is greater than ever. While zero-trust security architecture offers many potential benefits, adoption of this long-talked-about framework has been slow for various reasons. But with even the White House hitting the gas on zero trust, the timing could be right for more widespread implementation. Read on to learn about how your enterprise can overcome the hurdles and move to zero trust.

Zero trust, a framework for the design and implementation of IT security systems, has been in the market for quite some time now. The term was coined at Forrester in 2010, and the model gained visibility when Google published its BeyondCorp implementation in 2014, an effort begun after the 2009 Operation Aurora intrusions. Since the National Institute of Standards and Technology (NIST) formalized the approach in SP 800-207 in August 2020, it has become mainstream.

But despite the entire industry being widely familiar with the terminology and underlying principles and architecture, why has enterprise-level adoption lagged when the benefits outweigh the investment? Before we dive deep into the reasons behind this reluctance in the market, let’s explore the core tenets of a zero-trust security approach.

The guiding principle for zero trust is “never trust, always verify,” and it is built upon the following assertions:

  • Every part of the network is potentially hostile
  • Both external and internal threats always exist on the network
  • Every device, user, and network flow must be authenticated and authorized and should not be trusted by default
  • Least privilege should be the fundamental motto: users, devices, and services get only the access they need
  • Micro perimeters/micro segmentation should be created around critical data, applications, and services
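
The following is an added example (not code from the original post) of what those assertions look like at a policy enforcement point, which is also the point where the later recommendation that trust be verified before access is granted gets applied: each request is evaluated on a verified session, role, device posture and step-up authentication; a resource with no explicit micro-perimeter policy is denied by default; and the network segment the request came from is recorded but never used to grant anything. The session tokens, device inventory, resource names and policy table are constructed for illustration.

```python
"""Policy enforcement point for a zero-trust micro-perimeter.

Added example; not code from the original post. Sessions, devices,
resources and the policy table are constructed sample data.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    token: str
    device_id: str
    resource: str
    action: str
    network: str      # where the request came from; logged, never trusted

# Constructed identity-provider state: session token -> verified identity.
SESSIONS = {
    "tok-alice": {"user": "alice", "roles": {"employee", "hr-analyst"}, "mfa": True},
    "tok-bob":   {"user": "bob",   "roles": {"employee"},               "mfa": False},
}

# Constructed device inventory with posture reported by an endpoint agent.
DEVICES = {
    "lap-01": {"managed": True,  "compliant": True},
    "lap-02": {"managed": True,  "compliant": False},   # e.g. disk encryption off
    "byod-7": {"managed": False, "compliant": False},
}

# One micro-perimeter per resource; anything not listed here is unreachable.
POLICY = {
    "payroll-db": {"roles": {"hr-analyst"}, "actions": {"read"},
                   "mfa": True,  "managed_device": True},
    "wiki":       {"roles": {"employee"},   "actions": {"read", "write"},
                   "mfa": False, "managed_device": False},
}

def decide(req: Request) -> tuple:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    # 1. Authenticate the session and bind it to the claimed user.
    session = SESSIONS.get(req.token)
    if session is None or session["user"] != req.user:
        return False, "authentication failed"
    # 2. Default deny: a resource without an explicit policy cannot be reached.
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, f"no policy for {req.resource}"
    # 3. Least privilege: both the role and the requested action must be listed.
    if not (session["roles"] & rule["roles"]):
        return False, "role not permitted"
    if req.action not in rule["actions"]:
        return False, f"action {req.action} not permitted"
    # 4. Device posture is part of the decision, not just who is asking.
    device = DEVICES.get(req.device_id, {"managed": False, "compliant": False})
    if rule["managed_device"] and not (device["managed"] and device["compliant"]):
        return False, "device not managed/compliant"
    # 5. Step-up authentication for sensitive resources.
    if rule["mfa"] and not session["mfa"]:
        return False, "MFA required"
    # req.network was never consulted: being on the corporate LAN earns nothing.
    return True, "allowed"

if __name__ == "__main__":
    samples = [
        Request("alice", "tok-alice", "lap-01", "payroll-db", "read", "internet"),
        Request("alice", "tok-alice", "lap-02", "payroll-db", "read", "corp-lan"),
        Request("bob",   "tok-bob",   "lap-01", "payroll-db", "read", "corp-lan"),
        Request("bob",   "tok-alice", "lap-01", "wiki",       "read", "corp-lan"),
    ]
    for r in samples:
        print(r.user, r.resource, r.action, "from", r.network, "->", decide(r))
```

Note the two deliberate asymmetries: alice reading the payroll database from the internet on a compliant managed laptop is allowed, while the same user on the corporate LAN with a non-compliant laptop is refused, and a request for a resource nobody has written a policy for is refused even to a fully verified user. That is the practical meaning of “every part of the network is potentially hostile” and “not trusted by default”.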

The key tenets of zero-trust security are summarized in the accompanying exhibit (image not reproduced here).

Why hasn’t zero trust been fully embraced?

Even though security leaders across product vendors as well as analyst firms have been preaching the benefits of a zero-trust security approach across enterprise cybersecurity, adoption hasn’t picked up. Among the key enterprise challenges and the apprehensions by security leaders surrounding its wide-scale adoption are:

  • Misconception of zero trust as another technology solution: The most common problem we have seen in enterprise cybersecurity teams is the belief that any new challenge is best solved by buying a new technology or solution. Enterprise leaders often forget that zero trust is a concept, not a product, and that no single solution delivers it. Enterprises are lured by vendor marketing that covers one aspect of zero-trust security through one product, and the result falls well short of what the zero-trust approach promises
  • Challenges of network micro segmentation: A key aspect of zero-trust security is protecting the network by breaking the erstwhile monolithic perimeter into micro perimeters with granular security controls and access decisions. Given the large number of applications, their dependencies, services, and users involved, implementing and maintaining micro perimeters is challenging, and enterprises with disparate security controls and network products cannot get the end-to-end visibility it requires
  • Complexity in brownfield implementations: Zero trust is undoubtedly easiest to adopt in greenfield projects, because existing IT landscapes are so vast and complex that a single change, if implemented incorrectly, can ripple across enterprise systems. Enterprises are expected to take a step-by-step approach rather than rip and replace, yet many organizations that started the journey as a massive one-shot rebuild of the network have stalled. Integrating existing capabilities with new solutions to extend zero trust across enterprise IT is a further challenge
  • Myth that zero trust is for on-premises only: Enterprises have been grappling with a long-running myth that zero-trust security applies only to the building blocks of enterprise IT that sit inside the corporate network, because most of the existing research talks about not trusting anything within corporate networks. Also, some enterprises still do not treat cloud security as a shared responsibility model with the hyperscalers and hence do not plan to extend the zero-trust security approach to the cloud, leaving their assets on cloud and multi-cloud architectures at risk

Six Key Considerations for Enterprises Moving Ahead in the Zero Trust Journey

Zero trust can offer many benefits beyond improved data protection and greater compliance, including greater visibility across the enterprise, security for the growing remote workforce post-pandemic, and an improved end-user experience.

Here are some recommendations for moving ahead:

  1. Take a step-by-step approach for a long journey: While zero trust adoption can lead to a significant business transformation, framework adoption does not necessarily translate into a radical overhaul of existing cyber capabilities. Enterprises must understand that zero trust needs to be thought of as a journey to implement the strategic changes
  2. Establish the current baseline: Just like other security implementations, understanding what and why is of the utmost importance to see the benefits of following this path. Start by identifying the crown jewels – data and workloads – and the users, devices, and services that legitimately need to reach them, then build the security policy and control framework around that map so attackers are not left easy footholds
  3. Leverage the existing cybersecurity stack: Reuse the existing investments made in threat detection, identity and access management, network, endpoint, and data security and integrate them into the zero-trust security approach. Focus on preventing cloud misconfigurations and on gaining end-to-end visibility of data, policy, and communication between apps, infrastructure, network, and other components in the environment
  4. Understand that trust is never guaranteed: Enterprises must understand that trust is not guaranteed by any solution but needs to be verified at policy enforcement points before access is provided
  5. Combine zero trust with the broader digital transformation umbrella: Enterprises can combine zero trust transformation along with their IT digital transformation initiatives (including cloud and data center migration) to extract significant synergies and remove the hurdles of adopting zero trust in brownfield implementations
  6. Embrace the change: The entire journey will only be successful if all the stakeholders in the organization are ready to embrace the new ways of working in a dynamic and adaptive cyber organization with close collaboration between business and technology stakeholders

If the right cybersecurity measures are not implemented, attacks will only become more frequent and successful. Enterprises should put faith in zero trust as a security model that can provide greater protection in today’s high-risk environment.

Follow this space for our continued coverage of cybersecurity. To share your experiences and ask questions, please reach out to [email protected] or [email protected] or [email protected].

Future of Cybersecurity and Cyber Insurance | Blog

In our previous publication, Cyber Insurance Market Dynamics, we discussed cyber insurance market dynamics and the measures both insurers and enterprises are taking to improve capabilities, reduce risk, and curb overall claims losses. In this final article in the three-part series, we will explore what the future holds for cyber insurance for enterprises and insurers.

The COVID-19 pandemic has exacerbated the cybersecurity challenges for both enterprises and insurers. While it has exposed the limited cyber readiness within enterprises, it has also increased margin pressure on cyber insurers that are facing rising loss ratios. To address these challenges, manage cyber risk, and offset increases in premiums, enterprises are investing in new technologies like endpoint protection, network security, and application security, among others.

While these measures have worked for firms in the past, the evolving cyber threat landscape has unveiled the need for more robust plans. Insurers, on the other hand, are partnering with cyber risk analytics firms to actively improve their underwriting prowess. They are also realizing the need for sustainable policies that will not pose a threat to the industry’s profitability in the future.

Work from home security

The pandemic has made enterprises aware that it is possible to successfully run the business in a remote working environment. These businesses have implemented strong IT frameworks to enable employees to work remotely with few challenges or impacts on productivity. Enterprises have invested in network security and Identity and Access Management (IAM) tools that enable employees to work securely on any given network. With increasing cloud adoption, cloud-based security services will become a hot topic for enterprises to curb growing cyber-attacks.

Maintaining strict access control is likely to be the guiding principle for cyber policies in enterprises. Organizations will implement stringent hardware authentication measures to prohibit unauthorized access to systems. Automated and adaptive network scanning is also expected to be a key theme in the cybersecurity landscape. Enterprises will monitor and scan the connected networks to report any anomalies in real-time, thus enabling teams to proactively fix them. Learning and adapting to the new risk landscape will be an important aspect of enterprise cybersecurity teams. Using Artificial Intelligence/Machine Learning (AI/ML), enterprises will be able to identify patterns and help prevent repeated attacks by developing exhaustive threat intelligence. The use of AI is not only limited to scanning and pattern identification, but it is also expected to prove beneficial to combat social engineering, malware, and ransomware attacks.

We have mentioned in parts one and two of our previous publications (“Cyber Insurance Market Dynamics” and “Cybersecurity Risk Management in a Post-Pandemic Era”) that cyber threats evolve along with evolving technologies. The same is true in the case of quantum computing. While it is expected to bring its own set of advantages in the fields of analytics, cryptography, aviation, medical research, etc., it is also expected to break the public-key algorithms that underpin today’s encryption and digital signatures, such as RSA and elliptic-curve cryptography, which is why post-quantum replacements are being standardized.

Continued cyber insurance growth forecast

The global cyber insurance market has experienced strong growth in the past, and this trend is likely to continue in the near future. The continuous shift to advanced technologies like AI/ML, cloud, and APIs has compelled enterprises to include cyber insurance in cybersecurity plans. While it is not a panacea for the enterprise cyber risk problem, the insurance coverage does provide the necessary systemic risk sharing from potential attacks. Going forward, cyber insurance will transform from a “nice to have” product to a “must have” product for enterprises. Firms will actively look for coverages that include cybersecurity, cyber liability, and technology errors and omissions, among others. The bundling of value-added services in addition to cyber coverage has increased the attractiveness of cyber insurance for enterprises. In addition to the necessary risk insurance, enterprises now have access to risk prevention and mitigation products and services from insurers.

In the remote/work-from-home world, the lines between commercial and personal cyber risk have become blurred. The need to have employees work from home is not likely to change in the short to mid-term, so insurers will offer enterprises personal cyber risk covers to shield consumers from any cyber-related risks. Recently, Chubb insurance introduced BLINK, an affordable insurance product with an embedded cyber protection cover that addresses the gap between those customers who are concerned about personal cybersecurity (80%-plus) and those who have cyber protection (16%).

As the market expands, insurer limits to risk-taking capacity may dampen the overall growth. While insurers are preparing for the impending cyber capital crisis that may emerge in the event of large-scale cyber-attacks, they are also thinking of innovative ways to address this challenge. Insurers are looking at capping lines of coverage and increasing rates while also diversifying current cyber risk portfolios of large enterprises. Increasingly, insurers will seek to offer coverages to medium-sized businesses as those organizations are becoming increasingly reliant on technology and are aggressively facing cyber-attacks. According to Verizon’s Data Breach Investigation Report, small and medium-sized businesses are at a high risk of data breaches and cyber-attacks. With a considerable proportion of medium-sized businesses seeking to purchase cyber insurance, insurers and brokers will look to tap into this target market.

In-house expertise for insurers to grow

Historically, insurers have largely relied on third-party cyber risk analytics firms for underwriting cyber risk. However, that is expected to change. Insurers are building in-house capabilities and hiring IT experts to strengthen cyber underwriting practices. Going forward, we also expect insurers to build a cyber insurance ecosystem to successfully underwrite cyber risk and consequently generate long-term profitable growth. With this, insurers can bring significant value to the enterprises while also enhancing underwriting capabilities by leveraging real-time threat intelligence. This will provide insurers with new data sources and insights to drive better risk evaluation and, in turn, build a more resilient cybersecurity landscape. Industry regulators will also play a key role in risk underwriting with the introduction of regional cyber insurance risk frameworks as best practices for managing cyber risk.

In the future, the evolving cybersecurity and cyber insurance landscape will demand proactive measures from both enterprises and insurers alike. As enterprises adopt new and emerging technologies, they will need to strengthen their cybersecurity position with new-age solutions like cloud application security and AI/ML-based automated security. Insurers will leverage new data sets for cyber risk underwriting and create a cyber insurance ecosystem that will provide them with the capability to act as coverage providers and also position them as strong risk advisors.

For more insights on cybersecurity, please see the first blog in this series, Cybersecurity Risk Management in a Post-Pandemic Era, or the second blog in the series Cyber Insurance Market Dynamics.

If you’d like to share your observations or questions on the evolving cybersecurity and cyber insurance landscape, please reach out to Barbara Beller ([email protected]), Supratim Nandi ([email protected]), or Mehul Khera ([email protected]).

Cyber Insurance Market Dynamics | Blog

In our previous publication, Cybersecurity Risk Management in a Post-Pandemic Era, we discussed the implications of increasing cyber-attacks on insurers and enterprises in a post-pandemic world. While insurers are actively taking measures to improve cyber risk underwriting to contain overall claims losses, enterprises are strengthening their cybersecurity capabilities by investing in the right set of technologies and talent levers.

The increasing severity of cyber-attacks, accelerated adoption of digital technologies, rise in digital touchpoints, consumerization of IT, and convergence of Information Technology and Operational Technology environments have made the traditional security services models obsolete, according to Everest Group PEAK Matrix reports.

Enterprises are seeking security strategies based on their specific business context, business maturity, geography, and other parameters. One way they are doing so is by partnering with third-party providers to align enterprise security initiatives with broader goals. They are also conducting risk assessments of critical functions and laying out cybersecurity improvement and investment plans for their organizations.

Increasing enterprise investments in cybersecurity

Enterprises are actively investing in endpoint protection, network security, cloud application security, secure web gateways, internet security, Identity and Access Management (IAM) tools, and other avenues to adequately shield businesses from cyberattacks. The endpoint detection and response (EDR) market alone has been growing by more than 20% each year, primarily driven by the increasing number of devices attached to networks owing to the current remote working landscape. Additionally, the rise in demand for mobile security solutions has further propelled the growth of EDR systems. Cloud application security is another area that has recently observed traction from enterprises, as many move to cloud solutions to ensure business continuity in remote/work-from-home environments. In 2020, the cloud security market was estimated to have reached US$35 billion owing to this rising adoption of cloud computing services.

The response from insurers

Insurers are investing in two key areas:

  • Strengthening underwriting capabilities to accurately assess cyber risk and, in turn, to control claims losses
  • Partnering with cybersecurity providers to offer value-added services to customers while also effectively managing risk

Insurers are heavily investing in Artificial Intelligence/Machine Learning (AI/ML) and scanning tools to automate their cyber risk underwriting, resulting in dynamic policy rate scenarios. Many insurers have invested in cyber scanning tools that can be tuned to the potential cyber vulnerabilities of the client. This has resulted in a market with limited consistency in pricing. Additionally, insurers are moving towards API integration to update pricing, coverage limits, and policy terms instantly based on the insurer’s underwriting and claims experience. This has also led insurers to impose sub-limits on certain coverage options such as social engineering or ransomware attacks.

Insurers are partnering with cyber risk analytics firms to improve underwriting capabilities and better understand portfolio risk exposure. For instance, leading insurers such as Chubb, Munich Re, and Hiscox have partnered with risk analytics firms to better understand the systemic risks in their cyber portfolios. Insurers also are using these cyber risk analytics platforms to analyze client cyber exposure, thus providing for detailed underwriting of cyber risks.

The cyber insurance industry also is garnering attention from regulatory authorities. Regulatory authorities are calling on insurers to strengthen underwriting processes, as cyber-attacks pose significant levels of aggregate risk for the industry. Most recently, the New York Department of Financial Services has asked insurers to take stringent measures in underwriting cyber risks.

Insurance innovation

Apart from implementing underwriting discipline, the broader insurance market is headed towards product innovation. Insurers are bundling standalone insurance offerings with risk management services as they reposition from an insurer to a risk guardian, Everest Group analysis has found. They are increasingly offering tailored risk solutions and value-added services that enable customers to reduce risk exposure. Insurers are partnering with cybersecurity providers to offer business protection services to customers to bolster their cybersecurity. For example, Swiss-based Zurich Insurance Group has partnered with Israeli cyber firm CYE to offer Zurich cybersecurity services along with its standalone cyber policy. The new product addresses cyber risks by helping businesses define and implement effective cyber risk management programs.

Effective management of cyber insurance claims losses is critical for both insurers and enterprises. Without it, it is expected the market will witness decreasing margins and a decline in risk capacity. Going forward:

  • Enterprises must implement firmwide cybersecurity policies that are ingrained in governance to ensure a robust defensive strategy
  • Insurers must work with third-party data providers and develop a solid ecosystem that includes internal and external experts to bring forward the best solutions

In our upcoming third and final edition of this article series, “The Future of Cybersecurity and Cyber Insurance,” we will explore what the future holds for cyber insurance for enterprises and insurers; emerging ways of underwriting cyber risk; and the role insurers and enterprises will play in battling the cybersecurity challenges over the coming few years.

If you’d like to share your observations or questions on the evolving cybersecurity and cyber insurance landscape, please reach out to Barbara Beller ([email protected]), Supratim Nandi ([email protected]), or Mehul Khera ([email protected]).

Cybersecurity Risk Management in a Post-pandemic Era | Blog

The intensity and severity of cyber events has accelerated during the COVID-19 pandemic as more and more people are working remotely and from home. This increasing frequency of cyberattacks has brought volatility to the already spiking claims losses causing many to wonder how enterprises and insurers can manage cyber risks in this new era. Our three-part blog series will explore this as well as initiatives to deal with cyber insurance challenges and what the future may hold for the cyber insurance market and its impact on enterprises.

The global cyber insurance market currently stands at nearly US$7.8 billion and is expected to grow at more than 20 percent CAGR over 2020-25, driven by the increasing number of cyber-attacks, the increasing need for IT compliance and regulations, and massive financial and non-financial losses (such as reputational loss, system downtime, reduced efficiency, etc.). McAfee has reported that in 2020 these losses reached nearly US$1 trillion, increasing about 50 percent from 2018. To put this in perspective, the losses account for nearly 16 percent of the global insurance premium volume.

Pandemic forces change

The pandemic has forced enterprises to rapidly shift to a remote/work-from-home format, compelling them to re-think their cybersecurity strategies, reassess their cyber threat exposures, and develop cyber policy plans that can adequately manage any potential threats.

Enterprises are not alone. Insurers have been significantly impacted by the rapid growth of cyber-attacks and burdened with the dramatic increase in claims losses from the policies sold. In 2020, the insurance industry is estimated to have faced more than a 27 percent increase in the number of claims, primarily driven by the increasing intensity of ransomware and phishing attacks, according to a report by insurance company Allianz. As these threats evolve and their severity increases, insurers are constantly facing the challenge of controlling these claims losses.

While the global pandemic has accelerated technology adoption, at the same time, it exposed cyber vulnerabilities and under-preparedness in enterprises, an analysis of the World Economic Forum’s Global Risks Report 2021 found. As the adoption of complex technologies such as AI/ML (artificial intelligence/machine learning) tools, IoT (Internet of Things) devices, and cloud infrastructure has increased, so too has the complexity of cyber-attacks. While cyber-threats such as phishing, ransomware, trojans, and botnets have remained prevalent, risks exist for more evolved and unknown strikes such as industrialized social engineering attacks.

With the growing sophistication of cyber-attacks, the average cost per attack for firms has also gone up. According to a survey conducted by McAfee, 67 percent of the surveyed companies reported that the average cost per attack was more than US$500k. Addressing the threat of cyber risk and plugging these losses is a critical priority for business leaders. However, efforts to back up IT resources and data and set broader cyber response plans have been limited due to a lack of expertise.

Cyber risk measurement and analytics needed

Today, we are observing an increase in demand for cyber risk measurement and analytics capabilities as organizations look for the right cybersecurity talent and technologies to help address these challenges. Insurers are trying to provide enterprises with the right cyber insurance policies to help curb these losses. However, they face their own set of challenges, including the underwriting of cyber insurance policies. A lack of historical data limits their ability to accurately model risks, price risks precisely, and set coverage loss limits. Some cyber events go unreported, making it hard for insurers to get adequate information on cyber-attacks. Without an accurate cyber risk assessment, these policies may be ineffective, exposing insurers to significant losses in a major cyber event.

Another key challenge for insurers while underwriting cyber risk is ‘accumulation risk.’ While dealing with cyber risk, insurers must be aware of the increasing interconnectedness within networks that lead to dependent vulnerabilities of the commonly used systems that may translate into an untargeted spread of the attack to the adjacent networks. This adds a layer of complexity to underwriting, taking into consideration an unplanned impact on a larger number of clients.

Mounting claims losses raise concern

Growing claims losses due to the increasing frequency and severity of attacks are another key concern for insurers. In mid-2020, an American GPS and fitness tracking company was the victim of a ransomware attack in which a demand was made for US$10 million to get its systems back online. Similarly, in other cases companies have faced large monetary and non-monetary losses that translated into an increasing loss ratio for insurers. In the US, the average loss ratio for the top 20 insurers (who offer standalone cyber insurance policies) by Direct Written Premium in 2019 increased to 48.2 percent from 34.5 percent the prior year, according to a report on the US cybersecurity insurance market. For 2020, these loss ratios are expected to shoot up dramatically, given that the industry has already started calling 2020 a loss-making year for cyber coverages.

Managing cybersecurity risk is all about anticipating loss and building a sound strategy and plan to both prevent and quickly respond to threats by taking these actions:

  • Enterprises must beef up cybersecurity capabilities and invest in the right set of technology and talent levers to bolster cyber risk assessment capabilities
  • Insurers must identify the full set of dependencies to assess the complete severity of the attack

Failure to embrace cyber risk management could have severe consequences and leave organizations so far behind that they may be unable to catch up. To address these challenges, enterprises and insurers must proactively work together to mitigate cybersecurity risk.

Next in this three-part series is Cyber Insurance Market Dynamics, where we will discuss the measures taken by both enterprises and insurers to address these challenges. While enterprises are investing in Identity and Access Management (IAM) software, endpoint encryption, and other technologies, insurers are putting their money into bolstering underwriting efforts to model cyber risks more accurately.

If you’d like to share your observations or questions on the evolving cybersecurity and cyber insurance landscape, please reach out to Supratim Nandi ([email protected]), Mehul Khera ([email protected]), or Barbara Beller ([email protected]).


Next-generation Security Operations Centers | Blog

The rapid pace of digitalization has increased enterprise exposure to a diverse and evolved range of cyberattacks. However, many enterprises make security an afterthought rather than a part of their digital transformation journey. While they’ve always had a daunting task to make their business resilient, the COVID-19 pandemic has only added to their woes. A global shift toward remote working and the sudden expansion of the enterprise perimeter has contributed immensely toward enterprise challenges.

Here’s a quick snapshot of some high-level security-related challenges that enterprises will continue to face in 2021:


To overcome these challenges, which are associated with speed and scalability of security services delivery, enterprises rely on security operations centers (SOCs) to monitor systems and defend against breaches. As the frequency and severity of breaches continue to rise, traditional SOCs and Security Information and Event Management (SIEM) systems based on signatures and rule-based automation are quickly becoming obsolete, as they make it immensely difficult for security analysts to stay on top of internal and external threat-related data.

Consequently, SOCs need to transition to an “Aware” state that is underpinned by cognitive capabilities that help detect, prevent, and resolve incidents at scale to keep pace with evolving adversaries.

What is Aware SOC?

Simply put, an Aware SOC is underpinned by next-generation SIEM and cognitive technologies – AI and ML along with decision automation – to deliver intelligent security operations. The Aware SOC is built on a single platform that seamlessly integrates solutions from multiple vendors to augment existing capabilities. Designed to secure distributed enterprise architecture, an Aware SOC brings together the best of human + machine capabilities to help enterprises fight against the rising tide of sophisticated cyberattacks.

The table below shows how enterprises should think about an Aware SOC as an amalgamation of best-of-breed technology and talent:


Security operations done right: Moving to a platform-driven Aware SOC

The pandemic has been a major change agent for enterprises, significantly impacting their security operations. To incorporate speed and scalability in their security operations, enterprises are now re-thinking their SOC architecture. The platform that an enterprise chooses for its security operations has started to become a pivotal element of its overall security infrastructure, becoming the de facto operating system for other point-based security tools. The shift to a platformized cloud-first approach, underpinned by SaaS-based tools for monitoring, threat hunting, vulnerability assessment, and incident resolution is expected to be the springboard of security transformation for medium and large enterprises.

Here’s our view of an architecture for a platform-driven Aware SOC:


Enterprises can find significant value in a platform-driven Aware SOC, which lets them break systems down into building blocks and bring in modularity that allows them to scale and manage security controls across environments. The elements of the platform, spanning the data lake and network traffic analysis, also give enterprises enriched insights related to their existing and to-be security estates.

Advantages of investing in a platform-driven Aware SOC

Investing in an Aware SOC is a highly strategic decision. Beyond economic benefits, a platform-driven Aware SOC produces a number of other benefits, including speed, scalability, resiliency, and efficiency. The benefits discussed below are not an all-encompassing list but instead a starting point for exploring the benefits of investing in a platform-driven Aware SOC:

  1. Automated security across the enterprise IT estate – ingest alerts across multiple environments and execute automated workflows/playbooks to speed up incident response
  2. Break team silos – playbooks for real-time collaboration capabilities that enable security teams to solve for existing and new threats and breaches
  3. Expedite incident investigations – enables standardized response for high-quantity attacks such as DDoS attacks. Also helps security analysts adapt to sophisticated one-off attacks.

Whether an enterprise is thinking of outsourcing security operations or bolstering them internally, it needs to future-proof its overall cybersecurity strategy. While charting the broader cybersecurity strategy, an enterprise needs to keep a firm sight on its short-, mid-, and long-term business goals. This is where a platform-driven Aware SOC can help. A platformized approach to Aware SOC that stitches the entire security fabric together will go a long way in ensuring that the enterprise’s cybersecurity strategy aligns with business goals such as speed, scalability, and resilience.

Follow this space for more blogs on cybersecurity. Meanwhile, please feel free to reach out to [email protected] and [email protected] to share your experiences and ask any questions you may have.

Self-aware Data – Securing Data across its Life Cycle | Blog

Increasingly costly data breaches in recent years have shown the importance of data protection and privacy in the age of the data economy. While organizations have accelerated their pace in adapting to the increased levels of security and data sharing, much still needs to be done. IBM’s 2019 Cost of Data Breach Report showed that the global average cost to an organization of a data breach was US$3.92 million, a 12% increase over five years. The latest attack on the European Medicines Agency (EMA) – in which hackers successfully penetrated and stole important information regarding the COVID-19 vaccine – is just one of the many examples of ever-increasing cyberthreats.

Where are the gaps?

Indeed, the key ways in which organizations still fail to secure data – even after so many advances in cybersecurity – have been highlighted by the rising number of data breaches during the COVID-19 pandemic, including such examples as:

  • Organizations secure the transport layer in which data is transferred rather than securing data itself
  • The controls and policies lie within an organization’s IT estate rather than with the data owner
  • There is a lack of centralized visibility into data movement and assets across the organization
  • It takes too much time and effort to implement policy changes across the organization
  • Employee awareness of, and preparedness for, security is generally the weakest link in cyber defense; a majority of breaches can be traced back to human negligence

Moving toward self-aware data

This situation is precisely where self-aware data can help. Self-aware data refers to data that is intelligent and can protect itself from intrusions. Each piece of self-aware data can defend itself at any place, continuously, during its lifespan and does not rely on securing the communication tunnel, which is the common security method. The approach is based on democratizing data security, which includes a process by which the data owner sets up policies related to accessing their data. It treats the root cause of data loss rather than the symptoms.

Let’s take a closer look at how organizations can implement self-protecting, self-aware data:

  • Focus on data rather than the communication channel – The core focus should be on securing data. A wrapped layer of security protocols across data enables the user to freely send the data across media without the worry of data loss. The data owner sets these protocols, and only users who meet these protocols can access the data.
  • The owner controls the data asset throughout its life cycle – Once the owner creates the data and establishes access-related policies, that owner should have complete control of the data until it is deleted. Even if copies are made on any devices or stored across locations, the owner should be able to control the files with the same policies.
  • Seamless data movement and interoperability across platforms – Self-aware data needs to be operable across platforms, devices, applications, operating systems, cloud services, and data centers. It must be universally deployable and interoperable to provide real-world protection across today’s diverse environments.
  • Built-in log analysis – Organizations need to implement built-in log analysis across the data life cycle, from creation to storage, until destruction. Self-aware data should be able to provide proof of possession, custody, and control. It needs to provide this information back to its owner for every copy or instance from anywhere.
  • Ability to upgrade policies on the fly – To adapt to the dynamic cybersecurity regulations, owners should have the feature set to apply any new policy regulation across all files at any time.

Future-proofing data

In a rapidly changing digital world, there is also an increasing need to future-proof intelligent data. We thus recommend the following actions to safeguard self-aware data from the next-generation threats of AI-/ML-powered cyberattacks:

  • Implement geo-fencing and geo-location capabilities – Such policies can ensure that the data stays within the organization’s geographical presence, which is especially helpful as we increasingly see a rise in hacker groups from specific geographies.
  • Detect and safeguard related data pieces – Organizations should also ensure that the protection rules or protocols are able to replicate themselves wherever that data or any part of it flows. For example, if the protocols allow certain users to access an Excel sheet containing a sales data table, these protocols should be replicated automatically if any row of that sales table is used in any other document or Excel file to ensure end-to-end data safety.
  • Foolproof data against any augmented intelligence approach – Data masking and Generative Adversarial Network (GAN)-based techniques to generate synthetic data have been a boon for training AI/ML models. Self-aware data, if masked or even synthesized to generate new synthetic data, should be able to recognize the base parent file and initiate the same set of protocols on the new files created.
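The implementation principles above (data-centric rather than channel-centric protection, owner-held control over every copy, built-in access logging, on-the-fly policy upgrades) and the geo-fencing recommendation can be made concrete in a small model. The following is an added illustration, not code from the original post or from any self-aware data product: the policy travels inside the envelope, is bound to the owner with an HMAC so a copy with an edited policy is refused, and every access attempt on any copy is reported back to the owner's audit log. The HMAC-based keystream and the caller-supplied `region` are assumptions made to keep the example self-contained; a real deployment would use AES-GCM and an attested location source.

```python
import base64
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-GCM, illustration only)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _policy_mac(key: bytes, policy: dict) -> str:
    """Owner-bound tag over the canonical policy; a copy with an edited policy will not verify."""
    body = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class DataOwner:
    """Holds the content key and policy key; no copy is readable without the owner's decision."""

    def __init__(self):
        self.content_key = os.urandom(32)
        self.policy_key = os.urandom(32)
        self.audit_log = []  # proof of possession/custody, reported back for every copy

    def seal(self, plaintext: bytes, policy: dict) -> dict:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(self.content_key, nonce, len(plaintext))))
        envelope = {"nonce": base64.b64encode(nonce).decode(),
                    "ciphertext": base64.b64encode(ct).decode()}
        self.apply_policy(envelope, policy)
        return envelope

    def apply_policy(self, envelope: dict, policy: dict) -> None:
        """(Re)stamp the policy on any copy at any time: upgrades and revocation on the fly."""
        envelope["policy"] = dict(policy)
        envelope["policy_mac"] = _policy_mac(self.policy_key, envelope["policy"])

    def _evaluate(self, envelope: dict, user: str, region: str, now: int) -> str:
        policy = envelope.get("policy", {})
        if not hmac.compare_digest(envelope.get("policy_mac", ""), _policy_mac(self.policy_key, policy)):
            return "denied: policy tampered"
        if user not in policy.get("allowed_users", []):
            return "denied: user"
        if region not in policy.get("allowed_regions", []):
            return "denied: geo-fence"
        if now > policy.get("expires_at", 0):
            return "denied: expired"
        return "granted"

    def access(self, envelope: dict, user: str, region: str, now: int):
        """Evaluate the embedded policy, log the attempt, and release plaintext only on 'granted'."""
        decision = self._evaluate(envelope, user, region, now)
        self.audit_log.append({"copy": envelope.get("copy_id", "original"), "user": user,
                               "region": region, "time": now, "decision": decision})
        if decision != "granted":
            return None
        nonce = base64.b64decode(envelope["nonce"])
        ct = base64.b64decode(envelope["ciphertext"])
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.content_key, nonce, len(ct))))


def demo():
    """Constructed scenario: a sales table sealed for one EU user, copied to a laptop."""
    owner = DataOwner()
    policy = {"allowed_users": ["alice"], "allowed_regions": ["EU"], "expires_at": 2000}
    original = owner.seal(b"Q3 sales table", policy)
    copy = dict(original, copy_id="laptop-copy")          # copy carries the same policy
    results = {"alice_eu": owner.access(copy, "alice", "EU", 1000),
               "alice_us": owner.access(copy, "alice", "US", 1000)}
    tampered = dict(copy)                                 # policy edited on the copy
    tampered["policy"] = dict(copy["policy"], allowed_users=["alice", "mallory"])
    results["tampered"] = owner.access(tampered, "mallory", "EU", 1000)
    owner.apply_policy(copy, dict(policy, allowed_users=[]))  # owner revokes on the fly
    results["after_revoke"] = owner.access(copy, "alice", "EU", 1000)
    return results, owner.audit_log
```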

When combined with a zero-trust architecture, self-aware data can act as an invulnerable armor for the valuable data assets that organizations possess. To capitalize on the opportunity, some startups have already started work on tools and solutions to enable self-aware data in the hopes of making data breaches irrelevant.

If you have any questions regarding how self-aware data can help secure your existing data landscape or would like to share your inputs on the broader cybersecurity landscape, please write to us at [email protected] and [email protected].

Digital Trust – the Key to Secure Customer Engagement and Stickiness | Blog

In an age of pervasive cyberthreats and attacks, enterprises increasingly realize that ensuring trust and privacy is vital in the customer journey. In fact, CXOs now view cyber risks as business risks that can prevent them from establishing strong customer relationships, and they are proactively trying to find ways to address privacy or security gaps in their customer engagements.

In this context, the goal of digital trust is to instill confidence among enterprise customers, business partners, and employees in an organization’s ability to maintain secure systems, infrastructure, and perimeters, as well as to provide a secure, reliable, and consistent experience. Today, digital trust underpins businesses’ success directly by creating confidence among customers and other stakeholders.

Users at the core of digital trust

Establishing digital trust goes beyond the creation of a secure application or enforcement of stringent regulations to avoid cyberattacks. It is about leveraging the right combination of tools and technologies to create a superior digital experience for users that not only protects their privacy but also exceeds their service expectations.

To create such an unparalleled and smooth user experience through their digital transformation initiatives, enterprises should ensure and embed digital trust seamlessly in their processes and systems. Organizations need to understand that they can achieve 360-degree trust only if they keep the user at the center of digital transformation initiatives and build enterprise security controls around user attributes such as device, data, applications, and user environment.

To make digital trust a reality, enterprises should comply with privacy regulations to have the right data security controls across environments, employ usage-based security controls across the IT estate, provide secure access to user devices, understand user behavior through behavior and entity analytics, and monitor user activity to create secure access across applications, devices, and networks.

Building digital trust the right way

In a 2019 Everest Group survey of 200 CIOs, about 71% said they believe that they lacked centralized visibility across their IT estate, almost 42% said they were unable to measure and quantify end user experience, and 53% were unable to leverage essential technologies to improve end-user experience. About 70% of enterprises still lacked the capabilities of a unified threat detection system to prevent, detect, and manage unknown threats. These figures point to the glaring gaps in enterprises’ IT security infrastructures and understanding of their users’ experiences.

The concept of digital trust ties together business objectives and business resilience goals and ensures that the right user with the right intent is granted the right set of access and permissions for the right purpose. To build digital trust among users, organizations need to consider specific action items for different cybersecurity segments to create 360-degree digital trust, as outlined in the exhibit below.

Digital Trust – the Key to Secure Customer Engagement and Stickiness

Instead of implementing discrete security controls across the organization, enterprises need to take a holistic, outcome-oriented approach to cybersecurity. When organizations approach cybersecurity with the objective of creating a seamless user experience, it facilitates a sense of mutual and complete trust.

Digital trust in the age of COVID-19

The COVID-19 pandemic has led to a massive shift from offline to online channels. Such digital business extensions have created unprecedented security concerns worldwide. Users are concerned about the security of their private data and how organizations handle it. To build trust, enterprises must focus on building an empathetic and secure organization. If they can get this right, they will be able to win customer loyalty and trust, thereby laying the foundation of a future-proof sustainable business. As the world fights the pandemic, digital trust could well be the glue that binds customers to them.

To learn more about the need to think of IT security as the key enabler of digital trust among users and customers, please see our latest report, Digital Trust – The Cornerstone of Creating a Resilient and Truth-based Digital Enterprise. You could also reach out to us directly at [email protected] or [email protected] to explore this concept further.

Anti-financial Crime Talent Imperatives in the Digital Age | Blog

For years, financial institutions have struggled to attract and retain quality anti-financial crime (AFC) talent, which remains a compliance program’s most vital asset. And the situation is only getting worse. Why? First, both the importance and application of anti-money laundering (AML) and fraud risk management are increasing. Second, the requirements and expectations of regulators are snowballing. And third, demand for AFC talent is skyrocketing while unemployment remains low. It’s a perfect storm.

Perhaps most importantly, the AFC workforce must now be able to work with artificial intelligence and machine learning technologies. Financial institutions that can’t adapt their workforce to the demands of this new augmented human intelligence era simply won’t survive. Knowing what talent to look for – and how to attract, manage, and retain it – is key.

The changing definition of talent and the rise of “bilinguals”

In the past, whenever new compliance initiatives or regulations arose, banks tended to staff up operational teams to address them. Now banks realize that hiring operational staff isn’t enough. Instead, solving for the underlying problem – be it “Know Your Customer” remediation, reducing incidences of fraud, or ensuring better AML compliance – is the answer.

To do this, banks are breaking up their talent pyramid into tasks. Those tasks that are manual and repetitive (and therefore subject to a high degree of automation) sit at the bottom of the talent pyramid. And those requiring a high degree of judgment that can be handled only by skilled employees sit at the top. As a result, talent must now be “bilingual,” possessing not only the domain and operational expertise to drive judgments but also the technology expertise to help automate repetitive, mundane tasks.

Attracting talent

If a bank has bilingual workers, it’s not letting them go, so finding such talent at scale through hiring practices alone is unlikely. Instead, the challenge is to identify skilled workers from either a domain or technology background and train them to develop the skills they lack.

One solution is partnering with universities. For example, recognizing that ready talent is not necessarily available in the marketplace, some service providers partner with universities to identify suitable individuals for entry-level positions and then train staff in those positions on AFC fundamentals.

Developing talent

At the same time, the half-life of professional skills is decreasing at an alarming pace. Regulations and technology are constantly changing, so talent agility is key. Organizations must create an environment of innovation, training, and enabling people to do their jobs faster and better, including enabling them with access to the right tools, be they bots or data libraries.

Firms are increasingly using techniques such as micro learning, which breaks information into bite-sized pieces, and spaced learning, which identifies the right moment for intervention so that trainees retain more information. Gamification is another technique that makes learning fun and increases retention. Through a combination of these approaches, firms can train employees and develop talent much more efficiently.

Retaining talent

Today’s banks are losing employees not only to other banks, but also to techfin firms. Amazon, Apple, Facebook, and Google are all making forays into banking, and they’re always on the lookout for people who can help their engineering teams understand the financial payments and risk disciplines. To retain talent, it’s important to drive workers’ aspirations.

Keeping employees engaged is essential to retention. Engagement can be accomplished through creative challenges and contests that instill sustainable change and help employees use their skills beyond their day-to-day work.

When it comes to AFC talent, it’s a battlefield out there. To learn more about how financial institutions can attract, manage, and motivate AFC talent to achieve the best balance between human and technical intelligence, check out the webinar I recently conducted with Genpact on this topic.

Key Issues For Enterprise IT Spend Decisions In 2020 | Blog

When considering your company’s IT spend decisions for 2020, it’s helpful to know what your peers and competitors expect for IT spend this year. What are their top investment priorities? Their biggest challenges? Is their focus different for 2020 than it was in 2019? How will their plans change if the economy strengthens or if it weakens?

Read my blog on Forbes
