Systemic cyber resilience requires a risk based approach
IT security teams, insurance buyers and risk managers must move beyond a compliance driven approach to cyber security.
Compliance with cyber frameworks can create a false sense of security against a changing threat landscape
In today's interconnected world, organisations face an ever-growing threat of cyber-attack. Cyber is one of the top concerns for Chief Executive Officers[1]. To mitigate the risks, organisations often implement security measures based on compliance frameworks to ensure their systems and data are protected.
However, cyber compliance is not the same as managing cyber risk. While compliance is an essential component of a comprehensive cybersecurity strategy, it does not guarantee immunity from cyber threats.
Cyber compliance is necessary but not sufficient to manage cyber threats
Cyber compliance is about adherence to specific regulations, standards and guidelines set out by industry bodies and governing authorities. Frameworks such as Cyber Essentials, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR) outline specific security requirements that organisations must meet to ensure the protection of sensitive information.
Compliance involves implementing controls, conducting audits, and ensuring the organisation's policies align with the frameworks. It provides a baseline for security practices by ensuring organisations meet minimum security standards.
Compliance is a necessary aspect of cybersecurity, but it does not provide a comprehensive picture of an organisation's risk posture. Compliance frameworks focus on specific regulations and standards, often resulting in a tick-box mentality where meeting minimum requirements is prioritised over managing the organisation's actual risk exposure.
Cyber attackers are constantly evolving, finding new ways to exploit weaknesses and bypass compliance controls. Simply meeting compliance requirements does not guarantee protection against such threats. Compliance frameworks are set at a point in time and often don’t reflect emerging threats and vulnerabilities.
Cyber underwriters also now look far beyond compliance, so insurance buyers should take a risk-based approach to developing cyber resilience, identifying and prioritising the risks specific to their organisation.
Risk-based approaches allow an organisation to respond to emerging threats
A risk-based approach will consider the likelihood of an attack occurring and the potential impact it can have on an organisation through financial loss, reputational damage, operational disruption, data breaches, and the impact on critical assets.
It considers various factors, including the organisation's threat landscape, vulnerability management, incident response capabilities, and security awareness training. These assessments go beyond compliance requirements and provide a more accurate understanding of an organisation's risk exposure. This helps Chief Information Security Officers (CISOs), IT security teams and risk and insurance managers understand the risks and develop appropriate controls. Developing cyber resilience prior to purchasing cyber insurance will likely have a positive impact on premium, and most importantly, the cover available.
Organisations should prioritise risk management and compliance activities
Compliance frameworks can be a valuable starting point. A risk-based approach goes beyond this by using regular risk assessments to implement appropriate controls, and continuously monitor and update security measures that align with the evolving threat landscape.
Adopting a risk-based approach allows organisations to identify and mitigate potential threats before they materialise. It enables informed decisions about the allocation of scarce resources based on your risk appetite.
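To make the likelihood-and-impact reasoning above concrete, here is an added worked example that is not from the article or from Zurich: a small risk register scored on constructed 1-5 likelihood and impact scales, where each existing control reduces likelihood by an assumed effectiveness, ranked against a constructed risk appetite. The register entries, control names, effectiveness figures and the tick-box checklist are all assumptions. It shows the article's point in miniature: a register that passes a control checklist can still carry a risk above appetite, and only the residual score tells you which one to treat first.

```python
"""Risk register prioritisation: likelihood x impact, scored against a risk appetite.

Added illustration, not code from the article. All scales, register entries,
control names and effectiveness figures are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed risk appetite: residual scores at or above this must be treated.
RISK_APPETITE = 8.0

# Constructed tick-box checklist a compliance review might use.
REQUIRED_CONTROLS = {"mfa", "patching", "backups"}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int      # 1 (negligible) .. 5 (severe), constructed scale
    # control name -> assumed effectiveness at reducing likelihood (0.0 .. 1.0)
    controls: dict = field(default_factory=dict)

    def inherent(self) -> int:
        """Score before any control is taken into account."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Score after controls: each control leaves (1 - effectiveness) of the likelihood."""
        remaining = 1.0
        for effectiveness in self.controls.values():
            remaining *= 1.0 - effectiveness
        return round(self.likelihood * remaining * self.impact, 1)


def is_compliant(register, required=REQUIRED_CONTROLS) -> bool:
    """Tick-box view: every required control is present on every risk, regardless of how effective it is."""
    return all(required <= set(risk.controls) for risk in register)


def prioritise(register, appetite=RISK_APPETITE):
    """Risk-based view: rank by residual score and decide treat/accept against the appetite."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [
        (r.asset, r.threat, r.residual(), "treat" if r.residual() >= appetite else "accept")
        for r in ranked
    ]


# Constructed register. Note the payment API's MFA is weak (e.g. SMS codes) and its
# backups, while present, do nothing to reduce the likelihood of credential phishing.
REGISTER = [
    Risk("Customer database", "ransomware", 4, 5,
         {"mfa": 0.5, "patching": 0.3, "backups": 0.2}),
    Risk("Payment API", "credential phishing", 5, 4,
         {"mfa": 0.2, "patching": 0.3, "backups": 0.0}),
    Risk("Developer laptop", "lost or stolen device", 3, 2,
         {"mfa": 0.5, "patching": 0.3, "backups": 0.4}),
]


if __name__ == "__main__":
    print("Passes tick-box checklist:", is_compliant(REGISTER))
    for asset, threat, score, action in prioritise(REGISTER):
        print(f"{score:5.1f}  {action:6}  {asset} / {threat}")
```

Both top entries have the same inherent score (4 x 5 and 5 x 4), so a checklist or an untreated heat map cannot separate them; the residual view puts the payment API above appetite and the database below it, which is the kind of prioritisation an underwriter will ask you to explain.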
When you buy insurance, underwriters rely on questionnaires and in-depth calls with CISOs or IT security teams to build an overall view of an organisation's cyber resilience. There can be significant benefits to organisations being proactive and able to discuss their cyber risk journey with insurers, which can make negotiations run smoothly and ultimately lead to a cyber policy that closely matches your needs.
Cyber Essentials is a good baseline but does not fully protect against advanced cyber threats
Limitations of Cyber Essentials
Limited scope: Cyber Essentials mainly addresses technical controls and basic cybersecurity hygiene. While these controls are crucial, they only scratch the surface of a comprehensive cybersecurity strategy. Cyber threats are continually evolving through social engineering, advanced persistent threats, zero-day vulnerabilities, and more. Ignoring these areas will leave your organisation vulnerable to sophisticated attacks.
Lack of continuous monitoring: Cybersecurity requires constant monitoring and adaptation. Cyber Essentials provides a point-in-time snapshot of compliance. As threats emerge and evolve rapidly, new vulnerabilities are discovered. Cyber Essentials does not prescribe mechanisms for continuous monitoring, threat intelligence, or proactive defence strategies. Your organisation needs to go beyond a static snapshot to respond to dynamic threats.
Insufficient emphasis on people and processes: Cybersecurity is not just a technological challenge. People and processes play a significant role in your organisation's security posture. Cyber Essentials does not adequately address controls such as security awareness training, incident response planning, supplier risk management, or user access management. Neglecting these can create significant vulnerabilities.
Inadequate risk assessment: Cyber Essentials does not explicitly require organisations to conduct comprehensive risk assessments tailored to their specific industry, size, and threat landscape. Risk assessments help identify vulnerabilities, evaluate potential impacts, and prioritise investments. Without a robust risk assessment process, your organisation may overlook significant risks or fail to allocate resources effectively.
Implementing proactive cybersecurity measures
To enhance cybersecurity resilience, your organisation should adopt a more comprehensive approach that goes beyond compliance with standards. You should:
- Review core controls: cyber underwriters typically expect you to have Multi-Factor Authentication (MFA), appropriate privileged access management controls and procedures, vulnerability and patch management processes, use of monitoring and detection tools (e.g. SOC, SIEM, EDR), incident response planning and testing, and evidence of a robust and regularly tested backup solution.
- Adopt a risk-based approach: conduct regular risk assessments to identify and prioritise cybersecurity risks. This allows tailored security strategies, effective resource allocation, and addressing vulnerabilities specific to your operations.
- Implement advanced security measures: go beyond the basic controls outlined in Cyber Essentials and implement advanced security technologies and practices. This includes investing in intrusion detection systems, encryption technologies, security information and event management (SIEM) solutions, and employee training programs that focus on phishing awareness and incident response.
- Emphasise continuous monitoring: establish mechanisms for continuous monitoring and threat intelligence to detect and respond to emerging cyber threats promptly. This involves implementing security monitoring tools, conducting regular vulnerability assessments, and staying up-to-date with the latest threat intelligence reports.
- Cultivate a cybersecurity culture: prioritise cybersecurity awareness and education programs to foster a security-conscious culture among employees. Regular training, simulated phishing exercises, and incident response drills can significantly reduce the risk of human error and strengthen the organisation's overall security posture.
Measuring cyber compliance is a necessary part of any cybersecurity strategy and ensures adherence to regulatory requirements and industry standards. However, compliance alone does not guarantee protection against cyber threats. Effective management of cyber risks requires organisations to adopt a risk-based approach.
By conducting comprehensive risk assessments, identifying vulnerabilities, and implementing proactive security measures, your organisation can enhance its resilience to cyber-attacks and protect valuable assets. It is the combination of compliance and risk management that creates a strong foundation for robust cybersecurity practices in today's ever-changing threat landscape.
We can help
The Zurich Resilience Solutions (ZRS) cyber team provides specialist risk management services to help you develop cyber resilience.
For further information or to discuss the issues raised in this article contact zrs.enquiries@uk.zurich.com or visit here for more information.
About our authors
Ben Watson - Ben Watson is a Senior Cyber Underwriter currently working for Zurich Insurance Company. He has over 8 years’ experience in the cyber insurance market, including previous roles at Beazley and a Lloyd’s Members’ Agency. He works predominantly with middle market and large corporate customers across a broad range of industries and territories.
Arunava Banerjee - Arun is the Cyber Risk Consulting Lead for Zurich Resilience Solutions and chair of Zurich’s Cyber Global Risk Engineering Technical Centre. He provides consultancy for organisations to improve cyber resilience. Arun has over 15 years of experience in Cyber, Project Management and IT Operation within various industries including insurance, health, public sector and consultancy.