Just when we were getting ready for the holiday season, along came the security issues in Log4j. Security professionals across the world jumped into action to understand their risk levels, implement patches on any internal software, and deploy product versions from their suppliers that had been updated. This will continue this year, based on conversations with CISOs and security teams.
Behind the technical issues around the software supply chain and internal applications, there is also a business risk management element — for example, how a company manages risk to its operations using tools like cyber insurance to complement its security processes. In the event of a problem, cyber insurance should cover the costs to recover data, rebuild applications, and get operations running as normal again.
What Is the Role for Cyber Insurance Over Time?
Cyber insurance is a significant industry and growing fast — according to GlobalData, it was worth $7 billion in gross written premiums in 2020. The cyber-insurance market is expected to reach $20.6 billion by 2025. Over the past few years, the cyber-insurance market was competitive, so premiums were low and policies were comprehensive. Over the past year, that has changed — the volume of claims has gone up and led to more payouts, which affected the insurance companies' profitability.
The Log4j issue will affect how insurance and reinsurance companies write their policies in future. Already, we're seeing discussions about Log4j-related issues being excluded from reinsurance policies in 2022, as many policies came up for renewal on Dec. 31, 2021. This will affect the policies that insurance companies can offer to their customers.
What does this mean for IT security teams? For practitioners, it will make their work more important than before, as preventing possible issues would be more valuable to the business. Carrying out standard security practices like asset inventory and vulnerability management will be needed, while examining software bills of materials for those same issues will help on the software supply chain security side. These practices will also need to be highly automated, as business must be able to gain accurate insights within hours, not months, to deal with future threats while reducing the cost impact.
For those responsible for wider business risk, these developments around cyber insurance will present a more significant problem. Cyber-insurance policies will still be available — and necessary where needed — but the policies themselves will cover less ground. While the past few years had pretty wide-ranging policies that would pay out on a range of issues, future policies will deliver less coverage.
Similar to real-world medical insurance where previously known conditions are excluded, cyber-insurance policies will be more stringent. The Lloyd's Market Association, responsible for guidance to insurance organization Lloyd's of London, already published guidance in 2021 around model clauses for insurance companies around cyber warfare and attacks. This includes any actions taken by hacking groups linked to nation-states, as happened with the NotPetya attack targeting organizations in the Ukraine in 2017, which then spread to affect global companies.
These changes around cyber insurance will make it harder to manage business risk in context. While the IT team might carry out their tasks, they won't be able to control everything that the companies in their software supply chain are responsible for. According to Google Security, more than 17,000 packages in Maven Central included Log4j on Dec. 19, 2021, so it's widely embedded in software. Of these packages, around a quarter have updated versions available. This should improve over time, but there will be many that either can't be updated or are orphan packages that don't get fixed. Any incident due to Log4j in the software supply chain could affect the business despite the IT security team's best efforts.
Planning Ahead on Risk Management
To get ahead of this, businesses should look at their overall risk management approach. How much do they rely on cyber insurance as part of their risk strategy compared with their internal processes, and how will this change this year? Over time, cyber insurance will cover a reduced scope and getting a claim approved will be harder.
In order to cope with this, CISOs must think about getting security basics right as part of their overall risk management strategy. This will only be achieved through collaboration with the wider IT department and the business itself. For example, the modern CISO needs to look at security vulnerabilities across all corners of the business — think data centers, cloud deployments, software-as-a-service applications, etc. — and this data needs to be presented in the context of risk to the business by department and division. This makes it easier for businesses to get an accurate picture of their security, and put it into business context.
Additionally, these risks should be prioritized with business impact. For example, if a high-severity vulnerability like Log4j is detected in a core business application and needs patching fast, everybody will be aware of the justification and will support the change request at speed. The board and business leadership team will know the impact on the business that carrying out this kind of rapid response will have, and also the risk from not carrying it out. This makes it easier to get support for better security across the organization, reducing risk over time.
This will help in two ways. First, should reduce the potential for security issues leading to successful attacks like ransomware in the first place, as issues are fixed before exploits are available. Second, it should demonstrate that the organization has effective best practices in place and prioritizes security across its operations. This can help make getting a reasonable cyber-insurance policy easier, as well as ensuring that any policy will pay out when it's needed.