Milliman's Beck: Reducing Ransomware Threats Could Raise Other Vulnerabilities
Taking single-minded steps to reduce the risk of ransomware attacks could open companies up to other vulnerabilities, said Chris Beck, a managing director with Milliman.
Insider Engage spoke with Chris Beck at the Joint Industry Forum in New York.
Q: How would you describe the cyber risk landscape today?
A: The risk landscape in cyber is changing. It's changing quickly, and it's changing substantially. And that's meant that the insurance companies as well as the insured have had to make serious decisions.
One of the changes has been around ransomware. We've seen a precipitous rise in ransomware attacks on companies and other large organizations. From the insurance point of view, that means insurance companies are starting to make decisions on whether or not the insurance contracts they issue will pay in the event that the insured pays a ransom. That also means that the insured are making decisions about the types of insurance that they're buying, and other decisions about their risk and control landscape.
It's important to think of insurance as one of the tools that a company can use to either mitigate or, certainly, transfer risk. And it's also important to look at the other suite of key roles that they can use to reduce the potential impact and speed the recovery from a ransom attack. Definitely, it's important to look at this risk as an adversarial risk, and look at it from the point of view of the cyber criminals and cyber bad actors. In the event that insurance companies are no longer paying if an insured pays a ransom, we come into a situation where the bad actors, being sophisticated cyber criminals and being in this with a profit motive, are likely going to create smaller attacks that are easier for companies to pay, but still wanting to continue to have this be as lucrative an industry, if they can increase the number of attacks that we're seeing across the landscape.
Q: What should companies be doing?
A: Companies should be taking a holistic view of their cyber risks. So I mentioned insurance is one tool, but there are many others. So understanding their control environment, which controls are effective, which controls still need work, is incredibly important. But then layering in the decisions being made by the bad actor: how would a ransomware attack manifest? Which decisions they made could help mitigate that, or speed recovery? But also, how would other types of cyber attacks, a data exfiltration attack, for example, because the types of controls that can lessen the impact of one attack might very well make them more vulnerable to another. [For instance] a simple way to reduce a ransomware attack is to duplicate your data in several areas. So if it's held ransom, the company can recover quickly because they have other copies of their data. Well, we just created a larger threat landscape for the bad actor who's looking at a data exfiltration attack.
If you understand that landscape, and what the total impacts could be, and you layer in the different decisions that a bad actor could be making, you're going to be able to make a more holistic decision. That could be investing in controls, and sometimes that could be looking to insurance contracts to help transfer risk.
Q: What's next for the insurance industry?
A: What's next for the industry is continuing to understand how these risks change, and one of the sets of decisions that is closest to the insured is what is going to happen over 2022. In 2022, we are hopefully very likely going back to a world where you have decisions to work from an office or work from home, and at some point we will find out what the new normal looks like for our working environment. That's great for workplace decisions. That's great for personal decisions. It's great for the ability to travel. But it means that the threat landscape, the different attack vectors that we're going to see going forward, are going to start to solidify this year.
We need to make sure that we're taking into account what sort of cyber risks those pose and what decisions bad actors are going to make. If we think about what we know and what the bad actor knows, we're walking through some of the eventualities of those decisions. Companies are announcing quite widely how they're going back to work, if they're going back to work. Insurance companies are announcing quite publicly if they're going to be issuing contracts that will pay in the eventuality of ransom, or if they're not. Governments are beginning to make decisions and give advice about whether you should be paying a ransom or not. The bad actor has all of this information, and we don't have all the information about what the bad actor is doing about that. So being prudent in how we're making those decisions, taking into account the different types of decisions a bad actor could make, is going to help companies reduce their vulnerabilities and find that right set of controls and right set of risk mitigation and risk transfer strategies to go forward.