Cyber Risk in 2023: Our Top 10 Predictions
As pandemic and economic pressures continue to accelerate digital transformation efforts, those involved in measuring, assessing, and managing cyber risk must continually evolve how they approach building cyber resilience. According to ZScaler, ransomware attacks continued to increase at a rate of 80% in 2022, with no indication of slowing down.
Resilience’s security and insurance team members combined their expertise to create this list of ten predictions they believe will most impact enterprises over the next year. We believe successful organizations in 2023 can’t just be cyber-covered or cyber-secure; they need to be cyber-resilient.
1. Social Engineering Attacks Will Evolve as Hackers' Points of Entry Grow
Points of entry for organized threat actor groups grow in line with organizations' human capital. IT services that support individual employees, such as SaaS services, work-related mobile devices, and third-party IT providers, add entry points for social engineering attacks alongside email. Previous years have shown that breaching users directly leads to the most successful attacks, and bad actors will continue to repeat what has worked in the past. According to HelpNet Security, in 2023 we will see persistence in tactics such as targeting vulnerabilities in software and third-party software, SMS phishing attacks against mobile devices, and breaching trusted vendors that support critical business functions like HR and finance.
Cyber attacks are also becoming more damaging as their impact grows. Organizations will need to stay on alert and engage in regular security training to manage their cyber risk as these actors become more disruptive. “Bad actors continue to evolve and hone their tactics to attack through new means, such as attacks against smart contract systems (etc.) while using tactics that persist in proving successful,” said Justin Shattuck, CISO at Resilience.
2. Securing and Managing SaaS Applications and Third-Party Vendors Will Be a Priority
Software as a service (SaaS) security solutions will become more popular than application programming interface (API) security solutions in 2023. SaaS security received massive funding and attention from investors in 2022, which will continue into 2023. World Wide Technology interviewed executive security advisor Todd Hathaway, who agrees that as organizations continue to sell their products “as a service,” SaaS Security Posture Monitoring (SSPM) services and building infrastructure to monitor the security of software applications will become a new priority for organizations.
Managing the security of your business’s third-party software, applications, and vendors as a whole will become a key component in fostering cyber resilience. “Organizations need to rethink what they consider ‘their attack surface’ as it is too easy to limit it to just the assets within your environment,” said Justin Shattuck, CISO at Resilience. “Instead they need to consider the additional vulnerabilities presented by their vendors and partner relationships that could contribute to their overall attack surface.”
Businesses will seek to partner with vendors who can prove their strong security posture. Those who can’t will not only be at risk of an attack but also of losing valuable clients.
3. Supply Chain Attacks Will Be a Primary Concern, Particularly in a Recessionary Environment
Supply chain attacks are growing more popular amongst organized threat actor groups. Attacks like the SolarWinds breach show the power that leveraging a trusted partner gives an adversary, who can then ride that trust into better-secured victim networks. Legacy vulnerabilities like Log4Shell can also present continued avenues for attacks through vendors, even long after the targeted organization has fully patched its own systems.
“We will continue to see supply chain attacks increase as ‘supply chains’ grow more complex across industries. It's hard to stop these types of attacks because, simply speaking, supply chains provide attackers and adversaries with more impact by throwing fewer stones,” said Justin Shattuck.
4. The CISO’s Role and Responsibilities During an Attack Will Be Increasingly Highlighted and Spotlighted in the Media
The role and liability of CISOs will be spotlighted in the coming years. Following some of the past year’s most notorious incidents, such as the massive data breach at Twitter in July of 2022 and the conviction of Uber CISO Joseph Sullivan, HelpNet Security agrees that the role of the CISO will become better understood, and ultimately more scrutinized, by the media and the general public as society grows more concerned about the security of its data.
The nature of cyber-attacks is unpredictable and ever-evolving, and even the most ethical and secure organizations with highly trained CISOs can experience a damaging attack. However, from the public's perspective, responsibility for a successful attack will fall on the organization's CISO.
In addition to staying up-to-date on security events, continuously educating themselves, and maintaining current licenses, Resilience experts encourage CISOs to focus on understanding risk transfer and on managing and assessing cyber risk holistically. “CISOs should be encouraged to speak up to their insurers. Share your organization's risk management strategy,” said Justin Shattuck, CISO at Resilience. “One of the best ways an underwriter can understand an organization’s security strategy is by having it clearly articulated by the security leaders. Don't feel limited to promoting your security controls and strategy in a paper application only.”
5. Societal and Political Factors Will Drive the Insurance Phenomenon Dubbed “Social Inflation” in Cyber Insurance
According to an article by Hinshaw Law, in 2023 cyber insurers will increasingly experience the impact of “social inflation” and the rising costs of handling and defending claims. The phenomenon of social inflation is traditionally associated with the casualty/liability business, and it refers to the rise in claims costs beyond economic inflation. Reuters noted that this inflation is typically the result of society’s evolving values, perspectives, and trends.
In the world of cyber, large-scale data breaches, where personal data is compromised, are more often resulting in lawsuits against organizations. For example, when Equifax was breached and 147 million Americans’ data was compromised in 2019, the resulting settlement was a hefty $700 million. Resilience’s International Claims Leader, Tom Egglestone ACII, suggests that social inflation plays a large role in incidents like this. “[Social inflation] is affecting the world of data privacy as corporations and individuals grow to mistrust how their data is handled,” said Egglestone. “While a number of socioeconomic and jurisdictional factors make the US more susceptible to this phenomenon, things are shifting in other jurisdictions, including the UK.”
6. The Softening Insurance Market Will Drive Competition and Innovation
The next phase of development in the cyber insurance market will focus on integrating new analytics to drive better risk insights on individual companies. According to McKinsey & Co., as technological analysis capabilities grow, so will the core processes of next-generation cyber insurers looking to place capital more efficiently. Investors and clients will want to buy into cyber insurance organizations that don't have long legacy timelines for change as the cyber landscape grows in complexity. Digitally focused insurance providers will lead the way, as success in the ever-evolving landscape of digital transformation will rely on advanced tech and fast learning capabilities to maintain continuous data.
Due to the increased desire to collect risk data, insurers in 2023 will feel compelled to build stronger customer engagement platforms and smarter insurance products to compete in a soft market and provide increasingly valuable services. McKinsey claims the top 5 innovations that will drive change in the insurance industry are applied AI, distributed infrastructure, the future of connectivity, next-level automation, and trust architecture.
7. Insurers Will Need to Evolve Their Approach to Insuring Cyber Risk
Ransomware attacks are growing more frequent, damaging, and costly. As we move into 2023, cyber insurance organizations will need to reassess the way they underwrite cyber policies, with large-scale attacks in mind. The Geneva Association determined that the cyber insurance industry as a whole has grappled with how to deal with these costly events, even considering excluding them from policies entirely.
To protect organizations from ransomware attacks, underwriters and brokers need to grow their knowledge of cybersecurity as a whole. Currently, risk mitigation and risk management operate in silos, causing disconnects between risk managers, CISOs, and executives. Resilience’s solution to the growing cost of ransomware attacks is taking a holistic approach instead of relying only on industry benchmarks.
“Innovation in cyber insurance has been focused on lowering acquisition costs by delivering scalable digital delivery,” says Resilience’s International Chief Underwriting Officer Kyle Bryant. “While this is a strong tactic, pressure to remain competitive in a softening market will lead insurers to differentiate through underwriting guidelines built on a foundation of security expertise.”
8. The Rising Cost of Cyber Attacks Could Possibly Drive US Government Intervention in Cyber Insurance
As systemic cyber risk becomes a growing concern for cyber insurance providers, the US Treasury Department is looking at how to support the market. Bloomberg Law agrees that the growing frequency of cyber-attacks has raised the concern that a catastrophic cyber attack could seriously impact the entire market and drive insurers to reduce their exposure to systemic loss-type events, particularly those that might be launched by nation-states as an act of war against critical infrastructure.
Resilience’s VP of Communications and Policy, Davis Hake, agrees that government cooperation with the insurance market in better identifying these events could provide increased clarity on cyber risks and even lead to greater capital available in the market to support insureds. “Cyber insurance has the tremendous opportunity to help companies transfer risk and encourage better cyber hygiene,” said Hake. “Resilience will continue to collaborate with government and industry partners to help drive the market in this direction.”
9. World Governments Will Need to Continue to Collaborate to Fight Bad Actors
Protecting critical infrastructure (CI) will continue to be a top priority for European and US governments as the conflict in Ukraine persists into 2023. Warnings from the US Government about Russian actors targeting CI have grown louder as the war has escalated over the past year, claims CISA. The World Economic Forum declared cyberattacks a top concern on global CI back in 2020, citing that industries such as healthcare, transportation, manufacturing, and energy are at high risk for attacks in the coming years.
Information sharing is a pivotal tactic for understanding the ever-evolving landscape of cyber threats. However, too much information without actionable context can become a distraction and burden for defenders. “As critical industries continue to experience damaging and politically motivated cyber attacks, global governments and industries must work together to cut through the noise and work operationally to prevent and remediate attacks against CI,” said Hake. “European and US governments will need to increase their collaboration and share information to stay ahead of our mutual adversaries in 2023.”
10. Organizations Will Need to Become Cyber Resilient to Keep Up with These Changes
Finally, Resilience’s insurance and security experts agree that 2023 will see an increase in organized threat actor activity due to economic trends driving reductions in staffing and increases in automation. Doing more with less will be a key theme as security teams work to keep up with increasingly sophisticated criminal actors and complex geopolitical threats.
As hackers’ techniques become more advanced, organizations need to manage and assess their cyber risk holistically. Risk managers, CISOs, and CFOs need to collaborate when budgeting to secure their data or transfer risk they can’t mitigate. Building Cyber Resilience means establishing a proactive strategy that combines changing human behavior, increasing financial insights, and investing in technology to prepare your organization to withstand and recover from an attack without causing a material impact on business operations or value to your customers.
While national governments work to manage global threats and cyber criminals, it is the responsibility of risk managers, CISOs, and all of us individually to stay educated on trends and best practices in cybersecurity to become cyber-resilient this year.