Cybersecurity remains top concern for businesses

November 29, 2023 6:24 AM

di-travelers-031317 — The Travelers Insurance Co. logo office building stands in Hartford, Connecticut on Feb. 6, 2015.

The Travelers Risk Index survey highlights cybersecurity as a top concern for U.S. businesses, as well as medical cost inflation, broad economic uncertainty and increased employee benefit costs.

More than half, 54%, of the participants think it is inevitable that their business will experience a cyber incident.

Tim Francis, enterprise cyber lead at Travelers, spoke with Digital Insurance about cybersecurity and steps businesses can take to reduce potential exposures.

DI: What are the biggest concerns for business owners in 2023?

TF: This was the 10th annual survey that we've done and as much as all sorts of things have changed over 10 years, what remains constant is cyber and the concerns and threats of cyber events affecting businesses of all sizes.

It's always been a top concern of our customers and I think rightly so. It is something they should be concerned about and aware of, but there's also some steps they can take to reduce their potential exposures and impacts.

There's still a fairly significant gap in having a concern and really doing even the most basic things to prevent that concern from becoming a real live event.

They're not sure that they've got the controls in place or not, or they think they do. Some of it is a little bit of we don't think it can happen to us. Some of it is, we're busy running the operation, and we'll get to that when we get to that. So, it's a combination of those factors. I think in a lot of ways, though, and one of the things that we've done over the years, that's been really helpful is to not only just create awareness of the issue, but to have really practical advice that we can recommend to our customers and in some cases through either our risk control team or other partners, walks the customer through, not just what to do but how to do it. So things like multi-factor authentication, which don't need to be terribly complicated. They still might be somewhat complicated for a typical small business. And so we can help that customer implement the right controls.

DI: What do you suggest to businesses to improve cybersecurity?

TF: At a high level, a couple of things, one is we would recommend using endpoint detection and response or EDR software using associated multi-factor authentication. Even things that are as simple as having an incident response plan.

About half of the responders say that they actually have an incident response plan, and are doing an assessment of vendors and other customers that they're interacting with to understand not just how their own environment is working, but how either a vendor or a customer might impact their environment or whether they're moving data from a vendor or allowing the vendor to have access to the data, how they're securing it.

Having patching on their systems, having a process to patch and following that up with a regular cadence, not using software that's been at what's called end of life, software that's no longer supported by the manufacturer.

DI: Has there been an increased adoption in cyber insurance?

TF: It's interesting because even though most of the respondents have cyber as a top concern when it comes down to it, are they purchasing insurance? Only about 75% say that insurance is important, but only 60% of them actually buy it. So 40% aren't buying and actually again, there's really no reason no matter what size customer you are. There's a cyber insurance solution that's available for you. So small customers may buy insurance a little bit differently than large customers and large customers may buy a little bit differently than, you know, fortune 100, but there are different solutions out there depending on what industry you are in and what size you are.

DI: How has the landscape of cyber risk changed in the last few years and has awareness of that risk increased?

TF: I think there's more awareness because frankly, there's just more events that are taking place and if more and more organizations are reporting that they've suffered a cyber event, and even if they haven't, for sure they know a company like them that has and so that's helped create awareness.

I think there is still this sense of, well, even though I know it can happen they're not fully appreciating the amount of impact that these events can have on an organization from just a financial impact to a business disruption impact. They can be catastrophic, particularly to small businesses and even medium-sized businesses. I think really what we've seen over the last couple of years is a movement from what used to be purely, what we would call a data breach or the exfiltration of data, which is certainly still happening to businesses, to ransomware attacks, where threat actors are monetizing these attacks in really different ways and when fully deployed, will essentially encrypt and disrupt the entire operating system, which causes the impacts to be much worse in terms of the longevity of it and the financial impact.

DI: Generative artificial intelligence can be a helpful tool for hackers, is this something you’ve been thinking about?

TF: The threat actors are generally relatively sophisticated. And for them, this is a business right? And so like any business, they're looking to understand how they can operate more efficiently and have more productivity. If AI is a tool that can help make their jobs easier, they're going to leverage it and in some respects, they're almost uniquely situated to do so. They're familiar with technology and often experts in technology, they're obviously using it for nefarious purposes, but they have some means to leverage AI.

On a positive note, AI can be potentially deployed as a security measure. So, it's not all negative. And we're really in the early days of understanding kind of how either side is really going to use AI.

There is no way to know every potential area of failure. Often the root cause of those failures is a human problem. So, somebody misclicked on an email that they shouldn't have clicked on or thought they had pulled MFA but didn't on all systems. So that element will always exist. I think one of the changes that we've seen that's very relatively new to our market is the use of third-party data, where we as insurers can see some of the vulnerabilities that our customers might have. For example, sometimes the customers will have open ports and what's called the Remote Desktop Protocol, RDP port. That's open and exposed to the internet. And in many cases they saw the legitimate business purpose for that, but these are also things that the threat actors can see. Threat actors will simply try to see those vulnerabilities and exploit malware through that vulnerability. So, if we can see that first, we can reach out to the customer and say, 'Hey, we think we see something that you might want to fix on your network,' and we can help them take a potential problem and remediate it at no cost and then no event takes place.

So that ability to leverage data and to see things that are happening in our customers' environment is relatively new and something that we think is very powerful in our ability to help our customer. Our interests are mutually aligned, they don't want to have cyber events and we don't want them to have cyber events. So working together we can get ahead of these things before the insurance policy necessarily even comes into play or has to come into play.

DI: What role does an insurance agent play in cybersecurity?

TF: A lot of insurance agents have become very good and knowledgeable about cybersecurity exposures and ultimately, like any other insurance product, the agents are going to have to be the ones who are recommending coverage to the customer.

It starts with understanding the exposures and how that particular customer feels about risk tolerance and risk transfer and so the agent has to be the expert to guide them through that and it starts with understanding cyber threats and vulnerabilities. The agents play a role in being the first course of action to understand where a customer might make their systems and processes better. And the better they are, the better off they are when they go to secure insurance because it might make the premiums lower, might make more coverage available. So all of that kind of works hand in hand with the agent side and the carrier side, helping the customer understand their exposures and how to deal with them

If they're really starting from scratch, I would say either reach out to your insurance agent and and start there and understand even what questions you should be asking. If you don't want to start with the insurance agent, you can certainly start with the carrier. And even if you don't contact the carrier directly just go to Travelers.com and we've got various links that a customer can kind of plug into and start to get a sense of what cyber insurance is all about, what it covers and what it doesn't cover. But again, go to the agent, start asking the questions, start asking the agents how to think about exposures and the agents will then be in a good position to start making some recommendations for what that customer ought to do, relative to the purchase of its cyber insurance policy.