Beyond Cyber Insurance: Preparing for Black and Gray Swan Events

The landscape of cyber risk is ever changing, and what worked in the past is quickly becoming inadequate. Today, organizations need more than cyber insurance; they need operational resilience.

Most people have heard of a black swan: a rare, unpredictable event that occurs without warning and is almost impossible to fully prepare for. Conversely, a gray rhino is the black swan’s counterpart: a predictable threat that can be easily identified and dealt with if the proper steps are taken.

But there is a third, less discussed type of event that sits somewhere between the two and can be equal parts confusing and damaging. A gray swan is an event that is predictable and can be easily seen — but one that organizations lack the understanding to handle.

This is the first article in BDO’s series examining Risk and Resilience. Be on the lookout for the next article coming soon.

When faced with a gray swan, such as a data breach or ransomware attack, companies will find themselves in one of two scenarios: uncertain panic or decisive action. Professionals who are properly trained and prepared don’t panic. They don’t hesitate, act recklessly, or question what to do. Instead, they move quickly, work decisively, and proceed calmly. Before organizations can properly respond to a major event, they need to understand the current state of cyberthreats. They also need to recognize that resilience which extends past IT and focuses more broadly on operations is an important — and often overlooked — component of successfully navigating the issue.

Only 20% of Organizations Have Enough Coverage. Do you?

Industrial organizations alone faced an 87% increase year over year in ransomware attacks in 2022. According to the U.S. Treasury Department, $1.2 billion in payments related to ransomware were identified by financial institutions in 2021. While organizations are taking steps to enhance cybersecurity, handle data more responsibly, hire forensics experts, and purchase insurance coverage, they still fall into a trap. They believe by checking those boxes, they’ve taken all the necessary steps to handle the gray swan looming before them.

The truth is they aren’t even close.

Swiss Re AG estimates that half of all organizations have some form of cyber policy, but fewer than 20% of those have enough coverage to meet the average ransomware demands made by cybercriminals.

The current market presents several potential pitfalls organizations may fall into, including complacency. Ransomware attacks and payments are currently in a period of decline, and it can be tempting to believe this trend is going to become the new normal.

It’s not. Organizations that believe cyberattacks will continue their downward trajectory leave themselves susceptible to a black swan event. They increase their exposure to unnecessary risk by not maintaining resilience programs and best practices for the time when the lull ends and cyberthreats increase again.

Even for organizations that don’t fall into the trap of complacency, there is another issue. Many leading and trusted cyber insurance models do not factor in the cost of ransomware attacks, or the business downtime and property damage they cause. The current models are antiquated and use record count to estimate exposure to loss. Using the wrong modeling to make risk treatment decisions will lead to misinformed decisions on how best to protect the organization.

In other words, current modeling isn’t painting an accurate picture of the real-world costs and losses businesses suffer when they’re crippled by a ransomware attack and operations are shut down. It also means that current models don’t properly quantify business continuity losses, so any organizations relying on their projections are being given inaccurate, incomplete data.

Organizations Need More Than Cyber Insurance To Handle a Breach

There is, however, a better way to understand what is not included in the impact models. By properly understanding breach scenarios, the impact they cause, and the cost of the impact forensically, companies can better prepare themselves for a world where cyber insurance simply isn’t enough. Instead of relying on cyber insurance as a first line of defense, there are practices organizations can follow that make the difference between dealing with a data breach effectively or being left scrambling.

Expect the breach: Hackers are cunning, and no company is completely safe from the ever-evolving toolkit of bad actors. In order to prepare, organizations should have a playbook ready that outlines what steps to take as soon as a data breach is discovered. It lists who is in charge of which tasks and who needs to be alerted, and it provides guidelines for command and control of a rapidly developing, chaotic situation.

Organizations also need to be prepared for a world where cyber insurance doesn’t exist in its current form — or even exist at all. Insurers are placing greater scrutiny on proper cyber hygiene, and those who fall short of the requirements can face higher premiums or the inability to obtain coverage at all. At the same time, some insurers create their own check-the-box problems by requiring organizations to have a crisis management plan, but subsequently not defining what that plan should entail. Without an industry standard for what a crisis management plan should look like, some organizations will inevitably operate under a false sense of security when their plans are, in fact, inadequate.

Also, insurers and organizations emphasize IT resilience without proper consideration for operational resilience. Operational resilience includes creating a cyber policy with governance, communications, protocol, and reporting. Companies should also assess their existing cyber capabilities while evaluating where they stand against the industry and their peers. Operational resilience also requires a roadmap for implementing the program throughout the organization and a system of ongoing maintenance to ensure it remains up to date.

Ransomware and other cyberthreats are the gray swan. Organizations can see them coming, but most don’t know how to properly handle them. The recent downward trend of ransomware attacks is unlikely to continue, so it’s more important than ever to take the necessary steps and prepare for a major event now. While cyber insurance remains a key component of preparing for the worst, a full, comprehensive plan requires a framework of operational resilience.