By Tom Goodwin

More than half of us expect our businesses to be the target of a cyber attack in the next year. Half of us also think that if we were hit, we would lack the ability to recover.1 Pile on the other factors of the evolving threat landscape, and one begins to wonder how the CISOs of the world can get a restful night of sleep.

  • Geopolitical: Cybercrime thrives on the uncertainty created by geopolitical events. Case in point: it soared by 600% at the beginning of the COVID pandemic.2
  • Increasing stakes: The average cost of a data breach is $4.35 million,3 and ransomware payments average $570,000.4
  • Supply chain vulnerabilities: 19% of attacks are now caused by a supplier getting hit, with the impact filtering through into other organizations.3
  • Inadequate planning: The first hours of an incident are crucial, yet 47% of companies haven’t tested the readiness of their designated incident response teams.5
  • Spiking insurance premiums: Cyber insurance premiums were up 92% in the last quarter of 2021 alone.6

Given the situation, I advise the CISOs I work with to prioritize two actions.

  1. Plan for the worst; expect regulation to continue to lag and insurance policies to devolve.
  2. Insist on proactive responsibility for operational resilience across your organization.

Regulation and insurance

Regulation differs depending on the industry you are in. But one fact remains consistent throughout: regulation sits far behind where we need it to be to mitigate risk.

The main issue with regulation is that new measures do not come in until after a world-impacting event forces them. Before the devastating events of September 11, 2001, for example, some companies had one data center in the north tower of the World Trade Center and one in the south tower. Regulations now mandate geographic separation between two sites so that they are not exposed to the same regional risks.

Yes, regulation lags behind the logical standards needed to mitigate threats, and we must educate the wider business to advocate action that goes beyond meeting the bare minimum.

Insurance companies have already taken notice; hence the 92% rise in cyber premiums in Q4 of 2021 alone.6 Lloyd’s of London announced to its underwriters that from the end of March 2023, state-sponsored attacks will no longer be covered in cyber insurance policies.7

Some companies—such as water utilities and chip manufacturers—find themselves increasingly uninsurable, both because regulation sits far behind where it needs to be and because insurance providers are raising the standards they demand.

Too many companies rely entirely on their insurance policies to cover the costs of recovering from a cyber incident. If you are a CISO, it has never been more critical to think about how confident you are in your ability to recover, and about the financial implications of prolonged downtime, which now faces the very real threat of not being covered by insurance.

Operational resilience

Whether the threat is geopolitical, cyber, or environmental, business leaders need to realize that responsibility for concentrated risk and operational resilience rests with us as CISOs, IT directors, and risk officers, not with regulators or insurers.

According to Gartner®, “By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities.”8

I say this creates a massive opportunity to push for incremental progress—taking stock of where you are today and working toward organizational and industry stability. Establishing a security perimeter is key. Most businesses also need to:

  • Invest in automating and orchestrating recovery processes, improving recovery time and recovery point objectives.
  • Assess and establish how best to mitigate human error when restoring from backups.
  • Make a practice of continuously testing incident response plans, running cyber simulation exercises so that you have confidence in your teams’ ability to act and recover at pace when the worst happens.

Spillover impacts

According to Gartner, “By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.”9 Remember, 19% of attacks today are caused by a supplier being hit.3 That means any business you operate with is a potential liability to your own exposure, and vice versa.

In summary

The threat landscape continues to expand, with a growing volume of increasingly sophisticated attacks, leading to longer downtime and rising recovery costs.

  1. There needs to be a realization that regulation lags behind where you need to be to mitigate risk, and that insurance policies are shifting that risk and responsibility back into your hands.
  2. Whether it’s a cyber attack, geopolitical uncertainty, or an extreme weather event, your organization needs to adopt a culture of operational resilience to survive the evolving threat landscape.

Tom Goodwin is a Business Continuity Specialist at Kyndryl.

1 Half of global CISOs feel their organization is unprepared to deal with cyberattacks. Stone, B., TechRepublic, May 17, 2022
2 2022 Must-Know Cyber Attack Statistics and Trends. Embroker. August 2022
3 How much does a data breach cost in 2022? IBM. 2022
4 Extortion Payments Hit New Records as Ransomware Crisis Intensifies. Palo Alto Networks. August 2021
5 Cyberattacks are inevitable. Is your company prepared? Harvard Business Review. March 2021
6 Cyber Insurers Raise Rates Amid a Surge in Costly Hacks. Wall Street Journal. 2022
7 Lloyd’s to end insurance coverage for state cyber attacks. Computer Weekly. August 2022
8 Gartner Press Release, “Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23,” June 21, 2022
9 Gartner, “4 Third-Party Risk Principles That CISOs Must Adopt,” Luke Ellery, Sam Olyaei, 11 April 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.