Cyber Risk is a Business Issue

  • May 26, 2026

Earlier this month at RISKWORLD, I attended two educational sessions, specifically “Cutting Through the AI Hype to Better Manage Cyber Risk” and “Through the Looking Glass: Cyber Insurers Become the Target.” These sessions demonstrated how cyber risk continues to evolve and how, when it materializes, it can create serious consequences for any organization. I previously mentioned in my “Why Cyber Risk?” post that as technology advances, it is up to the discretion of an organization to decide what technologies are worth adopting. Every organization utilizes a different mix of hardware, IT systems, third-party tools, and business processes. These technologies support daily operations, but they also create dependencies. In some circumstances, a critical dependency can become a single point of failure, where one compromised system, vendor, or process can hinder an organization’s ability to operate and to deliver the goods or services it has promised to its clients.

As artificial intelligence is increasingly integrated into everyday business functions, organizations must understand exactly how these tools support their work and how they can be used against them. This awareness is significant for resilience and business continuity. During the session “Cutting Through the AI Hype to Better Manage Cyber Risk,” the speaker described AI as a force multiplier for cyber risk that subsequently expands the attack surface. AI can make attacks more convincing through deepfake-enabled fraud, increase the speed of vulnerability discovery, and lower the barrier to entry for individuals attempting to compromise an organization’s assets.

Organizations may transfer some of this risk through cyber insurance, but insurance does not remove the risk entirely. Insurance acts as a mechanism that helps organizations recover from financial costs or liabilities after an incident. It’s important to note that the amount that can be recovered by impacted organizations depends on their cyber policy and security posture. Organizations with weak controls in place may be viewed as higher risk by cyber insurance carriers. These entities may face higher premiums, higher deductibles, limited coverage, and stricter policy requirements. Organizations must not expect to transfer all cyber risk onto insurance carriers. Cyber insurers are not immune to the same risk environment. These carriers handle sensitive policyholder information and claims data, which makes them incredibly attractive targets for threat actors. This adds a layer of complexity for organizations. If a cyber insurer is compromised or operating at reduced capacity, organizations relying on it can face delays in claims and incident response support. Cyber risk is not a technical issue. It’s a business issue that influences continuity, operations, and trust.

A line that was particularly memorable to me was from Coalition’s Shawn Ram during his “Through the Looking Glass: Cyber Insurers Become the Target” session: “As defense, you need to be right 1000% of the time. The adversary only needs to be right once.” In theory, all organizations should prioritize their security posture with the proper awareness and management of the risks present, regardless of cost. When cyber risk is poorly considered, organizations may face damage to client relations and trust, operational disruption, and revenue losses. We must carefully consider that every business has varying levels of resources available with constraints that are unique to them. We cannot expect them to devote the majority of their resources to one facet of their business. Cyber risk management is not about eliminating every risk, but about identifying the risks present, determining what risks should be prioritized, and allocating the appropriate resources toward controls that best protect critical assets and support the resilience of IT systems.