In the world of financial markets, the term capitulation is used to describe a period of ‘panic selling’ where there is arguably so much fear in the market that most investors ‘surrender’ and sell their positions ultimately resulting in a market bottom. Those who watch the financial markets look for capitulation to trigger a watershed moment, or positive turnaround, in stock prices.
In July 2019, we accurately predicted the need for change in the cyber insurance industry (The Next Phase in Cyber Insurance) based on our first-hand experience helping organizations respond to incidents.
Fast forward to 2021 and we are anticipating this year will mark a watershed moment, or turnaround, for how organizations of all sizes deal with cybersecurity. In recent months, MOXFIVE has witnessed a material shift in organizational behavior with regards to implementing security controls. The pandemic has resulted in a work-from-anywhere workforce. Enterprise-wide ransomware attacks have led to hundreds of millions, if not billions, in lost revenue.
Related, cyber insurance carriers suddenly transformed from a high growth and profitable line of insurance to an unprofitable business unit. To that end, we have seen cyber insurance carriers meaningfully increase the security requirements of their applicants beginning in January 2021. At MOXFIVE, we see these factors as the early signs of a market capitulation that will ultimately result in organizations prioritizing and increasing their investment in proper cybersecurity controls moving forward.
Economics Impact Behavior
The stigma of experiencing a data breach or security incident is no longer frowned upon to the extent it was just a few years ago. The fear of an expensive investigation and potential litigation as the result of such data breach also seems less daunting. Why? Because the fear of having operations shuttered and revenue lost due to a cyberattack – ransomware or otherwise – has become a much greater concern for organizations. It turns out the economics of today’s most prominent security threat have created a ‘big enough’ problem for a meaningful change in behavior to begin.
My first exposure to the cyber insurance industry came in 2015. At the time, cyber insurance was still a relatively new product in terms of market traction – $1bn-$2bn market depending on the source. However, I vividly remember meeting an insurance broker who commented, “Insurance (generally) creates the economic incentive to change behavior. Cyber insurance will be no different.” It certainly appears the comment was grounded in truth.
For a period of time, organizations could purchase a relatively inexpensive cyber insurance policy with a ‘low’ retention (deductible) for millions of dollars in coverage. It was a relatively straightforward method for organizations to manage their cyber risk. Those financial terms used to make sense for both policyholders and insurance carriers, but for most companies, those days are now in the rear-view mirror. Since the beginning of the year, we have seen cyber insurance carriers implement a variety of strategies after a generally unprofitable 2020, including (but not limited to) co-insurance strategies, ransomware sub-limits, and price increases (generally) ranging from 30-50% over the previous year. The result for many organizations (or policyholders) is the need to make an investment in their own security controls prior to even receiving a renewal quote. Said another way, many organizations now need to invest more in their own security just to get the same coverage they had the previous year for a price that on average is 30% - 50% higher.
In addition to a hardening cyber insurance market, the growing discussion regarding ransom payments and potential government involvement, notably warnings from the US Treasury Department's Office of Foreign Assets Control (OFAC) that organizations who pay ransoms risk violation economic sanctions imposed by the US government against cybercriminal groups or state-sponsored threat actors, seem to further amplify the potential for a watershed moment.
Maybe pandemic working conditions are driving some of the change – from employees needing to be more technologically savvy to new supplier requirements (including cyber insurance) from potential clients. More likely, organizational behavior is being driven by the severity and frequency of attacks in 2020 that have led to meaningful changes in the pricing of cyber insurance. Regardless the reason, the financial pain of cybersecurity in 2020 is impacting organizational behavior for the better thus far in 2021.
Control What You Can Control
So, how can organizations best navigate through all the challenges that may be impacting how they manage cyber risk? In life, I have often fallen back on the advice of “Control what you can control.” When things get tough, there may be no better mindset. Security is no different.
Attackers will continue to evolve their tactics and seemingly have more resources to overcome any defenses organizations put in place. And while that may be the case, it doesn’t change the fact that organizations do have some control over their own destiny.
Most organizations MOXFIVE helps in managing an incident response fell victim to an attack because somewhere along the way a seemingly simple decision or choice was overlooked. For this exact reason, when it comes to security, we encourage a “control what you can control” mindset with a focus on the basics to avoid letting yourself be the easy target. You’d be surprised how much the blast radius of an attack can be minimized when organizations focus on the basics and control what they can control.
At MOXFIVE, we encourage our clients to start with these solutions to build the proper security foundation.
No defense is bulletproof, but there’s no reason to let yourself be an easy target when the (generally affordable) basics provided above can minimize the threat to your business. If you would like to learn more about our philosophy on security or would like to speak with one of our MOXFIVE Technical Advisors, send us a message at email@example.com or through our website at www.moxfive.com/contact to get in touch.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.