A Q&A with Ben Hobby of Baker Tilly
Exploding ransomware, supply chain chaos, a global pandemic and increasing global instability. These are just a few factors wreaking havoc in the cybersecurity space. Advisory, tax and assurance firm Baker Tilly recently released its annual Cyber Predictions report, which looks at how some of these forces will shape the field in the coming months. I talked with U.K. Global Forensics Partner Ben Hobby about the predictions and how they may have evolved since the report’s release.
You’ve predicted that cyberattacks will get more sophisticated in 2022. How so?
Most of these hacking groups are actually getting more and more professional, using their “profit” from previous hacks to effectively create further investments in their technology and approach. That’s going to look even worse if they are nation-state-funded threat actors.
How might the conflict in Ukraine change or contribute to these predictions?
This situation has developed a lot since we first wrote the report. Here in the U.K., we had warnings about potential increases in hacking coming as a consequence of the Ukraine crisis. Even if cyberattacks are done by proxy, it will be difficult to link them back to the nation-state. If the risk of the big nation-state actors increases, it’s going to create problems for insurers because of the war exclusion that exists in most cyber policies.
On the ransomware front, the report predicts that legislative changes, such as the Ransom Disclosure Act and the Ransomware and Financial Stability Act, may finally regulate ransom payments and their insurability. What impact will this have on companies?
We imagine these proposals will get more headlines in 2022 but some of the bills are nothing more than politicians wanting to look tough on crime. They are not thinking about the consequences for a company that is legally prevented from paying a ransom and cannot access its data—many companies in this scenario would be dead in the water, which will lead to major job losses. On the other hand, the anti-money laundering laws targeting geopolitical threat actors may have more of an impact in stopping ransomware attacks, which may put more pressure on jurisdictions who aren’t doing the same.
Another prediction is that companies will be asked to comply with more cybersecurity frameworks. What are the concerns around compliance?
I think we have to recognize nowadays that given the integrated nature of supply chains, if you’re managing your own risks, you’ll want to get assurance from your suppliers that they’ve got adequate cybersecurity as well. The analogy I use is boxing: you’ve got multiple world championships— the WBC, WBA, IBF and the WBO, without any clarity as to which champion is actually the best. If you’re a company you may have to comply with many different frameworks to appease your customers, each of which has a different set of standards, with a similar lack of clarity as to which is the best or most appropriate. That is going to have a consequential impact from a cost perspective.
The insurance market has obviously changed a lot in the last 18 months. How does that affect companies right now?
We predicted that companies’ investments in cybersecurity will increase even more. By virtue of both more complicated risk (more remote workers; supply chain concerns) and a hardening market, companies will have to demonstrate a much greater degree of risk awareness and risk management to insurers.
In addition, as companies grapple with the challenges of getting an insurance program adequately supported by the market, we will likely see more opting to cover their risk in a captive insurer. Another big change is that we expect to see more remediation action by underwriters doing more due diligence. I call this a “flight-to-quality” trend where more underwriters are looking to get what they consider to be good quality risks as part of their portfolio.
In order to communicate risk and make themselves attractive to insurers, organizations need to take more responsibility for actually explaining their cybersecurity: not just what they do and what systems are protected but why; and the kinds of protections that are in place to prevent an incident in one part of the network from taking everything down.
In summary…
The cyber insurance industry that NetDiligence® supports will certainly be paying attention to the issues raised here by Mr. Hobby and we appreciate this thoughtful summary.
Breach preparation, as he mentions, is crucial. Breach Plan Connect® helps organizations build a thorough response plan that can be accessed from anywhere at any time. Learn more about Breach Plan Connect