Blog Post
Preparing for a Cyber Catastrophe With a Data-Driven Risk Appetite
October 25, 2023
Working with third-party service providers is part of doing business. Even before the digital revolution, entrepreneurs enlisted logistics and shipping providers, payment processing services, and other outsourced companies to help them streamline operations and reduce costs.
Today's marketplace is no different, although the available third parties have evolved to fit organizations' growing digital needs. These providers offer a wide range of services, from cloud hosting and software to IT operations and supply chain management. Many also help companies fortify their defenses in an increasingly hostile threat landscape.
While these partnerships offer numerous benefits, they also introduce underlying, typically overlooked risks. If a third-party service provider falls victim to a cyber event, the disruption propagates to every customer that depends on it, and at sufficient scale the chain reaction can have consequences for the global economy.
When assessing cyber risk, it is critical to account for the risk as a whole: first-party (direct) exposure and the exposure inherited from the third parties your organization employs, together with a thorough understanding of an attack's many potential negative consequences. Doing so equips your organization to set a realistic risk appetite and to minimize the overall impact should a cyber catastrophe occur.
What Is a Cyber Catastrophe?
A cyber catastrophe is an infrequent cyber event that causes severe loss, injury, or property damage across a large number of organizations at once. It typically originates with a disruption at a third-party service provider or in a widely used technology and spreads because the same dependency is shared by many organizations, so one failure replicates itself wherever that dependency is in use.
Such disruptions include significant data breaches, ransomware attacks, exploited supply chain vulnerabilities, and other cyber threats that impede operations, compromise sensitive information, and result in significant financial losses.
Rather than affecting a single organization, a cyber catastrophe starts within a third-party vendor and then cascades. Attackers leverage the vendor's connections to, and often privileged access into, its customers' environments, exploiting those relationships and the data they expose to create a domino effect of disruption.
Exploiting the Third-Party Service Attack Vector
Third-party vendors such as SolarWinds are pivotal in how organizations run and secure their IT. Their monitoring, patching, and management tools are meant to reduce the likelihood of a detrimental event, and by design they hold privileged reach into every system they manage.
The paradox is that working with these risk-reducing third-party service providers adds a new layer of risk to an organization's environment. Bad actors specifically target these entities because of their interconnectivity: once attackers control the central node, they inherit its trusted access to every customer downstream, and the opportunities for exploitation are extensive.
SolarWinds: A Catastrophic Case Study
SolarWinds is a US-based software company that provides IT management and network monitoring solutions. One of its most noted products is the Orion Platform, which many businesses, government agencies, and other organizations worldwide once utilized.
Between March and June 2020, SolarWinds shipped Orion updates that carried a backdoor, later named SUNBURST. The attackers had compromised SolarWinds' build environment and injected the malicious code during compilation, so the tainted updates were signed with SolarWinds' legitimate certificate and flowed through customers' normal patching. This gave the attackers a foothold inside customer networks from which they could deploy further, more sophisticated tooling.
Roughly 18,000 customers, including governmental bodies and private corporations, installed the backdoored update. The attackers then selectively pursued a much smaller set of high-value targets. The US Departments of Homeland Security, State, Commerce, and Treasury were compromised, and global enterprises Microsoft, Intel, Cisco, and Deloitte were among those that reported installing the tainted build.
The campaign was espionage rather than extortion: no ransom was ever demanded, and the US government later attributed it to Russia's Foreign Intelligence Service (SVR). Victims nevertheless bore remediation costs running into the millions of dollars, had email and other confidential information accessed, and suffered lasting reputational damage.
The effects of the SolarWinds cyber breach are still unfolding today.
A Wide-Scale Phenomenon
The attack on SolarWinds' Orion customers is the most widely known and far-reaching catastrophic incident the cybersecurity industry has seen to date, largely because of the sheer number of institutions affected, including the US government. It is, however, far from the only event to have caused such widespread losses.
Kaseya VSA Ransomware Attack
Kaseya is an American software company that provides remote monitoring and IT management solutions. Kaseya VSA is one of the organization's platforms, used primarily by managed service providers (MSPs) to administer their customers' IT, such as email, firewalls, and networking equipment.
In July 2021, the REvil ransomware group exploited zero-day vulnerabilities, including an authentication bypass, in internet-facing on-premises Kaseya VSA servers. Having taken control of those servers, the attackers abused VSA's own software-deployment capability to push the ransomware to managed endpoints disguised as a VSA agent hotfix. The tool MSPs use to patch their customers became the delivery channel, and systems at hundreds of downstream organizations were encrypted within hours.
REvil demanded roughly $5 million from each affected MSP (and smaller sums from individual end customers) and offered a universal decryptor for all victims for $70 million. Kaseya reported that fewer than 60 of its direct customers, all MSPs, and up to roughly 1,500 downstream organizations were affected, many suffering severe losses.
Other Major Catastrophic Cyber Events
Fortunately, only a handful of major cyber events have caused worldwide disruption on this scale, but they are nevertheless critical to examine when developing strong resilience programs. Other well-known, disastrous cyber events include:
NotPetya Attack: Data Deletion
The June 2017 NotPetya attack targeted computers primarily in Ukraine but rapidly spread to infect systems globally, with significant and far-reaching consequences. The malware was seeded through the update mechanism of M.E.Doc, an accounting package widely used in Ukraine, and then propagated across networks using the EternalBlue and EternalRomance SMB exploits together with stolen credentials, reaching systems worldwide within hours. It posed as ransomware, but it overwrote the master boot record and encrypted the master file table with no working recovery path: unlike traditional ransomware that aims to extort money, NotPetya was designed to destroy data.
The total financial damage has been estimated at over $10 billion, with Maersk, Mondelez, and Merck among the companies affected.
Log4Shell Vulnerability: An Ongoing Threat
The Log4Shell vulnerability, tracked as CVE-2021-44228, was reported privately to the Apache Log4j project in late November 2021 and publicly disclosed on December 9, 2021. Log4j 2 is a logging library rather than a framework, and it is embedded in an enormous number of Java applications and appliances run by businesses worldwide. The flaw was that Log4j evaluated ${jndi:...} lookups inside the strings it logged, so an attacker who could get such a string into a log, through a User-Agent header, a username, or a chat message, could make the server fetch and execute attacker-supplied code. Because it required no authentication and was public before most organizations could patch, it was trivially exploitable and led to widespread data theft, espionage, and the deployment of malware.
Although patched releases were available almost immediately, the library sits so deep in application dependencies and nested archives that exposure persists, and the catastrophic potential remains high, with an estimated 72% of organizations worldwide still at risk.
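One way to find out whether you are among the organizations still exposed is to scan the jar, war, and ear files on a host for log4j-core builds below the patched releases, including copies nested inside fat jars. The following is an added example written for this post, not code from Kovrr or the Apache project; the sample archives are constructed inline so it runs offline, and the version floors are the fixed releases Apache published for CVE-2021-44228 and its follow-up CVEs.

```python
"""Find vulnerable Log4j 2 builds inside jar/war/ear archives, nested ones included.

Added example, not Kovrr tooling. It keys on the Maven metadata (pom.properties)
inside log4j-core jars and on the presence of the JndiLookup class, and recurses
into archives nested in other archives (Spring Boot BOOT-INF/lib, WARs, EARs).
"""
import io
import os
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are ignored."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if this log4j-core version still needs an upgrade.

    CVE-2021-44228 affects 2.0-beta9 through 2.14.1; the follow-up CVEs
    (2021-45046, 2021-45105, 2021-44832) moved the safe floor to 2.17.1, with
    2.12.4 and 2.3.2 as the back-ported fixes for the Java 7 and Java 6
    branches. Log4j 1.x is a different code base and out of scope here.
    """
    v = parse_version(version)
    if v[0] != 2:
        return False
    if v[:2] == (2, 3):
        return v < (2, 3, 2)
    if v[:2] == (2, 12):
        return v < (2, 12, 4)
    return v < (2, 17, 1)


def version_from_properties(text):
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return "unknown"


def scan_archive_bytes(data, location):
    """Return [(location, version, vulnerable)] for an archive and everything nested in it."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        names = set(archive.namelist())
        if POM_PROPS in names:
            version = version_from_properties(archive.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append((location, version, is_vulnerable(version)))
        elif JNDI_CLASS in names:
            # Metadata stripped but the lookup class is present: flag for manual review.
            findings.append((location, "unknown", True))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(archive.read(name), f"{location}!/{name}"))
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive found, reporting paths relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.extend(scan_archive_bytes(fh.read(), rel))
    return findings


def make_log4j_core(version):
    """Constructed stand-in for a log4j-core jar; only metadata and class path matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixtures: an old jar, a patched jar, and a Spring-Boot-style
    fat jar that nests the old one under BOOT-INF/lib/ where a flat scan misses it."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_log4j_core("2.14.1"))
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(make_log4j_core("2.17.1"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as fat:
        fat.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", make_log4j_core("2.14.1"))
        fat.writestr("BOOT-INF/classes/application.properties", "server.port=8080\n")
    with open(os.path.join(root, "app.jar"), "wb") as fh:
        fh.write(buf.getvalue())


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings sorted."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for location, version, vulnerable in demo():
        print(f"{'VULNERABLE' if vulnerable else 'ok        '}  log4j-core {version:<8} {location}")
```

Run against a real host by replacing `demo()` with `scan_tree("/opt")` or similar. The nested-archive walk is the part that matters in practice: the copy of log4j-core inside a fat jar is the one most inventory tools miss, and it is exactly why the exposure figure above has stayed stubbornly high.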
Colonial Pipeline Ransomware: Gas Shortages
In May 2021, Colonial Pipeline, one of the largest fuel pipeline operators in the US, fell victim to a ransomware attack by the DarkSide group. The ransomware hit Colonial's business IT systems, and the company halted pipeline operations as a precaution. Although a targeted attack on a single company, it nevertheless had catastrophic consequences: the shutdown led to panic buying, fuel shortages, and long lines at gas stations along the US East Coast, disrupted fuel flow to critical sectors including transportation, logistics, and aviation, and rippled through other supply chains and the broader economy.
On top of the resulting financial impacts, Colonial Pipeline also paid a ransom of roughly $4.4 million, about $2.3 million of which the US Department of Justice later recovered.
A Hypothetical, But Plausible, $3.5 Trillion Cyber Catastrophe
To help others prepare for a possible global catastrophe, several organizations have simulated cyber scenarios and assessed their impact. Although purely hypothetical, the insights gleaned equip businesses to develop data-based mitigation initiatives.
Lloyd's of London, colloquially known as Lloyd's, recently published such a scenario. Lloyd's is a specialist insurance and reinsurance market in which cyber policies are written, and, working with the Cambridge Centre for Risk Studies, it set out to gauge the global economic ramifications of a wide-scale event.
Measuring losses as reductions in the Gross Domestic Product (GDP) of countries worldwide, Lloyd's estimated that a severe cyber attack on a major global payments system would, averaged across its scenario variants, cause $3.5 trillion in economic losses over a five-year recovery period.
The size of that figure is astonishing. More importantly, however, it underscores the interconnectivity of cyber activity, its potentially devastating consequences, and the urgency of preparing for one of these unprecedented events.
The Role of Cyber Risk Appetite in the Digital Age
What Is Cyber Risk Appetite?
Cyber risk appetite is the amount of cyber risk, expressed in terms of expected financial impact, that an organization is willing to tolerate or "absorb on its balance sheet." Every aspect of an organization's cyber activity should be accounted for when determining it, including but not limited to industry regulations, digital assets, and human error.
Once agreed upon, the appetite drives a concrete capital decision: executives set aside a specific amount in reserve so that, if a cyber catastrophe ensues, the business has enough financial resources to stay afloat. Other critical reasons for a well-defined cyber risk appetite include:
- Overall business strategic alignment
- Data-driven risk prioritization efforts
- Streamlined communication and accountability
The Dangers of Overlooking Third-Party Service Provider Risk
Unfortunately, companies often overlook the third-party services integrated into their systems when developing their appetites. It is an understandable oversight: the intuitive assumption is that the risk levels of the vendors we engage with do not directly affect our own.
For a business, that assumption can prove fatal. If the cyber risk of a third-party service provider with direct access to an organization's infrastructure is not accounted for, the risk appetite cannot be accurately quantified. Without evaluating their vendors' risk, organizations may not have enough funds set aside to withstand an incident.
How to Assess a Third-Party Service Provider’s Risk
Once you recognize that third-party risk is inherent in partnering with outside entities, it is crucial to factor it into the equation and assess the exposure each vendor brings to your organization. To do so, security teams should evaluate the vendor's cybersecurity practices and policies and consider its track record in managing cyber risks and events.
An organization can conduct this assessment independently or leverage on-demand cyber risk quantification (CRQ) models that factor in real-world, objective data about these third parties. For example, Kovrr's CRQ evaluates thousands of data points regarding third-party service providers, such as:
- Platform outages
- System events that have impacted related companies
- Vulnerabilities in the platform that have led to a cyber event
- The loss of data held on a platform and its cause (e.g., misconfigured security settings on the cloud platform)
- Ransomware that has spread to cloud assets and other data
When assessing third-party risk, it’s crucial to establish a practice of continuous activity and cybersecurity posture monitoring. A third-party vendor’s cyber exposure can change quickly, given the dynamic nature of the cyber landscape, and harnessing the latest data is critical for an accurate understanding of risk.
Acknowledging the Unknowns
Given their relative novelty, the industry lacks the depth of data on cyber catastrophes that it has on other events. Many uncertainties remain about how a catastrophe might originate, penetrate software, and spread to other systems.
Common theories hold that such an incident might stem from a prolonged outage at a major provider or from new, particularly destructive malware. Regardless, the limited information makes it all the more important to leverage hypothetical scenarios alongside what is already known, ensuring objectively drawn, data-based conclusions.
Implementing Third-Party Risk Strategies
After gathering the necessary data, companies can then leverage their insights to establish relevant strategies in the face of third-party risk.
Redundancy and Contingency Planning
Setting aside capital according to the cyber risk appetite is one form of contingency: financial preparation for the worst-case scenario. Operational redundancy matters as well. Use the assessment as an opportunity to identify alternative vendors, keep exportable copies of the data and configuration a provider holds for you, and test that you can actually switch, so that downtime is minimized if the original third-party service provider cannot resume its service.
Incident Response Planning
Another way to mitigate third-party risk is to develop and test incident response plans for the events that are most likely to occur. (You can gauge the expected likelihood and severity of a third-party event with Kovrr's CRQ platform.) Security leaders can establish internal protocols to secure data, agree on notification obligations and communication channels with vendors before a breach happens, and rehearse the plan for the case in which the vendor is itself the victim and may be slow to share details.
Cyber Insurance
Although cyber insurance premiums are rising given the increase in catastrophic third-party cyber events, cyber insurance can nevertheless be cost-effective with the proper terms and conditions. A financial cyber risk quantification solution lets your company compare the expected severity of an event with the policy's retention, limit, and exclusions, so you can see how much loss would actually be transferred and negotiate rates accordingly.
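The two calculations this post leans on, sizing the capital reserve that a risk appetite implies (see "What Is Cyber Risk Appetite?" and "The Dangers of Overlooking Third-Party Service Provider Risk") and comparing an insurance policy's terms against the expected severity of an event (above), can be carried through in one small Monte Carlo model. The following is an added worked example written for this post; it is not Kovrr's CRQ model, and every input in it (event frequencies, loss severities, the policy's retention and limit, and the appetite threshold) is an assumed, constructed figure chosen for illustration. A real quantification would derive those inputs from incident, outage, and exposure data of the kind listed earlier.

```python
"""Sizing a cyber risk appetite with and without a shared third-party vendor,
then layering an insurance policy over the result.

Added worked example for this post, not Kovrr's CRQ model. All frequencies,
severities, policy terms and the appetite threshold below are assumed inputs.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossSource:
    name: str
    annual_rate: float   # expected events per year (Poisson frequency)
    median_loss: float   # USD; severity is lognormal around this median
    sigma: float         # lognormal spread (log-space standard deviation)


# Assumed inputs. The vendor source models a catastrophe at a provider many
# organizations depend on: rare, but far more severe than a routine incident.
FIRST_PARTY = LossSource("first-party incidents", 1.2, 250_000, 1.0)
SHARED_VENDOR = LossSource("shared vendor compromise", 0.05, 8_000_000, 0.8)

APPETITE = 5_000_000                      # assumed: at most $5M retained in a 1-in-200 year
RETENTION, LIMIT = 500_000, 10_000_000    # assumed policy terms (annual deductible and limit)


def poisson(rng, lam):
    """Knuth's inversion method: number of events in one simulated year."""
    k, p, threshold = 0, 1.0, math.exp(-lam)
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(sources, years=20_000, seed=7):
    """Monte Carlo: total loss in each simulated year, summed across sources."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for src in sources:
            for _ in range(poisson(rng, src.annual_rate)):
                total += rng.lognormvariate(math.log(src.median_loss), src.sigma)
        losses.append(total)
    return losses


def percentile(values, p):
    """Empirical quantile: the loss exceeded in roughly (1 - p) of simulated years."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p * len(ordered)) - 1)]


def apply_policy(gross, retention, limit):
    """Split one year's gross loss into (retained, insurer_paid) under an
    annual retention and limit. With no policy (0, 0) everything is retained."""
    paid = min(max(gross - retention, 0.0), limit)
    return gross - paid, paid


def summarize(losses, appetite, retention=0.0, limit=0.0):
    """Average annual loss, 1-in-100 and 1-in-200 year gross losses, the reserve
    needed to hold the 1-in-200 retained loss, and whether that sits within appetite."""
    split = [apply_policy(g, retention, limit) for g in losses]
    retained = [r for r, _ in split]
    paid = [p for _, p in split]
    reserve = percentile(retained, 0.995)
    return {
        "aal": sum(losses) / len(losses),
        "p99": percentile(losses, 0.99),
        "p995": percentile(losses, 0.995),
        "reserve_needed": reserve,
        "expected_insurer_payout": sum(paid) / len(paid),
        "within_appetite": reserve <= appetite,
    }


def run_demo():
    """Three views of the same organization: ignoring the vendor, including it,
    and including it with the assumed policy in place."""
    first_party_only = simulate_annual_losses([FIRST_PARTY])
    with_vendor = simulate_annual_losses([FIRST_PARTY, SHARED_VENDOR])
    return {
        "first_party_only": summarize(first_party_only, APPETITE),
        "with_vendor": summarize(with_vendor, APPETITE),
        "with_vendor_insured": summarize(with_vendor, APPETITE, RETENTION, LIMIT),
    }


if __name__ == "__main__":
    for label, s in run_demo().items():
        print(f"{label:20} AAL ${s['aal'] / 1e6:5.2f}M  1-in-100 ${s['p99'] / 1e6:6.2f}M  "
              f"1-in-200 ${s['p995'] / 1e6:6.2f}M  reserve ${s['reserve_needed'] / 1e6:6.2f}M  "
              f"within appetite: {s['within_appetite']}")
```

Two things to read off the output. First, the vendor source barely moves the average annual loss but dominates the 1-in-100 and 1-in-200 year figures, which is exactly why an appetite set on first-party data alone understates the reserve. Second, the insured run shows how retention and limit map the gross tail onto the retained tail; the retained 1-in-200 loss is the number to hold against the appetite, and the expected insurer payout is the number to hold against the premium when negotiating terms.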
Mastering Your Cyber Risk Appetite and Preparing for a Worst Case Scenario
Understanding and managing third-party risk is the cornerstone of a resilient cyber risk appetite in today's complex, interconnected digital landscape. By comprehensively assessing third-party risk, you can develop strategies that limit the impact of a cyber catastrophe and equip your organization to thrive in a global market in which cyber risks are increasingly sophisticated.
If you’re ready to bolster your cyber risk management program and develop a cyber risk appetite that accurately reflects your relationship with third-party vendors, sign up for Kovrr’s CRQ free demo or contact sales today.