6 March 2025 | Technology

Cyber risk & insurance: staying ahead in an evolving threat landscape

Cyber risk is evolving at an unprecedented pace, pushing many organisations and insurers to rethink resilience strategies. As businesses increasingly rely on consolidated platforms and cloud-based services, cyber criminals are adapting, launching more efficient and devastating attacks. Keeping ahead of them is the key challenge, and with ever more inventive threats, including sophisticated extortion tactics, state-sponsored attacks and AI-driven cyber warfare, it’s an area of deep concern.

Reacting to cyber incidents is no longer sufficient – anticipating and managing risks before they escalate is the only way to stay ahead of cyber criminals. 

As the cyber insurance market expands and adapts, leveraging innovative technologies and structured response strategies will be critical to ensure sustainable protection against ever-growing cyber threats, as well as to insurers’ success and growth.

At the recent Intelligent Insurer conference, held early last month with 250-plus attendees and more than 60 speakers, Ben Fielding, director, business development, KLDiscovery EMEA, gave his thoughts on how to build key strategies to enhance predictability and help prepare for cyber incidents, and on the benefits of having an experienced team and structured workflow in place when analysing and reporting on impacted data.

In his current role, Fielding advises corporate clients, lawyers and cyber incident responders on the management of evidence and use of technology in cyber incident response, litigation, arbitration and internal or regulatory investigations. He is highly skilled in data mining, ransomware, cloud storage, data recovery, legal compliance and ediscovery. 

Q: What are the key strategies that will build predictability into cyber incidents?

Ben: Cyber incidents are characterised by their unpredictability, creating significant challenges for insurers, insureds and affected individuals alike. The most pressing question that emerges in the aftermath of an incident is determining its scope and severity. Modern data analysis techniques (“data mining”) can transform this traditionally uncertain landscape into a more predictable process, particularly when assessing the volume and sensitivity of compromised personal information.

Exploring early-stage analysis of file types is an essential first step to ensure we can be more precise in the predictions of sensitive data at issue and the related impact on exposure, timelines for notifications and budgets. There is immense pressure to move quickly, but rushing past a thoughtful assessment of source data can lead to dramatic miscalculations, both in over- and underestimating the scope at the outset.

Cutting-edge technologies are revolutionising incident response predictability. Practical applications of machine learning algorithms can rapidly classify sensitive data, and automated data scraping significantly reduces manual analysis time and costs. By blending these technological capabilities with human expertise, it is possible to achieve greater accuracy in incident scope assessment, moving well beyond the traditional manual review processes that dominated the industry's past.

Q: Is it possible to build strategies to cover all likely incidents?

Ben: While achieving complete coverage of all possible cyber incidents may seem like an impossible goal, particularly given the rapidly evolving threat landscape, it is possible to develop robust, adaptable frameworks that effectively address the vast majority of scenarios. The key lies in understanding that cyber incidents, despite their diverse manifestations, often share common underlying patterns in terms of data exposure, system compromise and business impact. By focusing on these fundamental patterns rather than trying to create specific responses for every possible scenario, it is possible to build resilient and flexible response strategies.

Adopting a modular approach to incident response combines advanced technology with human expertise in a way that can adapt to new threat varieties. Think of it as building with Lego blocks – while we can't predict every structure we'll need to build, having a well-designed set of standardised, interoperable components allows us to construct appropriate responses for novel situations. This approach involves creating standardised processes for data mining that can be rapidly reconfigured and scaled based on the specific characteristics of each incident while maintaining consistency in quality and effectiveness. The true power of this strategy lies in its learning capability – each new incident type encountered helps refine and expand the framework, making it more comprehensive over time.

Q: How are insurers keeping up to date with the latest cyber fraud methods?

Ben: Insurers are evolving beyond traditional threat intelligence gathering to adopt a more dynamic, multi-faceted approach to understanding emerging cyber fraud methods. The most successful are now combining data from their own claims experience with external threat intelligence, creating feedback loops that help identify new fraud patterns as they emerge. This approach involves close collaboration with incident response teams, forensics specialists and cybersecurity firms who are on the frontlines dealing with active threats, allowing insurers to understand not just what new fraud methods are being employed, but also their potential impact on different business sectors.

Q: What difference does early insight into incidents give?

Ben: Early insight into cyber incidents fundamentally transforms the entire incident response trajectory, much like how early detection in medical conditions can dramatically improve patient outcomes. When organisations gain rapid insights into an incident's scope and characteristics, they can make informed decisions within the critical first 48-72 hours that often determine the ultimate cost and impact of a breach. This early understanding enables organisations to properly scale their response efforts, accurately estimate notification requirements and deploy appropriate resources before the situation escalates into a more complex and costly event.

The financial implications of early insight are particularly compelling both for insurers and insureds. Our analysis shows that organisations with mature early detection capabilities typically experience 40-60% lower incident response costs compared to those that discover breaches later in the attack lifecycle. This cost reduction stems from multiple factors: the ability to contain data exfiltration before it becomes widespread, the opportunity to engage with threat actors before they can fully monetise stolen data and the capacity to implement targeted, rather than system-wide, remediation measures. For insurers, this early understanding enables more accurate loss reserving and effective deployment of panel resources, ultimately leading to better loss ratios and more stable pricing models.

Q: What’s the importance of data hygiene and what do you mean by that? 

Ben: Data hygiene has emerged as a critical, yet frequently overlooked, component of effective cyber risk management and incident response. In essence, data hygiene refers to the systematic maintenance of an organisation's data environment – ensuring that data is accurate, properly classified, appropriately stored and regularly reviewed for retention. Think of it as maintaining a well-organised library where every book is properly catalogued, stored in the right location and regularly assessed for relevance and condition. In the context of cyber incidents, poor data hygiene can transform a relatively contained security event into a catastrophic breach, while good hygiene can significantly reduce both the likelihood and impact of cyber incidents.

The practical implications of data hygiene become starkly apparent during incident response. Organisations with strong data hygiene practices are more likely to quickly identify what systems were affected and what types of data were compromised – critical factors in controlling costs and meeting regulatory requirements. In contrast, organisations with poor data hygiene often find themselves in a situation analogous to searching for specific documents in thousands of unlabelled boxes, leading to extended investigation timelines, higher costs and increased regulatory scrutiny.

From an insurance perspective, data hygiene emerges as an underwriting consideration that directly affects premium calculations and coverage terms. Insurers are increasingly looking at factors such as data classification schemes, retention policies and access controls as indicators of an organisation's cyber maturity. There is a growing trend where insurers offer premium incentives for organisations that maintain demonstrably good data hygiene practices, recognising that these not only reduce the likelihood of incidents but also significantly decrease the cost and complexity of incident response when breaches do occur. 

For more information, reach out to Ben Fielding at ben.fielding@kldiscovery.com. https://www.kldiscovery.com
