How the Cyber Risk Landscape Changed in 2022 – and What’s in Store for 2023
Companies recognizing bottom-line impact will spend more on cybersecurity
Friday, January 13, 2023
By Bob Kolasky
From Log4J to the Russian invasion of Ukraine, the events of 2022 have demonstrated that cyber incidents are a very real threat to the functioning of critical services and need to be taken seriously. Here are six ways that cyber risk trends will be developing, and requiring awareness or vigilance, in the year ahead.
1. Business-impact metrics
By the end of 2022, “cyber risk needs to be thought of as a business risk” was almost a cliché. The risk that companies face from ransomware attacks has been made abundantly clear and forced integration between network defense and business continuity planning and boardroom engagement.
Treating cyber risk as a threat to the bottom line will lead to companies spending more money on cybersecurity in future. In fact, 63% of organizations surveyed by research firm CS Hub say they are spending either slightly or significantly more than they did in FY 2021.
When something gets the attention of corporate leadership, accountability increases – particularly accountability on demonstrating results linked to costs. Although there is still relative immaturity in cyber metrics used in the C-suite and associated enterprise risk management processes, there is a lot of innovation in that space. In 2023, we can expect to see movement toward more standard business-impact metrics for cyber risk.
2. Advanced insurance policies
With the continued surge in claims related to ransomware attacks, the cyber insurance market was significantly stressed in 2022. As more companies recognized the need to insure against ransomware, insurance companies increased their exposure to risk. This has led to the cyber insurance market setting conditions around insurance policies that rely on tighter cyber controls by firms, and where the firms have to respond to those conditions to get desired coverage.
Despite fear that there would not be a viable cyber insurance market, investment in cyber insurance continues to increase, and better data on effectiveness of security controls and correlation of loss shows promise in pricing risk.
More people and tools will be required to keep “Shields Up,” Exiger’s Bob Kolasky writes.
In 2023, insurance claims and coverage are likely to continue to increase, and with that, how the market operates will mature further. One issue that needs to be reviewed is the exceptions by insurance providers based on “acts of cyber war” and how broadly those exceptions will be applied.
High-profile court cases related to the 2017 Russian NotPetya attack have indicated that courts may not agree with the way insurance providers currently try to enforce war exclusion, which will create more exposure for those companies. There will also be continued policy debate on whether there is a need for a federal “backstop” to protect the cyber insurance market from systemic risk. Establishment of that backstop is unlikely, however, given the expectations for gridlock in Congress.
3. Integration of cyber operations and war
The phrase “cyber war” has been bandied about for years, and debates over whether cyber attacks are “acts of war” are not new. Still, 2022 was the first time we saw two countries waging a physical war, while also engaging in open cyber conflict. The Russian government clearly deployed cyber attacks as part of their war plans. They were directed at Ukrainian critical infrastructure, other command-and-control targets, as well as via social engineering to try to undermine Ukrainian citizenry support for their government. However, Russia’s cyber offense operations had limited success.
While cyber attacks can cause harm, kinetic weapons still dominate the battlefield and are significantly more dangerous. Countries are likely to continue to integrate cyber operations into their warfighting plans, but they have yet to be deployed in a way that fundamentally alters warfare.
In the near future, we can expect a deeper study on how Ukrainian cyber defenses, coupled with support from allies and non-governmental organizations, performed in stymying Russian cyber weaponry. Cyber “battlefield tactics” will evolve based on lessons learned – lessons which could become particularly important if tensions continue to rise around China’s saber rattling against Taiwan. Therefore, this is an urgent issue for the U.S. national security community.
4. “Shields Up” fatigue
In November 2021, the U.S. government began classified-level meetings with critical infrastructure companies to alert them of concerns about Russia invading Ukraine and the potential for spillover via cyber – or other types of – attacks on U.S. interests, including critical infrastructure. By January, much of this discourse was taken out of classified settings, with these warnings amplified publicly by administration officials. My then-colleagues at CISA brought back the previously used idea of Shields Up to highlight the need for companies to be at their peak performance for network defense.
The consensus is that this has been effective messaging, that proactive strategic warning by the U.S. government can drive private defense practices, and that governments can declassify intelligence for defensive purposes. Despite the worst-case scenario not yet occurring, officials believe the risk remains and have therefore urged a kind of permanent Shields Up posture, given the geopolitical situation. At some point, however, this is likely to stress the cyber defense community, and it will be hard to maintain high postures of security in perpetuity without surges in workforces and tools.
5. Increasing cyber requirements
The Cyber Incident Reporting for Critical Infrastructure Act mandated that critical infrastructure companies report cyber incidents within 72 hours to CISA. The Securities and Exchange Commission also took actions to require additional cyber reporting, while the Biden administration and its European and Australian counterparts continued to suggest that additional security requirements should be placed on critical infrastructure companies with focus on key “lifeline” functions. It has become clear that policymakers are not going to accept a purely voluntary approach to industry cybersecurity and are going to continue to look for ways to place more requirements on companies, especially those that own and operate critical infrastructure.
As I have written previously, increasing requirements only works if the requirements make sense, can be linked to measurable outcomes, and are dynamic to emerging threats. This is a high bar to clear – it requires collaboration between industry and government in implementation and focus on security outcomes rather than compliance costs. In 2023, we’ll see these administrative details fleshed out and a better sense of whether cyber requirements can be effectively designed and implemented.
6. Software supply chains: the next security frontier
By no means have organizations learned to fully secure their core information technology and operational technology systems, so it seems unfair to layer a new challenge for network security. That being said, the ubiquity of third-party software use for core business operations has introduced a significant new risk. Software supply chain attacks proliferated in 2022 as a back door into operational targeting, and accounting for managing software supply chain risk is now a core part of cyber security.
Managing software vulnerabilities requires deeper knowledge of critical software, the development processes associated with that software, active vulnerability management, and the ability to automate processes. The tools to perform all of those are not widely deployed, meaning that controls are likely inadequate. In 2023, initial federal requirements for software bill of materials and software development processes will come to fruition, which will drive the marketplace and innovation in tooling. It remains to be seen if additional transparency will significantly reduce software supply chain risk, but it is certainly a necessary step.
Bob Kolasky, formerly assistant director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), joined supply-chain and third-party risk management solutions company Exigerlast year as senior vice president of critical infrastructure.