What can happen when a single cyber event triggers widespread disruption across multiple organisations? For your business, the answer will depend on the strength and preparedness of your cybersecurity and breach response.

Author: Johnty Mongan

The more connected our technology infrastructures become, the harder it will be to mitigate systemic cyber risks. We only have to look at the 2008 financial crisis or the COVID-19 pandemic to understand how quickly the landscape can change when so many elements of society are intertwined.

Translate this type of risk into today’s cyber world and the ease with which catastrophes can cascade is alarming. A single system failure or cyber-attack in a shared dependency can disrupt many entities at once, including your business. As organisations consolidate their IT infrastructure onto a handful of common providers for convenience, their exposure to such systemic attacks grows with it.

The genesis of systemic risk

My personal interest in systemic risk was piqued when a former colleague of mine left their cybersecurity business to venture into bug bounty programmes (where websites, software developers and organisations offer financial rewards to individuals who find and report bugs, especially those relating to cybersecurity). This highlighted the lucrative nature of identifying vulnerabilities in technology platforms, with companies such as Microsoft offering up to USD 250,000 for a single qualifying vulnerability report¹. It spurred a critical question: if a researcher can earn such rewards for finding a flaw, how much more could a malicious actor gain by exploiting the same flaw before it is fixed?

The growing threat landscape

Today, most organisations are consolidating their IT providers for the sake of simplicity. However, this brings a significant risk: the more ubiquitous a technology becomes, the more attractive a target it is for cybercriminals. A single vulnerability in a widely used platform run by Microsoft, Google or Amazon Web Services (AWS) can potentially affect millions of users at once. The odds increasingly favour the attacker, who needs to find only one exploitable flaw to cause disruption on a massive scale.

Understanding CVEs and their impact

Common Vulnerabilities and Exposures (CVE) identifiers name specific, publicly disclosed security flaws in software. The CVE entry itself is only a name and description; severity is normally expressed separately as a CVSS base score from 0 to 10, and the likelihood of exploitation by indicators such as an EPSS probability or a listing in a known-exploited-vulnerabilities catalogue. With approximately 80 new CVEs published every day², the challenge for organisations is immense. Scanning for vulnerabilities once a month is no longer sufficient; continuous monitoring, with triage driven by both severity and likelihood of exploitation, is now essential to stay ahead of potential threats.

Systemic cyber risk in action

The breach of the software company SolarWinds is a prime example of a systemic cyber incident. A legitimate, signed update to SolarWinds' Orion platform was shipped containing malicious code, giving the attackers remote access to the numerous organisations and government agencies that installed it. Even once patches were available, organisations that failed to respond promptly faced significant disruption³. Another historical example of a systemic cyber-attack is the 2017 WannaCry ransomware outbreak, which spread through an unpatched Windows vulnerability and affected thousands of businesses globally, including 40 UK hospitals⁴. This led to delayed treatments and surgeries and cancelled appointments, and was a huge wake-up call for directors about the dangers of unremediated IT vulnerabilities.

Gallagher’s Cyber Defence Centre and the importance of speed

The difference between organisations that successfully mitigate systemic risk and those that suffer from it often boils down to speed. Rapid identification and remediation of vulnerabilities are crucial. To combat systemic risk, Gallagher has developed the Cyber Defence Centre, with automated tools and continuous monitoring capabilities designed to ensure that organisations can address vulnerabilities as soon as they are discovered.

By continually scanning for vulnerabilities, Gallagher’s Cyber Defence Centre can provide real-time updates and fixes, enabling organisations to respond swiftly to cyber incidents. We can help ensure that your organisation is not only aware of potential threats but is also equipped to address them promptly and effectively.

How Gallagher can help

Gallagher’s Cyber Defence Centre is an ongoing package of support and is available here to explore as a one-month free trial*. We can also conduct an open-source intelligence search to double-check what is currently known about your organisation’s network and potential vulnerabilities. Please contact us for details.

Sources

1 Stanley, Jarek. Incredible talent and creativity in the security research community in India, Microsoft, accessed 17 July 2024.
2 Kovacs, Eduard. Vulnerability Handling in 2023: 28,000 New CVEs, 84 New CNAs, SecurityWeek, 8 January 2024.
3 CVE-2020-10148 Detail, National Vulnerability Database, accessed 17 July 2024.
4 Holley, Kenneth. The Ripple Effect: Understanding the Broader Impacts of Cyber Incidents, Silent Quadrant, accessed 2 August 2024.
*Terms and conditions apply. Promotional Period: 00:00 15 April 2024 to 23:59 15 April 2026. Open to businesses based in the United Kingdom and the United States of America who do not currently have a CDC subscription and have not already received a free trial. You can access the free trial via the link. Full terms and conditions can be found here.


Disclaimer

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.