Zero-day vulnerabilities: The hidden threat to the insurance industry
These stealthy, sophisticated security gaps can have devastating consequences for insurers, vendors, partners and policyholders.
As the digital landscape changes rapidly, so do the potential risks to insurance organizations.
Insurers and their partners are responsible for vast amounts of highly sensitive information, with no shortage of household names to target. It follows that the insurance industry has seen its cyber risks skyrocket in recent years.
At the heart of these risk concerns are zero-day vulnerabilities, or sophisticated security gaps that, if exploited, can have devastating consequences for businesses. They represent a pivotal issue transcending IT departments, reaching the wider realms of business operations, reputation, and financial health.
However, many insurance companies find that their clients struggle to fully understand the zero-day threat landscape — let alone build proper zero-day risk detection and prevention methods.
With that in mind, here are several key factors that insurance companies need to share with their clients in order to strengthen their zero-day preparation and response plans.
What is a zero-day vulnerability?
A zero-day vulnerability refers to a software security flaw unknown to those who should be interested in its mitigation — including the software vendor. The term “Zero-Day” is derived from the fact that developers have ‘zero days’ to fix the problem once the vulnerability becomes known. Even more concerning: This also means that cybercriminals have potentially exploited the security hole before the software creator even learns about it.
What is a zero-day attack?
In late January 2023, CL0P, a Russian ransomware group, launched a zero-day attack campaign targeting a widely used third-party product, the GoAnywhere MFT (Managed File Transfer) platform. The group claimed to have exfiltrated data from the GoAnywhere MFT platform, impacting approximately 130 companies over 10 days.
The organizations’ security programs did not identify lateral movement into the victim networks from GoAnywhere. Over the next several weeks, as the group parsed the exfiltrated data, ransom notes were sent to upper-level executives of the victim companies, likely identified through open-source research. The ransom notes threatened to publish the stolen files on the CL0P data leak site if victims did not pay the ransom amount.
In May 2023, CL0P exploited another zero-day in another common third-party provider, MOVEit, and was able to infiltrate numerous private and government networks. The full financial, reputational and legal impact of these two zero-day events alone will take months to fully understand.
The problem with zero-day vulnerabilities
The very nature of zero-day vulnerabilities makes them problematic. First, they are difficult to detect because they remain unknown until they are either discovered by a security researcher or exploited in an attack. Second, because they are unknown, organizations cannot prepare for specific zero-day attacks, making them a wild card in the threat landscape.
The impact on insurance businesses
Business operations: Zero-day vulnerabilities can bring business operations to a grinding halt. When exploited, these flaws can lead to data breaches, causing disruption in daily operations, or worse, complete shutdowns. Depending on the scale of the breach, businesses may need significant time and resources to recover fully, affecting productivity and operational efficiency.
Reputation: Trust is the foundation of any business relationship. A breach due to a zero-day vulnerability can erode that trust rapidly. Customers expect their personal and financial data to be secure. If that trust is broken, regaining it can be an uphill battle, leading to potential loss of customers and difficulty in attracting new ones.
Financial: The financial implications of zero-day vulnerabilities are severe. From direct losses due to theft, fines from regulatory bodies for not securing customer data, to the costs of remediation and reinforcing security infrastructure — the cumulative monetary effect can be overwhelming. Indirect costs, such as loss of business due to reputational damage, further compound the financial strain.
Why it’s not just an IT problem
Considering the widespread implications, it becomes clear that zero-day vulnerabilities are not just an IT problem; they are a business-wide risk-management concern. The potential damages cut across all departments, from customer service dealing with disgruntled clients to marketing struggling to restore the company’s image, finance grappling with unexpected costs, and operations unable to deliver.
Further, cybersecurity should be a part of the company’s risk management strategy. Just as an organization prepares for other business risks, so should it anticipate and prepare for cyber threats. A collaborative approach between the IT department and other divisions will enable a comprehensive and cohesive defense strategy against zero-day threats.
Zero-day vulnerabilities represent a substantial risk in the contemporary digital environment. The significant operational, reputational and financial implications underline the necessity for businesses to recognize and address these threats at all levels of the organization. Effective management of these risks requires the involvement of all stakeholders, reinforcing the idea that cybersecurity is not just an IT problem but a business-wide responsibility. By acknowledging this, businesses can better safeguard their operations, preserve their reputation, and protect their financial stability in an increasingly digital world.
Managing zero-day risks
To enhance resilience against zero-day attacks, organizations must adopt a proactive and multifaceted approach encompassing various cybersecurity aspects. Here are several key steps an organization can take to bolster its defenses and mitigate the impact of zero-day attacks:
- Incident response planning: Develop and regularly test a comprehensive incident response plan that specifically addresses zero-day attacks. Define roles and responsibilities, establish clear escalation procedures, and ensure the availability of necessary resources for effective response and recovery.
- Vendor relationships: Foster strong relationships with software vendors and leverage their expertise and support. Engage in vendor discussions, seek clarification on security practices, and understand their vulnerability disclosure and patch release processes. Promptly apply vendor-supplied patches and updates.
- Third-party risk management: Evaluate your third parties’ security practices and controls (e.g., GoAnywhere and MOVEit). This includes conducting due diligence to understand their security posture, including their vulnerability management processes, incident response capabilities, and adherence to industry standards and best practices.
- Stay informed: Establish a robust threat intelligence program to monitor emerging threats and stay updated on the latest vulnerabilities and exploits. Engage with industry-specific information sharing platforms, subscribe to security advisories, and collaborate with trusted cybersecurity partners to gather actionable intelligence.
- User education and awareness: Conduct regular cybersecurity training and awareness programs to educate employees about the risks posed by zero-day attacks. Teach safe browsing practices, the importance of strong passwords, and how to identify and report suspicious activities. Encourage a culture of cybersecurity vigilance and ensure employees understand their role in safeguarding sensitive information.
- Continuous evaluation and improvement: Regularly assess and update your security posture by conducting vulnerability assessments, penetration testing, and red team exercises. Stay abreast of emerging technologies and evolving best practices to adapt your defenses to the changing threat landscape.
Insurance organizations can significantly enhance client resilience against zero-day attacks by adopting these measures. It is important to recognize that zero-day vulnerabilities can never be eliminated, but a proactive and comprehensive security approach can minimize the risk and impact of such attacks.
Jeffrey Wells (jeffreywells@s7risk.com) leads Cyber Risk and Intelligence, and Jeff Esper (jeffesper@s7risk.com) is vice president of Risk Solutions at Sigma7, a risk information and services provider to corporations and the insurance industry.