
2023: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

The changing third party ecosystem

Why proactivity became the norm in third-party management

The ever-increasing technologisation of our world makes it impossible for companies and organisations to assure their cybersecurity without involving their partners or suppliers. Third-party risk management has become the proactive starting point of an elaborate cybersecurity strategy. “In fact, it is now a basic requirement to protect your organisation,” says Swift’s chief security officer Debbie Janeczek.

Debbie Janeczek

Chief Security Officer at Swift

Our contemporary business environment and, by extension, entire society face several technological challenges. Since the COVID pandemic, the digital transformation has accelerated, which also raises new security concerns. After all, virtually every company and organisation uses a multitude of technology products or services from both large technology players such as Microsoft or SAP, and service providers for a particular sector. 

Larger attack surface  

This context obviously involves major implications for the cybersecurity of these organisations. “Companies spend a lot of time securing their own data, but then interact with others, distributing some of that data to service providers or third parties. By increasing the attack surface, this also increases the risk of cyberattacks,” states Debbie Janeczek. She is Chief Security Officer at Swift, an international banking cooperative providing services related to the execution of financial transactions and payments worldwide. “It is evident in actuality. For example, third-party breaches at large companies have continued to increase, and are commonly acknowledged to be a problem in the industry.”

Coupled with the reality that cybercrime is now an industry in itself, driven by economic motives, it comes as no surprise that third-party risk management has become a constituent part of a cybersecurity strategy. “In practice, you will notice that this is a starting point when devising cybersecurity policies. Today, for instance, potential partners extensively question one another on cybersecurity, before engaging with each other. The questionnaires are increasingly robust.” 

This increase in maturity can also be extended to the handling of vendors and to the internal operations of large companies, which are progressively operating to set standards when considering possible collaborations with third parties. “In summary, this evolution should mainly be understood as a shift from reactive to proactive policies in terms of dealing with third parties within cybersecurity. In fact, it has become a basic requirement for anyone who wants to do business. The financial sector, which historically has been at the forefront of technology, has played a leading role in this shift,” clarifies Janeczek, who immediately stresses that this approach can only exist in a world where there is a constant focus on knowledge sharing and collaboration. 

Embracing new technologies  

The trend is by no means new. “It is fundamentally different from AI, which has taken the world by storm in 2023, and currently occupies the entire cybersecurity sector. The latter, however, also offers clear opportunities around third-party risks. Thus, in the future, it cannot be ruled out that AI could be used structurally as a means of third-party management.” 

For Debbie Janeczek, this structural embrace of new technologies is no less than a minimum requirement for the future. Only by doing so, will we be able to keep up with the increasingly complex security challenges: “The further developments around quantum computing are tantamount to the arrival of a totally new reality, once again requiring us to completely rethink security and cyber risks. Conversations on the subject are already in full swing and will only increase,” she concludes.  

“Insurers are increasingly taking third-party risks into account”

Not only is the number of cyber incidents on the rise in our country, the number of companies taking the step to insure themselves against such attacks is also increasing. But what types of damage does this insurance cover? Which conditions determine the cost of a cyber insurance policy? And how do insurers deal with third-party risks? We asked Tom Van Britsom, cyber expert at Vanbreda Risk & Benefits, to explain.

Tom Van Britsom

Cyber Expert at Vanbreda Risk & Benefits

As Belgium’s largest insurance broker, Vanbreda Risk & Benefits has a good overview of the cyber risks that Belgian companies are confronted with. The broker’s portfolio of insurance policies against cybercrime increased by 20 percent in 2023, to 15.6 million euros. “We are seeing an increase in both the number of customers and the cost of current policies, causing the premium volume to rise. That should not be surprising, because hackers are increasingly bold. Any company can be a target. Insurance is therefore not a luxury,” says Tom Van Britsom. 

Cyber insurance remains a relatively new concept for the sector. “Many insurance companies struggle with correctly estimating a premium. As a result, there are big price differentials in the market, and a premium can be expensive,” Tom explains. “That is why it is important to be transparent about your situation: giving a good picture of your company, your suppliers and your customers. The size of the company, its activities, the number of employees, the claims history, the turnover, the cybersecurity maturity of the company, etc., determine the pricing.”

Stricter acceptance rules 

In some cases, the insurer refuses to grant a company a policy against cyber risks. “That has to do with their acceptance rules. For an insurer, the balance sheet must be in balance over several years. In other words, the premiums received must continue to reimburse claims. This explains why certain insurers focus on specific sectors or sizes of companies.” 

One of the factors playing a role in acceptance is third-party risks. Tom Van Britsom: “Insurers are increasingly taking third-party risks into account in their underwriting policies. They need a good assessment of the digital dependency and connectivity between companies. Today, companies may use common systems or be dependent on a service provider. Manufacturing companies need logistics companies, which in turn transport goods to warehouses, etc. Because every company plays a crucial role in the supply chain, a cyber incident rarely affects just one organisation.” 

Working on the human firewall 

The fact that insurance is becoming more expensive and sometimes more difficult to obtain should not stop companies from insuring themselves against cyber risks, Van Britsom suggests: “The exercise of considering an insurance can be instructive. Furthermore, it is better not to postpone the decision: the world is evolving so quickly that we will always be confronted with new cyber challenges.” 

In addition – and this is often a misconception – cyber insurance is about much more than compensation for the damage incurred. “For example, the insurer’s helpline is also important and valuable, because it will guide you through the entire incident, including the recovery process. That is why it is important to look at how the helpline is structured and which experts you will be able to call on.”

The cyber expert of Vanbreda Risk & Benefits concludes with one final piece of advice: “In addition to insurance, companies must continue to invest in the human factor, and point out the dangers to their employees. Insurance and prevention go hand in hand. Don’t forget that human action is still the basis of 90% of cyber incidents.”

“We need to delve deeper to examine third-party risks”

Mastercard is undergoing a transformative journey beyond its traditional financial services. In an era rampant with cyberthreats, its approach involves rigorous research and a paradigm shift in how cybersecurity is perceived and managed. Maikel Ninaber, Director of Cyber & Intelligence at Mastercard, reveals its pioneering strategies, illuminating the need for comprehensive risk assessment and innovative tools to navigate the evolving cybersecurity landscape, and to adhere to stringent regulatory frameworks.

Maikel Ninaber

Director of Cyber & Intelligence at Mastercard

While Mastercard has long enjoyed global recognition for its role in payment solutions, its more recent commitment to cybersecurity is less widely acknowledged. “Through our payment cards, we’ve established a strong foundation of trust. This trust is what we aim to replicate in our cybersecurity solutions. As a prominent player in the global financial sphere, we understand that we are among the most targeted companies worldwide, giving us substantial experience with cyberattacks,” explains Maikel Ninaber. 

In pursuit of this objective, the company is dedicated to, among other initiatives, comprehensive research and analysis of the existing cyber landscape. “Our research indicates there will be a significant transformation within the cyber ecosystem in the upcoming years. Approximately 75 percent of employees will interface with technologies operating beyond their traditional IT systems. Consequently, third-party risks will surge, both in quantity and scope. This will inevitably lead to both a substantial escalation in cyber risks and in the repercussions of incidents, with breach costs potentially increasing as much as sevenfold,” Ninaber continues.  

Reimagining security: examining each “ingredient” 

At present, however, effective security measures involve continuous monitoring to mitigate risks that might not be entirely clear. “The truth remains that, for numerous services, we lack comprehensive insight into all the involved entities and systems. And adapting to this reality will require a change in approach. In current day-to-day practices, regrettably, responses are often reactive, occurring only after an incident has taken place – by which time it’s too late.”

This context thus necessitates a paradigm shift in identifying potential risk contributors. Maikel Ninaber: “Our goal should be to create a framework where we don't merely scrutinise and assess products based on associated risks at a surface level. Rather, we must delve deeper into examining the ‘ingredients’ of each product, and apply risk analysis at this granular level. For every product and supplier, an assessment of these ingredients becomes imperative, as they constitute potential layers where vulnerabilities might manifest.” 

Tools tailored to a new reality  

To facilitate this transition, Mastercard itself offers an array of tools. “Our aim is to equip the ecosystem with tools that foster a novel approach towards understanding third-party risks. This symbiotic relationship between our studies, landscape analyses, and tool development underlines their intrinsic coherence. These tools don't merely offer insights into the complex risk landscape; they also contribute by pinpointing critical areas of concern and delineating necessary remedial measures. Additionally, they prioritise actionable steps,” adds Ninaber. 

Legislation takes on a pivotal role in this endeavour. “Our suite of tools is distinguished from others, as it aligns with regulatory initiatives such as NIS2 and the Digital Operational Resilience Act (DORA). Companies can use these tools to effectively chart their compliance with the stringent regulations. This, in turn, furnishes them with comprehensive guidance, enabling international benchmarking without extensive survey efforts,” Maikel Ninaber concludes. 

“Digital trust requires a common language”

The multitude of technologies that reinforce each other, the speed of technological innovation, and the constant presence of cyber threats are all contributing to third-party risk management becoming a central theme in cybersecurity. Malicious code injected into a single software application can have a huge impact on other users and systems. Thus, more than ever, digital trust is the keyword. “In practice, this level of trust can only be achieved when there is a common language,” Egide Nzabonimana of ISACA Belgium suggests.

Egide Nzabonimana

President of the Belgium chapter at ISACA

Companies are being driven to adopt technology at an unprecedented pace. In the past years, both remote working and the transition towards Industry 4.0 have accelerated the introduction of new technologies and digital tools. While such technology has been of great assistance, it has also brought about an increase in malicious cyber activity.  

“Cyber threats introduce risk to business operations and to systems,” says Egide Nzabonimana, president of the Belgium chapter of ISACA, an international non-profit organisation for IT professionals. “Not only are the systems used by the company itself at risk, but so are those outsourced to their third-party suppliers. This is particularly concerning for organisations whose operations rely heavily on third-party support and capabilities.” 

The back-end has become a complex web 

The result is that the back-end of a company’s digital systems has become a complex web involving many different players. Their software and systems must be compatible with each other in order to function correctly. But in the light of continuous cyber attacks, this web must fit together as tightly as possible, with no security gaps. “You can compare the situation to a newly formed family. Third-party risk management is the new form of marriage that enables our current way of operating a business,” according to Nzabonimana. 

Companies must thus not only assess their own security environments, but also understand the security environments of their third-party suppliers. “You need to treat the third-party supplier’s environment as an extension of your own IT systems. Third parties must demonstrate that their state of governance and their cybersecurity are in harmony with those of the organisations they work for, supporting systems without introducing weaknesses that can be exploited by cyber criminals. These are two major challenges for any enterprise infrastructure and accompanying third-party supplier, as the objectives of each may not align as smoothly as one would expect.” 

Keeping up with technological changes 

For successful third-party risk management, there is first a need for digital trust. “In practice, that level of trust can only be achieved when there is a common language. And this is ISACA's aim. By offering training, audits and certificates to IT trust professionals, we enable dialogue,” Egide Nzabonimana explains. “Our certificates are a globally recognised quality label that is also linked to an ethical code of conduct. They demonstrate that someone is able to contribute to a specific theme within cybersecurity. Moreover – and this is essential – you can only renew the certificates if you can demonstrate that you are keeping up with technological changes.” 

One of the most important technological breakthroughs of 2023 was generative AI, which can also become a game changer for cybersecurity. “If we want to keep up, it is crucial that we learn to have the right focus. That is why we must continue to build a framework that can deal with these impactful trends. We further contribute to this through the ISACA certificate we have now introduced for new technology.”

Collaboration and knowledge-sharing among cyber professionals therefore remains very important. “Thanks to organisations such as the Cyber Security Coalition, a well-developed ecosystem has emerged in Belgium, with the same mission as ISACA. This ensures that we do not have to keep reinventing the wheel. Especially considering the ongoing labour shortage in our sector, we must continue to look for ways to allow business-minded people to collaborate optimally with IT professionals,” the president of the Belgium chapter of ISACA concludes.