About Zurich
Strengthening cyber defenses to promote business resilience and data security
By Christopher Eaton | Marketing and Product Specialist, SpearTip/Zurich Resilience Solutions
The challenges on the cyber threat landscape are vast and have demonstrated the capacity to create significant disruptions to businesses, economies and individuals. Singular incidents, which may seem minor or insignificant at the moment, regularly wreak havoc on digital ecosystems. Because of the immense challenges posed by threat actors and various non-malicious activities, it is vitally important for organizations to engage in cyber risk management around business-critical software, services and internal practices. There is no singular framework that works for every business, but there are valuable measures that can help bring lasting resilience.
Cyber threats are top of mind for many individuals, businesses and public entities. The 2024 Global Risks Report from the World Economic Forum identified “cyber insecurity” as the fourth most severe short-term risk and eighth in long-term risk, as just one indication of its worrisome global presence.[1] The repercussions can be devastating if cyber defenses fail to protect sensitive data, maintain operational uptime and limit financial or reputational damage caused by cyber incidents. An investigation of the current landscape provides a valuable starting point for understanding both the gravity of trials facing today’s business climate and how to navigate threats to build resilience and improve business continuity.
A few months ago, there were multiple cases in which a single point of failure within a third-party software provider brought disparate industries to a temporary halt. In one instance, malicious threat actors targeted the software provider with ransomware and, as a result, impaired customer relationship management tools, financing, payroll, support and service, inventory and back-office operations for approximately 15,000 client operations.
Affected businesses are cumulatively expecting losses to exceed $1 billion,[2] which does not include the impact on the service provider or the estimated $25 million ransom that was paid to limit data loss.[3]
In a separate case of severe supply chain disruption, a security software provider issued a broken update to customers. While there was nothing malicious involved, more than 8 million users could not access their devices because of the process error.[4]
Both cases, while dissimilar in their particulars, offer a stark reminder that the information technology (IT) supply chain is vulnerable and fragile and that in some instances there is no foreseeable prevention. However, with a focus on preparation and enhanced resilience, individuals and organizations can be better equipped to withstand and recover from such technological trials.

Considerations for cyber risk preparation & development of cyber resilience
Businesses must be forward-looking and prepare for unknown cyber threats, which can be daunting and feel impossible. Having a robust and well-developed cyber program is a must in today’s technological era. But what does this entail?
A resilient and prepared organization is one built with a culture that prioritizes managing cyber risk. When constructing this culture, it is incumbent on executives and business leaders to promote and demonstrate cyber awareness; non-management team members should understand the basic components of cyber hygiene as well as their significant role in achieving organizational cyber maturity.
The two overarching goals of cyber maturity are enhanced visibility and sufficient preparation: Do you have visibility into all the devices and user activity on your network so you can monitor for both approved and suspicious behavior? Do you have an appropriate and effective incident response plan when something problematic is inevitably detected? While no infallible program exists to prevent all malicious threats or avoid costly insider breaches, visibility and preparation will go a long way to building lasting organizational resilience.
For those looking for guidance, proactive risk and vulnerability assessments offer valuable starting points. The first order of gaining optimal network visibility requires awareness of what devices, users and other technologies are connected to that network. Vulnerability scans, penetration tests, web application assessments and other examinations of your organization’s digital blueprint can provide a baseline for network activity while also identifying potential blind spots in need of patching or remediation. Addressing gaps in your business processes, policies or personnel regarding cyber readiness can help you better protect sensitive information, business-critical data and operational continuity.
These thorough assessments should extend to third-party service or software providers that in any way handle, store or maintain access to sensitive, business-critical data. Third parties are vital resources, necessary to help organizations develop and enhance market opportunities. In most cases, these relationships are mutually beneficial; however, there are associated risks. According to data published by the U.S. Securities and Exchange Commission (SEC) from a Security Scorecard study, 98% of companies are associated with a third party that has experienced a breach.[5] While this does not necessitate any significant downtime or data loss, there should be a healthy concern for the safety of working with distant third parties.
One reason for third-party risk is the lack of control of data flow. Third parties, in their scope of service provision, manage your data and accessibility to their systems. If a vendor fails to update their own software—or that of a third party with whom they contract—and succumbs to a security issue, or experiences a breach themselves, the repercussions will inevitably trickle down to the contractor and, in some instances, into the larger supply chain.
While these risks cannot be erased entirely, there are mitigation strategies contracting organizations can employ to limit potential negative consequences associated with third parties. Conducting a thorough risk assessment that includes vetting the relevant internal policies, historical efficacy and adherence to industry or regulatory compliance standards of any vendor that will have access to sensitive data will likely reveal gaps and vulnerabilities in their operations, which can then be addressed. This might mean working to ensure all data flowing to and from your business is encrypted or that additional resources need to be developed or contracted to enhance overall security posture, including 24/7 Security Operations Center (SOC) monitoring, the implementation of policies requiring strong passwords and MFA (multi-factor authentication), incident response planning, and general vulnerability management via risk assessments.
Furthermore, enhancing overall collaboration and communication with any third-party vendor can be beneficial. There is value in maintaining your agency when contracting for software or complementary services.
A recent report[6] published by global business consulting firm Protiviti further highlights both the perception and gravity of the challenges facing organizations regarding third-party vendors. In their “Executive Perspectives on Top Risks for 2024 and a Decade Later,” third-party risks are the fourth greatest concern this year and sixth projected for 2034. Cyber threats, which are inextricably linked, rank third this year and first for 2034.

Actively maintaining a focus on cyber resilience
Visibility into your entire digital environment is necessary but requires real-time response capabilities to be most effective. If you see something suspicious, it is imperative to interrupt and remediate it before something damaging occurs, like a threat actor deploying ransomware in your system or the exfiltration of massive amounts of sensitive data. Active monitoring, whether conducted in-house or outsourced through a third party, can help businesses detect anomalies, unauthorized access attempts and other malicious network activities. Visibility into such events, as well as their remediation if detected early enough, can be established down to the individual endpoint level, which is necessary for individual business and supply chain security.

Maintaining such capabilities 24/7 is paramount because threat actors do not operate on a set schedule and, with the enhancements of artificial intelligence (AI), businesses cannot afford to have gaps of time when their digital environment is unmonitored. This monitoring is also a function of daily operations for all employees. Regular security awareness and phishing and social engineering training for team members and contractors who ever have access to the larger network in any capacity is a valuable component of active cyber resilience.
Preparation for the inevitability of a cyber incident
Without regard to the quality and specifics of your cybersecurity program, no prescription will keep your organization 100% protected against all potential threats. It is incumbent on organizational leaders to have a well-developed and tested Incident Response and Recovery (IR) plan in place if something were to threaten business continuity or data loss.
Whether it is your business or that of a client, IR planning should encompass several key areas with the principal goals of reducing downtime, limiting data loss, maintaining organizational reputation and protecting revenue. First, the team responsible for coordinating the response to an active incident must have the capacity to isolate impacted systems. As soon as malicious activity is detected, affected systems should be disconnected from the internet and the rest of the network to limit spread and preserve evidence for any subsequent investigation. In coordination with isolating systems, it is critical to immediately change all passwords for network directories and any remote access solution. Failure to do so could allow a threat actor to return and further disrupt the environment.
In a significant number of attacks, a vulnerable remote access solution is leveraged. It is critical that you do not enable public internet access via remote desktop protocol (RDP) on any server or allow any unpatched virtual private networks (VPNs) back online. All software should be fully patched and updated, MFA enabled and credentials reset before bringing them or the network back online.
An additional essential step in Incident Response planning is to maintain contact with your cyber insurance provider and any remediation team throughout the incident response and recovery process. You shouldn’t feel like you have to resolve a cybersecurity incident on your own. Beyond that, there are various reporting requirements by which many businesses must abide regarding how and when to share information about a ransom payment, ransomware attack or loss of legally protected data.
When developing an Incident Response plan, there are several components to consider as soon as an incident is detected, including the personal response responsibilities of each organizational leader, whom to contact for assistance and how to manage backup systems so they are part of an unaffected network. Engaging in tabletop exercises as part of ongoing development and practice of the Incident Response process can help significantly improve how executive, technical and functional teams act when IR plan implementation is required.
All these preparation components are elements of a larger Incident Response program that, to be optimally effective, must be in place before anything significant or problematic were to occur.
Preparation is Key
The rapidly evolving cyber threat landscape necessitates a comprehensive approach to cyber risk management and resilience building. The myriad challenges underscore the importance of developing robust cybersecurity frameworks tailored to each organization’s unique needs. Fostering a culture of cyber awareness, ensuring visibility into all network activities and maintaining effective incident response plans are critical components of cyber resilience. Ultimately, while no system can guarantee complete immunity from cyber threats, a well-prepared organization can significantly mitigate risks and swiftly recover from incidents, thereby safeguarding its operations, reputation and bottom line.

Additional Insights
Security Operations Center (SOC): SOC is where the information from clients’ environments is collected and viewed by an analyst. This includes network monitoring; log management; threat detection and intelligence; incident investigation and response; reporting; and risk and compliance.
Non-malicious human error is a contributing factor in 68% of data breaches (Source: Verizon 2024 Data Breach Investigations Report).
1. World Economic Forum. “The Global Risks Report 2024 – 19th Edition”
2. Smith, Cristopher. “Dealers Are Set to Lose Nearly $1 Billion Over CDK Cyberattack”, MSN.com
3. Alspach, Kyle. “CDK Paid $25 Million Ransom To Expedite Recovery After Attacks”, CRN: 12 July 2024
4. Reuters. “Microsoft says about 8.5 million of its devices affected by CrowdStrike-related outage”, Reuters: 20 July 2024
5. Cyentia Institute and Security Scorecard Research Report. “Close Encounters of the Third (and Fourth) Party Kind”, Security Scorecard: 1 February 2023
6. Protiviti Global Business Consulting. “Executive Perspectives On Top Risks For 2024 and a Decade Later”, Protiviti.com
Understanding the surge of nuclear verdicts in liability claims
By Lisa Bellino | VP Claims Judicial and Legislative Affairs
Nuclear verdicts. The words seem so ominous. By definition, “nuclear verdicts” are those of $10 million or more. At this point, terms like “mega nuclear” and “thermonuclear” verdicts are quickly becoming common parlance as well, describing verdicts over $50 million and $100 million respectively. They are words used to describe a growing trend of staggering verdicts against corporate defendants. Understanding how and why these verdicts occur may help to mitigate them in the future.
Historically, less than 10% of civil cases actually go to trial. In some jurisdictions, it is as low as 1%. Yet, as depicted in the graph[1] below, except for the pandemic, the rising trend of nuclear verdicts continues.

Depending upon the jurisdiction, juries can be conservative or liberal in deciding both liability and damages. Most often, defense verdicts do not make headlines. Rather, the nuclear verdicts are what grab the public’s attention. Unfortunately, these outcomes desensitize the average American to the value of a dollar and often set the floor for the next verdict. Today, a verdict that would have seemed outlandish 20 or 30 years ago is instead mainstream and accepted by the public as the way things are.
There are several factors that are common to most nuclear verdicts. Jury demographics, corporate mistrust and jurisdictional influences are leading factors. The tactics used by the plaintiffs’ attorney during litigation also may lead to a nuclear verdict.
A jury’s make-up, or demographics, may steer the outcome of a trial so that the end result seems far from the facts of the claim. Today’s jury typically sees itself as the guardian of society which must protect the citizenry and do what it feels is just, rather than follow the judge’s instructions on the law. Recently, juries have been referred to as the “conscience of the community” and feel as if they are helping the “little guy” get justice. Mock juries and focus groups have been heard to say that corporations have a lot of money and need to learn a lesson or that paying an exorbitant verdict won’t even be a drop in the bucket for a company. Oftentimes, jurors know that insurance is involved in a trial and therefore feel as if no one is actually paying for the verdict, so insurance companies should be required to pay anyway.
Using the graph[2] inserted here, the three largest case types that garner these verdicts contain the three most targeted corporate defendants: trucking companies, construction companies and hospitals. Studies have indicated that post-COVID, juries are on average angrier than in the past and if that anger is stoked, higher verdicts will result.
Nuclear Verdicts by Case Type, 2013 - 2022

One way of leaning into that anger is a tactic known as the “reptile theory”. Plaintiffs’ attorneys use this tactic to urge the jury to make sure the defendant is punished for the plaintiff’s alleged damages. Sometimes, the tactic evolves into chastising the defendant for actually defending a case, so that the jury will punish the defendant for making the plaintiff wait to recover. If a piece of evidence, relevant or not to the case, is not retained, a plaintiff’s attorney may highlight that to demonstrate to the jury that the corporate defendant has something to hide. A defendant’s failure to fix what the plaintiff argues is integral to safety can also result in a large verdict. Given these factors, jury trials today are more unpredictable than in the past.
Jurisdictional influences also play a part in verdicts. Some jurisdictions are known to be more liberal than others when conducting trials or are known to sympathize more with the plaintiffs’ side of the case, therefore making it easier for a jury to find liability and award damages. These jurisdictions are highly sought after by plaintiffs’ attorneys who bring cases to those jurisdictions in an effort to garner larger awards. In many of those jurisdictions, punitive damages are easily assessed, and those damages can multiply a compensatory damage award significantly.
Finally, advertising is believed to play a large part in jury verdicts. When the average person sees commercials that slant definitions of the law, they sometimes believe it. Just like a catchy jingle that people get stuck in their head, a plaintiff’s attorney espousing a view of the law may also resound with a person sitting on the jury. Whether that view is a correct application of the law is a completely different story. Furthermore, these advertisements also announce nuclear verdicts to demonstrate how aggressive or successful the plaintiffs’ attorneys are. While these amounts may be diminished or nullified on appeal or never even collected, the effect of these numbers is to have the average citizen expect that this is now the norm rather than the outlier. These figures place an artificial floor for the next jury to use so that each jury compounds the effect of the previous.
It seems like the tides are against corporations, but there are ways to mitigate these nuclear verdicts.

- Wherever possible, claims assessments should be done without rose-colored glasses. Not everything that appears to be a defense or damaging to the plaintiff translates that way to a jury. Therefore, objectively looking at a claim may best serve to avoid a nuclear verdict.
- Keeping clear and consistent records may also prove valuable to the defense. This assists in retaining needed evidence and helps to explain why key evidence might not be available. Consider having a method in place for retaining evidence when necessary.
- Attorneys and jurors will check out your company’s website. What does it say about the corporation? Does it allow a plaintiff’s attorney to suggest that your company places profit over safety? Does your website list the community activities in which you are engaged or how you serve your customers? This type of communication may help to soften the corporation in the eyes of the jury.
- When asked for a corporate designee, the appointed person should not only understand the company well but should be able to answer the questions that are listed. Sometimes, that takes more than one person. Be willing to work with counsel to make sure that the hard questions are answered appropriately. Understanding your role in the lawsuit may help to stave off a nuclear verdict.
- Similarly, understanding the tactics that the defense counsel or your claim representative may wish to use is helpful. Ask questions to make sure that you have a grasp of where the case is going. For example, if counsel explains that the need to anchor is present, understand why so that you may follow the thought process and achieve the best outcome.
While there are no guarantees against a nuclear verdict, being prepared in the event of a lawsuit certainly assists in providing a strong defense.
Nuclear verdicts are only one by-product of social inflation. To learn more about this, feel free to reach out to Zurich’s Claims Judicial and Legislative Affairs group at usz_cjla@zurichna.com.
1. Marathon Strategies. “Corporate Verdicts Go Thermonuclear” report, page 5, MarathonStrategies.com
2. U.S. Chamber of Commerce Institute for Legal Reform. “Nuclear Verdicts: An Update on Trends, Causes, and Solutions,” May 2024