The recent shifts in the economy could cause far-reaching effects across industries, including the cyber insurance market. While nobody ever really knows what the economy is going to do, as a cybersecurity researcher focused on emerging risk, I’ve been thinking hard about what the continued financial chaos might mean for the threat landscape. If we were to enter a recession, for example, what should we expect in terms of cybersecurity implications—and what can we actually do about it?
In the sections that follow, I’ll walk through the possible ripple effects across defenders, attackers, the cybersecurity industry, and the public sector. We’ll close by looking at what this means for both CISOs and the cyberinsurance industry.
Hard times for defenders
We don’t tend to think of the stock market as tied to cyber risk, but the reality is that cybersecurity spending is a cost center, not a profit center. As such, when money gets tight, cybersecurity budgets can be pretty high up the list of things that get cut. For companies already underinvested in security, such budget trims will cause technical debt to pile up and potentially defer the procurement of new mitigations. Basically, as the risk in the meta-environment grows, there’s historical precedent for that risk tolerance being extended to cyberspace.
Fiscal challenges don’t stop at products or services. It’s also likely that we’ll see a slowdown in spending on “optional” expenditure. One example of this might be penetration tests for compliance increasingly going to the lowest bidder. While price isn’t necessarily correlated with efficacy, there is some truth to the expression “you get what you pay for”. We should be smart in our spending, but not forced onto a track where we routinely just buy the cheapest solution.
In addition to pullbacks in offensive security testing, there’s a concern that we may see some companies downsize cybersecurity teams — or at least defer backfills for staff who exit. These gaps translate directly into weaker defenses. While the current crop of AI assistants are very good, they’re not (yet) capable of wholesale replacement of security staff. Fewer people means less vigilance.
Lastly, I think in really fiscally tight environments — and if the current economic challenges turn into a full-fledged slowdown or recession, that’s what we’ll see — some companies won’t survive. And that leads to M&A activity and shutdowns. Both of these events can provide additional opportunities for attackers; merging networks is hard, making protection tricky. Similarly, bankrupt companies have data, and that data can be misused as it changes hands. Worse yet, this can play into supply chain risk, so insecurity or failure anywhere in the supply chain can quickly become your risk.
Given all these stressors, there’s a good argument that we’ll see an uptick in overall cybersecurity risks for defenders. (Re)insurers must stay ahead of these evolving threats.
A bounty for attackers
Of course, risk comes from both ineffective defense and heightened attacker activity. This is a familiar playbook. When the attackers’ prey gets spooked, phishing, pig butchering, and all manner of social engineering attacks become widespread. We observed this during the COVID-19 pandemic, and we see it with nearly every large news story. Mix in heightened levels of fear and confusion as people worry about money and the world is ripe for a wash of attacks.
In addition to this, we need to factor in issues around motivation. If America — rightly or wrongly — is perceived as the driver of a global stock market pullback, some nation states and unaffiliated hacker groups may well see this as justification for electronic retribution. And as we’ve previously observed, even nation state hackers sometimes double dip and fill their own pockets. Essentially, a ratcheting up of economic tensions in the world will inevitably motivate some attackers to apply the same reasoning to cyberspace. Moreover, such asymmetric conflict environments can be useful for those who wish to place pressure on the US without direct attribution. Do I expect this? Perhaps not at scale, but it is most definitely possible.
Cost control for the cybersecurity industry
Time for some difficult truths here — some of which we really don’t like to say aloud.
The first and biggest truth when it comes to the Cybersecurity industry is that the level of investment put into efficacy is usually not about maximizing protection; it’s about maximizing product returns. While we’d like to paint the industry as knights in shining armor, the truth is that it’s a business, just like any other. And just like any other business, it’s run with a firm focus on the bottom line. In a tighter economy with less free capital, it’s inevitable that these businesses will try to spend less on efficacy enhancements until a drop in efficacy hurts their business.
So just like traditional businesses who are looking to tighten the belt, the same is true for members of the cybersecurity community. Where this will likely hit hardest are those businesses who are working on reacting to attacker input: that is, the threat detection space.
The second ugly truth in the Cybersecurity industry is that most startups are grown using investor monies, and are heavily reliant on these funds for survival. If the meta-environment means less free capital (be that due to market fluctuations or rising inflation) that bodes poorly for investment in new cybersecurity startups, which in turn hurts innovation. Worse yet, even more mature startups, whose products are already in use by defenders, could find themselves unable to raise additional capital at acceptable terms. Such an outcome would be hugely detrimental to the cybersecurity world both today and in the future.
A smaller government
Lastly, we have to consider the role the US Government plays in helping buy down cybersecurity risk. Perhaps the best example of this is agencies like CISA (the Cybersecurity and Infrastructure Security Agency). There’s recently been lots of talk about cuts to the agency, something that should worry every defender.
Part of CISA’s work includes the Known Exploited Vulnerabilities (KEV) catalog – an updated catalog of vulnerabilities that attackers are known to target. As such, when a vulnerability ends up on the KEV, it’s a huge indicator that you should patch it as soon as possible. KEV is only a small part of CISA’s mission — and all of it helps reduce cyber risk both in the USA and worldwide. Regardless of one’s opinion about upcoming cuts at CISA, we should be able to agree that these will materially reduce the amount of protection CISA affords us. Many defenders may not realize how much good these programs do holistically, but they will feel the results.
Cuts to other stakeholders within the government will also contribute to an overall increase in risk. For example, the FBI Cyber Division plays an important role in helping drive down larger cybersecurity threats. Law enforcement agencies in general have struggled to deal with cybercrime, and funding cuts and changing priorities will only exacerbate this.
In addition, there’s the whole problem around cyber policy. Will the US government become so distracted by internecine wars that they’ll deprioritize making advances in laws that help preserve the privacy and security of every user on the Internet?
Lastly — and most certainly not least — there’s critical infrastructure to secure. This task goes beyond the Federal government, and also involves state legislatures who are often responsible for critical infrastructure locally. Combined, these issues all point strongly towards a more “risk on” approach to cybersecurity.
Quantifying risk in a Brave New World
The environment is a big part of security. It surrounds us, and drives security outcomes through attackers, defenders, the cybersecurity industry at large, and the government. Unfortunately, everything coming together all at once looks sure to raise the overall threat profile worldwide.
As someone who helps quantify risk for a living, this is challenging, but not impossible. The basics of cybersecurity risk management remain the same, so the indicators of risk themselves won’t change. However, the frequency and severity of these risks will. The hard part is figuring out by how much. While we’re in uncharted territory in the Big Picture, we do have some previous experiences to draw from.
As an example, consider an attack that involves a piece of malware targeting a specific vulnerability. First, defenders may not be aware of the vulnerability, as a smaller, less funded CISA may well be updating the KEV less frequently. Similarly, stretched anti-malware detection solutions may see delays in protection, as they try to “do more with less”. Finally, gaps in the defenders’ team may mean indications of compromise are missed, leading to a larger impact. Note here that the scenario itself hasn’t changed; rather, the probability of failure at each step has increased, which leads to more damage, even if the threat level remains constant. The trick is to get a good magnitude for the changes we expect to see.
It’s worth noting that even though I’ve focused on the US, many drivers of these cybersecurity risk increases are global in nature. If the US economy does contract, it will drag everyone down with it. Similarly, US companies are not the only ones that rely on CISA’s KEV. For almost every risk cited here, there’s an international component. What's more, risk isn’t — and never will be again — singular in nature. That is, there’s a certain holism that means that risk going up somewhere else drives up risk here.
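To make the "same scenario, higher failure probability at each step" point concrete, here is a small model I have added as an illustration; it is not code from the article or from any risk-modeling product. The three checkpoints, the threat rate, the loss per breach and the stress factors are all constructed assumptions chosen to show the compounding effect, not measurements.

```python
"""Toy chain-of-failures model for the scenario described in the text.

A fixed threat (malware exploiting one vulnerability) has to get past three
defensive checkpoints. Each checkpoint fails with some probability, and the
attack does full damage only if every checkpoint fails. All numbers below are
constructed for illustration; they are not measurements.
"""

from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Checkpoint:
    """One defensive step that may fail to stop the attack."""
    name: str
    p_fail: float  # assumed probability that this control misses the attack


# Constructed baseline: the three steps named in the scenario above.
BASELINE = [
    Checkpoint("vulnerability unknown (KEV not yet updated)", 0.30),
    Checkpoint("anti-malware misses the sample", 0.20),
    Checkpoint("SOC misses the indicators of compromise", 0.25),
]

THREAT_RATE = 4.0          # assumed attack attempts per year (constructed)
LOSS_PER_BREACH = 250_000  # assumed loss if all three steps fail (constructed)


def breach_probability(chain):
    """P(attack succeeds) = product of per-step failure probabilities.

    Independence between steps is assumed; correlated failures (e.g. one
    under-staffed team owning two steps) would make the real number worse.
    """
    return prod(c.p_fail for c in chain)


def expected_loss(threat_rate, chain, loss_per_breach):
    """Annualised expected loss = attempts * P(all steps fail) * loss."""
    return threat_rate * breach_probability(chain) * loss_per_breach


def stress(chain, factor):
    """Degrade every checkpoint by multiplying its failure probability.

    This is the 'same scenario, weaker defenses' case: the threat is unchanged,
    only each step's chance of failing rises (capped at certainty).
    """
    return [Checkpoint(c.name, min(1.0, c.p_fail * factor)) for c in chain]


def compare(threat_rate, chain, loss_per_breach, stress_factor, loss_factor):
    """Compare baseline against a stressed environment.

    stress_factor raises each step's p_fail; loss_factor models the larger
    impact of a breach that is detected later (longer dwell time).
    """
    stressed = stress(chain, stress_factor)
    base = expected_loss(threat_rate, chain, loss_per_breach)
    worse = expected_loss(threat_rate, stressed, loss_per_breach * loss_factor)
    return {"baseline": base, "stressed": worse, "ratio": worse / base}


if __name__ == "__main__":
    result = compare(THREAT_RATE, BASELINE, LOSS_PER_BREACH,
                     stress_factor=1.2, loss_factor=1.25)
    print(f"P(breach) baseline: {breach_probability(BASELINE):.4f}")
    print(f"P(breach) stressed: {breach_probability(stress(BASELINE, 1.2)):.4f}")
    for key, value in result.items():
        print(f"{key:>9}: {value:,.2f}")
```

The useful lesson is in the ratio: a 20% degradation at each of three independent steps compounds to 1.2³ ≈ 1.73 times the breach probability, and a modest 25% rise in per-breach impact from slower detection pushes the expected loss to roughly 2.16 times baseline, with the threat rate held constant throughout. Swap in your own checkpoints and estimates; the structure, not the constructed numbers, is the point.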
Gain a better understanding of your risk
As a defender, I do think the current environment will begin to seriously degrade the state of cybersecurity if it remains in place, but quantifying this is hard. What you can and should do is have real ROI-based conversations with other executives about what risks you are able to accept and what risks are a step too far. In addition, try to view security as a business enabler rather than a cost center. That requires more than just a trite rebranding of your role, but a reimagining of how security should function within your organization.
Try to think hard about what would signal cyber risk rising. Are you measuring, as best you can, the efficacy of the solutions you’ve deployed? Can you track when the overall picture is getting worse? Are you carefully monitoring the financial health of your critical vendors? All these things and more are going to matter to you. Similarly, have data to support your perspective around what you can cut, if push comes to shove, versus what is truly non-negotiable.
If you're a CISO, now is the time to sharpen your metrics, trim the fat without cutting bone, and make sure your executives understand that security is a long-term investment in resilience—not a discretionary cost. The coming months may not give us time to catch up.
The impact for cyber insurance
For those in the cyber insurance space, I think the important thing here is to realize that change has always been a constant in cybersecurity. Some of this is baked into the modeling that we already do today to quantify risk. Some of it is new. That’s just how cyber works.
Additionally, I think an analogy here will help. When we look at the world, we can think about the climate and the weather. The weather is what’s happening right now, what you see when you look out of the window. The climate relates to longer trends and probabilities. Just like La Niña increases the probability of Atlantic hurricanes, the factors I’ve outlined increase the probability and impact of certain events. It doesn’t mean they will actually happen. Should we enter a real economic downturn, the cybersecurity climate has a chance of shifting and driving more losses; one might expect loss ratios to rise due to systemic changes. However, it doesn’t mean they will.
In insurance, then, now is the time to start asking questions and to make sure you are well aligned with your view of cyber risk. Engage with your risk partners now, just in case: heightened vigilance is a more appropriate action than outright change today. Be ready, but don’t over-react.
As Yogi Berra allegedly once said, “Prediction is hard, especially about the future.” As such, we can’t know what is going to happen, but we can at least be prepared.