Sedgwick CISO warns that business continuity is falling behind evolving cyber threats.

Business continuity plans are struggling to keep up with the fast-changing world of cyberattacks, says Eric Schmitt, chief information security officer at Sedgwick. He explains that many companies confuse business continuity with disaster recovery. Business continuity is about keeping the business running, while disaster recovery focuses on the technical side of fixing systems.

Schmitt points out that cyber attackers no longer target companies directly. Instead, they go after third-party vendors or service providers, who often have weaker security. This way, attackers find an easier path into large organizations that otherwise have strong protections.

The idea of what counts as critical infrastructure is changing too. It’s not just power plants or water systems anymore. Now, any industry holding sensitive data, including logistics, insurance, entertainment, and claims management, is seen as critical. This shift has made many new sectors more vulnerable to cyber threats.

Cybercriminals have also become smarter, using artificial intelligence and open-source information to quickly gather detailed profiles on targets. Schmitt’s team once used AI to create a full profile of Sedgwick, including its supply chain, in just seven minutes. Attackers even use stolen insurance data to guess how much ransom money a company can pay, aiming for bigger payouts by hitting insured businesses.

Insurers are responding by tightening cyber liability policies. Discussions about war exclusions have grown more intense, especially after incidents like NotPetya, shifting how policies deal with cyber conflicts linked to geopolitical issues. Companies now face stricter requirements, and if they don’t meet certain basic controls, their insurance might not cover them.

Rather than replacing security spending, insurance is pushing companies to improve their defenses. Schmitt says insurers are setting baseline controls for industries that weren’t regulated before.

Cybersecurity is also becoming a big topic in boardrooms. Boards are treating it as a core business risk, not just a technical issue. They meet more often, review cyber reports quarterly, and get more involved in incident response planning. Cybersecurity metrics once kept in technical reports are now part of bigger business risk discussions.

Given how quickly attackers change tactics and the limits of insurance coverage, Schmitt stresses that companies need stronger oversight, tighter controls, and better visibility across their entire supply chain to truly stay resilient against cyber threats.

Author

Sophia Langley runs real-life budget scenarios to recommend coverage mixes that protect households without sinking their monthly finances.