Zurich expands cyber offerings for federal government contractors
Cyber and Technology | Article | September 17, 2024
Zurich North America’s Middle Market business unit has further tailored its offerings for federal government contractors (FGCs) to include a menu of focused cyber risk mitigation solutions, at a time when the U.S. Department of Defense is working to finalize updated cybersecurity requirements for its suppliers. Zurich’s cyber solutions will be provided by SpearTip, a Zurich Resilience Solutions’ (ZRS) cyber services company.
It’s another example of how Zurich, which has been working with federal government contractors for decades, continually listens and leverages its wide range of capabilities to meet customers’ evolving needs.
“The addition of SpearTip services to our menu of offerings for federal government contractors is timely and relevant for many reasons,” said Erin Terpack, Head of the Technology and Manufacturing Industry Practice for Middle Market at Zurich North America. “One is that many Middle Market defense contractors will need to comply with expanded cybersecurity requirements in the near future.”
The Department of Defense (DoD) is finalizing new Cybersecurity Maturity Model Certification (CMMC) 2.0 standards that will require not only large prime contractors but also many smaller subcontractors to follow specific cybersecurity protocols and controls if they want to do business with the DoD. Examples of companies that could be impacted are those that provide software or hardware for the military, or for research and development, as well as other companies that handle or store federal contract information that is not intended for public release. The timeline for implementation of the updated CMMC standards has not been announced, but the final rule is expected in early 2025.
SpearTip, founded in 2005 by a former U.S. Army Counterintelligence Special Agent, became a Zurich company in late 2023. SpearTip specializes in providing cyber risk mitigation services that can fill critical gaps for midsize businesses that may not have an in-house risk manager or extensive cybersecurity team on staff.
“Federal government contractors navigate complex opportunities, requirements and risks, and many are midsize companies that may not have the resources of larger corporations,” said Trey Warman, Director of the Federal Government Contractors Industry Practice for Middle Market at Zurich North America. “By adding a focused menu of cybersecurity solutions to our range of insurance coverages, Zurich can continue to be that holistic solution provider that helps simplify and demystify risk management for our customers.”
Strengthening cybersecurity across the Defense Industrial Base has become a focus of the Department of Defense as cyberattacks grow more frequent and complex, and as systems integrate more digital technology and become more interconnected.
“The impending update to CMMC requirements recognizes that cyber criminals aren’t just targeting large prime contractors but also smaller subcontractors that may supply components and other inputs to larger defense contractors,” said Jarrett Kolthoff, Head of Cyber for Zurich Resilience Solutions and founder of SpearTip. “We can help these contractors take important steps toward complying with the impending rules and keeping data secure, maintaining their eligibility to bid on contracts, protecting their reputation and providing broader benefits to their resilience.”
Some federal government contractors perform their work for the government on a government or client computer network higher on the supply chain, sometimes called a SCIF in military parlance (for “sensitive compartmented information facility”). These companies may not be publicly traded and may not be subject to reporting requirements if they experience a breach or other cyber event. This is one reason that many may not have the same level of cybersecurity controls as some larger contractors. But “ladder climbing,” where threat actors work to penetrate cyber defenses lower on the supply chain, sometimes as an entry point to networks or data higher on the chain, is becoming a bigger concern.
“Third-party security risk is getting to be a bigger focal point,” Kolthoff said. “That’s why the new CMMC 2.0 standards are reaching farther down the supply chain. There’s increasing recognition that smaller targets are just as vulnerable.”
SpearTip employs an in-house team of cyber risk specialists who can provide objective assessments of businesses’ cybersecurity posture and unique threat environment, with consultative support to strengthen overall cyber resilience. SpearTip services available to federal government contractors include:
- Cybersecurity gap analyses and compliance reviews that can include vulnerability scanning and penetration testing.
- Virtual CISO services that can include consultation on cyber policy creation and incident response plans, such as helping to design a roadmap for CMMC 2.0 compliance.
- Design and execution of tabletop exercises to practice and refine incident response plans and increase resilience to evolving threats.
- 24/7 monitoring of systems through SpearTip’s Security Operations Center (SOC) service.
- Security awareness training on phishing and other threats, because people remain a primary vulnerability for infiltration of ransomware and social engineering attempts.
Perceived cost of cybersecurity improvements has been a barrier for many smaller businesses, including federal government contractors.
“Although concessions are being considered by the DoD to help small businesses comply with requirements for third-party assessments, potential costs of compliance remain a major concern for smaller companies with limited resources,” Warman said. “Many small to mid-size companies don’t think of looking for support and guidance from insurance carriers or may not be aware of resources such as grant funding that may be available for some cyber resilience initiatives.”
The U.S. federal government is the single largest consumer in the world, procuring a range of goods and services, from aircraft to medicines to software, through a vast network of contractors and subcontractors in its supply chain. In Fiscal Year 2023, the federal government committed about $759 billion on contracts, an increase of about $33 billion from the prior year, according to the U.S. Government Accountability Office.