Zurich expands cyber offerings for federal government contractors

Cyber and Technology | Article | September 17, 2024

Middle Market business unit adds menu of services from SpearTip, a Zurich cyber solutions provider, to help defense contractors meet evolving cybersecurity requirements.

Zurich North America’s Middle Market business unit has further tailored its offerings for federal government contractors (FGCs) to include a menu of focused cyber risk mitigation solutions, at a time when the U.S. Department of Defense is working to finalize updated cybersecurity requirements for its suppliers. Zurich’s cyber solutions will be provided by SpearTip, a Zurich Resilience Solutions (ZRS) cyber services company.

It’s another example of how Zurich, which has been working with federal government contractors for decades, continually listens and leverages its wide range of capabilities to meet customers’ evolving needs.

“The addition of SpearTip services to our menu of offerings for federal government contractors is timely and relevant for many reasons,” said Erin Terpack, Head of the Technology and Manufacturing Industry Practice for Middle Market at Zurich North America. “One is that many Middle Market defense contractors will need to comply with expanded cybersecurity requirements in the near future.”

The Department of Defense (DoD) is finalizing new Cybersecurity Maturity Model Certification (CMMC) 2.0 standards that will require not only large prime contractors but also many smaller subcontractors to follow specific cybersecurity protocols and controls if they want to do business with the DoD. Examples of companies that could be impacted are those that provide software or hardware for the military, or for research and development, as well as other companies that handle or store federal contract information that is not intended for public release. The timeline for implementation of the updated CMMC standards has not been announced, but the final rule is expected in early 2025.

SpearTip, founded in 2005 by a former U.S. Army Counterintelligence Special Agent, became a Zurich company in late 2023. SpearTip specializes in providing cyber risk mitigation services that can fill critical gaps for midsize businesses that may not have an in-house risk manager or extensive cybersecurity team on staff.

“Federal government contractors navigate complex opportunities, requirements and risks, and many are midsize companies that may not have the resources of larger corporations,” said Trey Warman, Director of the Federal Government Contractors Industry Practice for Middle Market at Zurich North America. “By adding a focused menu of cybersecurity solutions to our range of insurance coverages, Zurich can continue to be that holistic solution provider that helps simplify and demystify risk management for our customers.”

Strengthening cybersecurity across the Defense Industrial Base has become a focus of the Department of Defense as cyberattacks become more frequent and complex, while systems increasingly integrate digital technologies and become more intertwined.

“The impending update to CMMC requirements recognizes that cyber criminals aren’t just targeting large prime contractors but also smaller subcontractors that may supply components and other inputs to larger defense contractors,” said Jarrett Kolthoff, Head of Cyber for Zurich Resilience Solutions and founder of SpearTip. “We can help these contractors take important steps toward complying with the impending rules and keeping data secure, maintaining their eligibility to bid on contracts, protecting their reputation and providing broader benefits to their resilience.”

Some federal government contractors use a government or client computer network higher on the supply chain, sometimes called a SCIF in military parlance (for “sensitive compartmented information facility”), to perform their work for the government. These companies may not be publicly traded and may not be subject to reporting requirements if they experience a breach or other cyber event. This is one reason that many may not have the same level of cybersecurity controls as some larger contractors. But “ladder climbing,” where threat actors work to penetrate cyber defenses lower on the supply chain, sometimes as an entry point to networks or data higher on the chain, is becoming a bigger concern.

“Third-party security risk is getting to be a bigger focal point,” Kolthoff said. “That’s why the new CMMC 2.0 standards are reaching farther down the supply chain. There’s increasing recognition that smaller targets are just as vulnerable.”

SpearTip employs an in-house team of cyber risk specialists who can provide objective assessments of businesses’ cybersecurity posture and unique threat environment, with consultative support to strengthen overall cyber resilience. SpearTip services available to federal government contractors include:

  • Cybersecurity gap analyses and compliance reviews that can include vulnerability scanning and penetration testing.
  • Virtual CISO services that can include consultation on cyber policy creation and incident response plans, such as helping to design a roadmap for CMMC 2.0 compliance.
  • Design and execution of tabletop exercises to practice and refine incident response plans and increase resilience to evolving threats.
  • 24/7 monitoring of systems through SpearTip’s Security Operations Center (SOC) service.
  • Security awareness training on phishing and other threats, because people remain a primary vulnerability for infiltration of ransomware and social engineering attempts.

Perceived cost of cybersecurity improvements has been a barrier for many smaller businesses, including federal government contractors.

“Although concessions are being considered by the DoD to help small businesses comply with requirements for third-party assessments, potential costs of compliance remain a major concern for smaller companies with limited resources,” Warman said. “Many small to mid-size companies don’t think of looking for support and guidance from insurance carriers or may not be aware of resources such as grant funding that may be available for some cyber resilience initiatives.”

The U.S. federal government is the single largest consumer in the world, procuring a range of goods and services, from aircraft to medicines to software, through a vast network of contractors and subcontractors in their supply chain. In Fiscal Year 2023, the federal government committed about $759 billion on contracts, an increase of about $33 billion from the prior year, according to the U.S. Government Accountability Office.

This article is intended to provide a general description of certain types of managed security services, including incident response, continuous security monitoring, and advisory services, available to qualified customers through SpearTip LLC. SpearTip LLC does not guarantee any particular outcome. The opinions expressed herein are those of SpearTip LLC as of the date of the release and are subject to change without notice. This document has been produced solely for informational purposes. All information contained in this document has been compiled and obtained from sources believed to be reliable and credible, but no representation or warranty, express or implied, is made by Zurich Insurance Company Ltd or any of its affiliated companies (collectively, Zurich Insurance Group) as to their accuracy or completeness. This document is not intended to be legal, underwriting, financial, investment or any other type of professional advice. Zurich Insurance Group disclaims any and all liability whatsoever resulting from the use of or reliance upon this document. Nothing express or implied in this document is intended to create legal relations between the reader and any member of Zurich Insurance Group. Certain statements in this document are forward-looking statements, including, but not limited to, statements that are predictions of or indicate future events, trends, plans, developments or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by numerous unforeseeable factors. The subject matter of this document is also not tied to any specific service offering or an insurance product nor will it ensure coverage under any insurance policy. No member of Zurich Insurance Group accepts any liability for any loss arising from the use or distribution of this document. 
This document does not constitute an offer or an invitation for the sale or purchase of securities in any jurisdiction.