Posted in:

Cyber insurance: policy decisions

If you want to be insured against losses from cyber attacks, ensure that your organisation can pass an insurer’s security ‘fitness tests’, reports James Hayes

Cyber insurance – also known as cyber risk insurance – has put insurers and insured on a major learning curve. Although this basic proposition seems to be straightforward, policies designed to recompense enterprises for damages due to cyber attack can prove complex and difficult to get right.

In its report Insurance 2020 and Beyond, consultancy PwC points out that cyber risk ‘is not like any other risk insurers and re-insurers have ever had to underwrite… While underwriters can estimate the likely cost of systems remediation with reasonable certainty, there isn’t enough historical data to gauge further losses resulting from brand impairment or compensation to customers, suppliers and other stakeholders’.

For governance officers, cyber insurance assessment can highlight contentious questions over cyber ‘defence spending’. But the variable factors and grey areas that are known to exist have not deterred insurers or their customers from driving market growth. For enterprises, cyber insurance entails yet another exercise in in-depth cyber self-examination.

Unlike other forms of enterprise insurance, there are few ‘known-knowns’ when it comes to the assessment of cyber threats. It’s almost impossible to anticipate with any reliable degree of certainty, where threats are going to spring from, and the size of their damage impact zone. Yet, it’s also a market that insurers reckon will provide them with considerable future value.

Analyst Allied Market Research forecasts that the global market is expected to garner $14bn by 2022, registering a CAGR of nearly 28% through to 2022. The threat landscape is continually evolving; the nature of business operations means that new threats and vulnerabilities may emerge by the week.

Cyber insurers routinely require that applicants for coverage are assessed to see how well their current defences would stack up in the event of an attack. Value judgements based of the evidence of security audits often throw up moot points, like known vulnerabilities that would cost more money to fix than would likely be lost were they exploited in an attack.

“Calculation of cyber risk is substantially different from calculating typical commercial risks,” says Paul Mang, General Manager-Analytics & Data Services at Guidewire. “Cyber risks constantly evolve because of the pace of technological evolution. This means that data often needs to be collected in a dynamic, real-time manner for insurers to keep pace with ever-changing threat vectors.” This sets a demanding new challenge for auditors.

Nonetheless, it’s clear that cyber insurance “is important and needed,” acknowledges Sharon Besser, VP Products at Guardicore. “Like other types of insurance, cyber insurance allows you to engage more capital to run the operation… Without insurance, targeted organisations [would have to] set aside large amounts of money to cover potential financial consequences of risk exposure, should they come to pass.”

Attack attribution is at the heart of Threat Intelligence that’s often a decisive factor when settlements are made – it’s the incriminatory evidence that indicates likely culprits behind an attack. Intelligence that customarily provides the evidence in support of cyber insurance claims. It’s also a contentious area of Threat Intelligence, because even when it does seem clear who is behind an attack, that information itself has to be validated against the possibility of false trails, track covering, and other subterfuge an attacker has left.

Attackers are dastardly, and the avoidance of attack misattribution is important for insurance claim validation, and also to avoid legal action in the event of a mistaken allegation caused by attackers that give the impression of being some other party.

“We have seen numerous cases where cyber outlaws and terrorists penetrated legitimate networks in order to launch attacks,” reports Sharon Besser at Guardicore. “Let’s imagine that as a preventive action, the targeted organisation shut down its network and the organisation’s services. If the insurance policy is ambiguous, then such an act could be used by the insurer to reject a claim for losses.”

“Accurate attack attribution will be an important part of defining policy payout terms. More important, however, will be that organisations are actively involved in corresponding cyber risk reduction programs that affect their policy terms and pay-out terms, with their insurance providers,” explains Matthew McKenna, Vice-President EMEA at SecurityScorecard. “It will be finding that ideal balance between financial risk transference from the policy and having to proactively engage in risk reduction programs as part of the policy that will result in the overall reduction of contested claims [as things play out] over the longer term.”

Attack attribution is decisive factor

Nation state threat actors have employed a wide variety of measures to obfuscate their actions including implanting false code, hijacking infrastructure, and recruiting spies to run cyber operations, says Paul Mang at Guidewire. “In addition, nation state cyber weapons are often repurposed by hacktivists and other hackers,” Mang adds, so it can be very hard – if not impossible – to determine which suspect party is really behind an attack.

“As nation states [home and foreign] get more involved in regulation and even technical controls, and the insurer offers to cover residual risk, the roles and responsibilities of the individual business become less clear,” says Charl van der Walt, Chief Security Strategy Officer at SecureData. “Ultimately, insurers are learning from these incidents, and have the necessary experience to find a balance between their premiums and their policies, and so will –eventually – develop offerings that strike a reasonable balance that proves attractive to their given target market. “Until then, the tension and uncertainty in the market will probably continue.”

According to Guidewire’s Paul Mang, “The cyber landscape is such that some nation states are frequently attacking each other. However, these nation states have employed a wide variety of measures to obfuscate their actions, including implanting false code, hijacking infrastructure, and recruiting spies to run cyber operations.” In addition, nation state cyber weapons are often repurposed by hacktivists and other types and groups of hackers.

“Finally, forensic analysis on human actors in a technical system is an imperfect science because of the multiple layers of complexity and the sheer volume of information to review,” Mang adds. “Because of these factors, it is extremely difficult to definitively prove [that a given] nation state was responsible for any specific attack.”

We’ll see insurers “running their own risk audits.” predicts Guardicore’s Besser, “or use tech solutions to assess [a potential client’s] organisation’s situation, before pricing, approving or denying coverage.”

“Cyber risk insurance providers are currently investing in multiple forms of telemetry, risk modelling, and other tooling, which helps them manage the pricing of their policies and eventually how claims are paid out,” says Matthew McKenna at SecurityScorecard. “In respect to nation state threat actors, it will certainly be within the realms of possibility if it doesn’t already exist that policies will be created for these eventualities. Cyber warfare of government against global enterprises is commonplace, and should be taken into consideration as part of policy alternatives.”

Business would be “attracted to the route of security compliance and cyber insurance, which promises a predictable balance between [security] investment and the maximum downside risk they’re exposed to,” says van der Walt at SecureData. “While this is attractive financially, it might lead to a situation where ‘best practice’ becomes the only practice – and that might not be sufficient in light of increasingly well-funded, `motivated and brazen adversaries.”