The nature of cyber threats is evolving rapidly, and in some ways they resemble the common cold: they change constantly and are difficult to protect against.
The attacks themselves vary widely. They may target a business’s intellectual property or customer data, or aim at causing maximum disruption, as a distributed denial of service (DDoS) attack does.
The good news is that the awareness of the threats is evolving too, and businesses finally understand the consequences of suffering a data breach.
Modern cyber threats pose three unique challenges. First, they are intangible, so understanding the nature of the risk exposure is a real challenge for insurers; this is compounded by a lack of trusted insight into the frequency and severity of attacks.
Secondly, cyber threats are systemic: a single attack can have many consequences, and threats can quickly propagate throughout networks, even across geographical borders.
The third component is that cyber threats are still generally human driven, whereby those planning an attack will study the defences in front of them and try to circumvent them – so it is always a battle to stay one step ahead of the threat.
Another big problem for the industry is how to value any potential payout. It is no longer a physical entity – such as offices or stock – that is being insured, but the data itself. So the nature of the potential loss is difficult to pinpoint.
A question of time
The nature of how insurance policies should be sold was also a point of concern for attendees. As cyber insurance policies have become more popular, brokers are finding it increasingly difficult to find the time to actually visit a customer’s site to provide a proper risk assessment.
Much is having to be done via a checklist and taken as read by the insurers, but mistakes or misunderstandings can happen. Whilst a site visit would always be preferable, it is only really practical with the biggest clients. Yet, this is an issue that needs to be solved as most of the interest in cyber insurance is from medium-sized businesses.
A topic of intense debate revolves around where the onus of education falls. Some feel that the insurers should be educating businesses, whilst others feel that it is businesses themselves that need to drive the insurance industry to provide such cyber policies.
The industry needs to improve how it shares data and the government needs to enforce this, albeit on an anonymised basis. The industry needs leadership from the government, a legislative force, and access to detailed data and research so that premiums can be better set.
The insurance industry is already talking to government about how the industry can drive resilience against cyber attacks. One thing they could do is target big multinational companies with a substantial supply chain (such as the large supermarkets): if those companies implemented cyber insurance policies, the requirement would filter down through the supply chain to their various suppliers and partners.
Putting a price on failure
The insurance industry needs to collectively set premiums that truly reflect the risk, but how do you put a price on a breach? Unfortunately, there is no quick fix.
The challenge is to achieve an objective measurement of the true costs incurred following a breach. By working with the infosec industry, insurers can more accurately calculate a risk profile and the potential impact cost of different events.
This education would not only benefit the insurance industry but the companies themselves, as business will be encouraged to mitigate the risk by being given an incentive to do so. For example, a specific regulatory regime might force certain types of businesses to purchase cyber insurance.
Recent worrying research highlighted the disparity between the perception of CEOs as to their cover, and the reality. Of those CEOs in large organisations surveyed, over half (52%) thought they had suitable insurance to be covered in the occurrence of a breach, whilst risk professionals said only 15% were in reality, and insurers themselves estimated the number with applicable cover to be only 2%.
Uncertainty and ambiguity are the biggest issues with any type of insurance policy. The industry needs to appreciate that businesses want one single integrated insurance policy that covers everything needed to protect the business, and that cyber insurance is a component of that.
If policies are split by occurrence, or even worse by provider, then you will reach a stage where each insurer is pointing the finger at the other, or, worse still, the business’s cover could simply fall through the cracks between the policies.
There is no doubt as to the severity of the business interruption caused by a cyber attack, and the ever-expanding digital world and the Internet of Things mean that the risk of exposure is growing exponentially. The insurance industry needs to act now to be able to cope with this coming wave.
Sourced from Kirill Slavin, GM of UK&I at Kaspersky Lab