The latest insights from Altus Consulting, this time from Aaron Cain, Cyber Consultant. It’s time for insurers to think about risk in global terms and as a kind of asymmetrical warfare.
Held in November this year, Lloyd’s first Cyber Summit is shaping the market’s conversation on Cyber Risk. That conversation continually adapts to the exponential growth of cyber threats and threat actors around the world.
To understand why cyber is of particular interest to Lloyd’s as a ‘risk market’, it’s necessary to understand what’s being protected by insurers, the threats to those protected assets and how the threat landscape is changing.
The evolution of assets being insured against cyber risk…
Up to 10 years ago, most companies defined their IT perimeter as the infrastructure contained within their premises, with the odd addition of web-hosted servers or the occasional remote datacentre. Given the ability to isolate and protect assets within the campus(es), cyber exposure was quantifiable and insurers, including Lloyd’s, could readily judge the risks of providing cyber cover.
Moving forward to today, the perimeter of the organisation varies with the location of processing services, hybrid working policies and a potentially geographically dispersed workforce. Organisations now need to protect systems and services regardless of where they run, who operates them or where the requester sits; the data traffic connecting widely dispersed resources and users; and access to resources, controlled by authentication and authorisation of the requester. Cyber risk assessments have increased in complexity as a result of this new world of decentralised infrastructure.
The changing nature of cyber threats…
There is an ever-expanding pantheon of cyber-attacks. We are all familiar with Denial of Service, where threat actors flood a company’s online services with so many requests that genuine requests are delayed or the entire web infrastructure collapses. Also in the modern lexicon are Ransomware attacks, where hackers enter the corporate infrastructure and encrypt systems, offering a decryption key to allow recovery in exchange for a ransom payment.
As cyber threat mitigations have matured, hackers have diversified their portfolios. Data exfiltration attacks steal a corporation’s ‘crown jewels’ and blackmail it with the threat of publishing the stolen information. Open source software flaw exploitation identifies errors or weaknesses in freely available application code and uses them to break into businesses, either directly or via companies in their supply chains. Redirection tactics infect browsers and domain name services to send users to ‘evil twin’ sites when they attempt to access legitimate sites, allowing credentials to be harvested. Wiperware attacks destroy everything the attacker can reach within the system, network segment or cloud instance, leaving the company needing a complete rebuild of its infrastructure in order to recover.
Hackers are said to be diversifying their portfolio, rather than replacing it, because existing attack methods continue to be used no matter what mitigations or defences are available. Legacy platforms are typical in many industries, but particularly in finance. For example, flaws in Windows 98 led to its sunset and replacement with newer versions of Windows. Attacks against Windows 98 would have been consigned to the software dustbin, until hackers realised that certain medical devices embedded deep within hospitals are controlled by Windows 98 with no option to upgrade to newer Windows versions.
Windows Server 2003 and 2008 can still be found integrating complex infrastructures and bespoke mainframe systems. Boards invest in shiny new technologies that promise the next great business enhancement, but convincing business leaders to invest heavily in upgrading a working system can be a real challenge!
The constantly shifting cyber landscape…
Insurers such as Lloyd’s, who, amongst others, underwrite the business world’s cyber policies, have a hard enough time with continually changing infrastructures and evolving cyber threats, but that is only part of the problem. They can observe and map centralised or decentralised organisational infrastructures. Threat intelligence delivers attack patterns and available mitigations. The next component of the risk calculation is understanding the attackers and their motivations.
Any grouping of hackers and their motivations is going to be incomplete, because human nature is divergent. However, we can identify some rough characteristics of the individuals who cause damage in some form to the business. To start, consider that employees can make unintentional mistakes, be negligent or even be malicious. While humans are in the risk equation, there are going to be unknowns. Next, we have the so-called “script kiddies”. It is a useful term for those with limited skills, perhaps few advantages in life, who think the only way out of their situation is to take something from anyone who is better off.
Better skilled are the “unethical hackers”, who have more technical knowledge and, again, a desire to improve their existence by stealing from people, businesses and organisations. A twist on the hacking ethos is the ‘hacktivist’, who breaks the law based on some real or perceived fault in the targeted organisation. Sometimes groups of hackers form consortia to pool their skills and bring a more corporate framework to their stealing. Last in this list are the nation-state hackers, usually highly skilled and trained individuals who create malware and attacks focused on targets set by their country.
“War, h’uh – What is it good for? – Absolutely nothing, say it again”…
While the Temptations/Edwin Starr have a point, the question is essential to any discussion of insurers like Lloyd’s and the others. Consider how calculations of cyber risk have been affected by the Russian war against Ukraine.
First, there is the skill of the hackers involved in an attack and the malware and/or tactics they employ. If an industry is part of the national Network and Information Systems (NIS), a cyber-attack may be one nation state attempting to destabilise another. Normally the source and actor can be determined after the fact, which, in the simplest case, allows the invocation of the mooted cyberwar clauses now arising in the insurance industry.
Second, identifying the resources being targeted by an attack is much more complicated than in the halcyon days of on-premises infrastructure located within a conflict zone. Today a nation state may want to attack the financial hub of an adversary or its national infrastructure, but the damage inflicted on cloud-based or network-connected resources can easily spill over with devastating effects on non-combatants.
Third, considering ransomware or denial of service attacks, the demanded payments to reverse the damage can lead to very uncomfortable conversations with regulators and statutory groups about funding terrorism.
Finally, there is the escalation of attacks to the point of ultimate destruction. Whether attacks are kinetic or cyber, total destruction is much simpler than targeted effects. On the battlefield, snipers can remove individuals, field guns inflict damage within a limited range, and missiles inflict devastation across much wider areas. When it comes to cyber warfare, a highly targeted attack against a single point can escalate quickly into full-blown annihilation.
Cyber risk insurance must apportion the cost of incidents between the underwriter (through policy premiums) and the victim (through the associated costs of reinstating “business as usual”). Where cyber risks are understood and can be effectively assessed, premiums can be set against policy limitations. Unfortunately for insurers (and the insured), the cyber risk landscape is constantly changing, and risks and mitigations do not necessarily keep pace with each other. This will undoubtedly keep the boards of insurers in a state of unease, while the insured will have to continually improve their cyber posture and meet increasingly stringent cyber maturity requirements in order to keep existing, or qualify for new, cyber risk policies and to defend any claims which may arise.