This latest Opinion piece is by Matt Middleton-Leal, Managing Director EMEA, Qualys. It looks at the issues surrounding cyber attacks that may be backed by state actors, or by agents working on behalf of nation states. This is a real challenge for the insurance sector, and the answer is deeper collaboration with the companies and public sector bodies affected by organised cyber criminals and rogue states alike.
The cyber insurance market continues to grow in response to all the challenges that organisations face. According to Lloyd’s of London, the cyber insurance market should grow from around £12 billion to £35 billion by 2030. Alongside this, Lloyd’s discussed the impact of the cyber insurance market in its annual report for 2022: “Our oversight work will centre around delegated underwriting performance, the impact of capital and reinsurance capacity pressures, systemic risk and ensuring the market is compliant with state-backed cyber attack exclusions.”
That last point will be the most important one for insurance providers. Lloyd's has published model clauses for cyber insurance policies that specifically exclude cyber attacks attributed to nation states, or to attack groups operating at arm's length on a state's behalf. These are due to come into force from 31st March 2023 on all new policies issued by insurers that use the Lloyd's market.
In practice, these clauses mean that an attack involving malware deployed as part of a real-world conflict would not be covered. From an insurance point of view, the cost of cleaning up the incident would have to be borne by the affected company. That could be very costly, at the very point when budgets are most stretched.
There are real-world precedents for this too: the NotPetya malware in 2017 was launched as part of the Russia-Ukraine conflict and led to more than $10 billion in damages, according to White House estimates. For the companies caught up in an attack like this, recovery costs run to hundreds of millions for the largest businesses, while smaller companies face costs that are just as damaging in proportion to their size. The prospect that a systemic attack of this magnitude would not be covered by cyber insurance is disconcerting.
To prepare for this future market, cyber security companies and cyber insurance providers have to work together. Both sides are interested in protecting customers: one through the products they sell, the other through preventing claims. Both also want to help their customers improve their approach to risk. But how can we achieve this?
Best practices and real world results
For security teams, keeping networks and IT assets patched and correctly configured is the first line of defence. Applying software updates and patches closes known vulnerabilities before an attacker can use them. However, these processes have to be implemented effectively, and some simple things can get in the way.
To start with, companies should hold an inventory of all the IT assets they own and keep it up to date. Without this asset inventory, it is hard to be sure that every device, piece of software and other IT system is patched and protected, because an asset nobody knows about is an asset nobody patches. Alongside asset management, companies can also run vulnerability management and external attack surface management programmes.
These programmes scan for known weaknesses, missing patches and exposed services, both inside the network and on its internet-facing perimeter, and flag them to be fixed. One of the biggest problems is prioritisation: deciding which findings sit on the systems most valuable to the business, and which are most likely to be exploited. Both change over time, so every company has to maintain its asset list and know what it has if these potential threats are to be managed proactively.
For cyber insurance companies, evidence that customers run these programmes demonstrates that they have effective security management processes in place and take them seriously. However, there is a difference between saying that processes are operational and running them well. Here, looking for evidence of how the board or management team manages risk, and for measurable outcomes such as how quickly known vulnerabilities are actually remediated, can be effective, as it demonstrates that the whole company engages in security.
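The asset-inventory, prioritisation and evidence points above can be made concrete in a few lines of code. The following is an example added to this article, not code from the author or from Qualys: it reconciles a constructed asset inventory against constructed scan findings, flags hosts that were scanned but never registered, ranks findings by CVSS weighted by an assumed business-criticality rating (doubled when a finding is known to be exploited), and produces the kind of patch-SLA summary an insurer could ask for. Every host, finding identifier, criticality value, weight and SLA deadline is an assumption made for the example.

```python
"""Reconcile an asset inventory against vulnerability-scan findings, rank
what to fix first and summarise patch-SLA compliance.  Example code added
to this article; every host, finding, weight and SLA below is constructed."""
from datetime import date

# Constructed inventory. Criticality (1 = low, 5 = revenue-critical) is an
# assumed business rating the asset owner would assign, not a scanner output.
INVENTORY = {
    "10.0.1.10": {"name": "erp-db-01", "criticality": 5, "owner": "finance"},
    "10.0.1.11": {"name": "web-01", "criticality": 4, "owner": "ecommerce"},
    "10.0.2.20": {"name": "print-01", "criticality": 1, "owner": "facilities"},
}

# Constructed scan output, one record per (host, finding). "exploited" stands
# in for a known-exploited-vulnerability feed; "fix_available" is the date a
# patch was released. Finding ids are placeholders, not real CVE numbers.
FINDINGS = [
    {"host": "10.0.1.10", "id": "F-1", "cvss": 9.8, "exploited": True, "fix_available": date(2023, 1, 5)},
    {"host": "10.0.1.11", "id": "F-2", "cvss": 7.5, "exploited": False, "fix_available": date(2023, 3, 1)},
    {"host": "10.0.2.20", "id": "F-3", "cvss": 9.1, "exploited": False, "fix_available": date(2022, 11, 1)},
    {"host": "10.0.3.99", "id": "F-4", "cvss": 8.2, "exploited": True, "fix_available": date(2023, 2, 1)},
]

TODAY = date(2023, 3, 31)          # reporting date, fixed so the output is reproducible
UNKNOWN_CRITICALITY = 3            # assumed rating for hosts missing from the inventory


def unregistered_hosts(findings, inventory):
    """Hosts the scanner saw that nobody has registered: the inventory gap."""
    return sorted({f["host"] for f in findings if f["host"] not in inventory})


def sla_days(cvss):
    """Assumed remediation deadline by severity: 14 days critical, 30 high, 90 other."""
    if cvss >= 9.0:
        return 14
    if cvss >= 7.0:
        return 30
    return 90


def prioritise(findings, inventory, today):
    """Rank findings by CVSS x business criticality, doubled if exploited in the wild."""
    ranked = []
    for f in findings:
        asset = inventory.get(f["host"])
        criticality = asset["criticality"] if asset else UNKNOWN_CRITICALITY
        score = f["cvss"] * criticality * (2 if f["exploited"] else 1)
        days_open = (today - f["fix_available"]).days
        ranked.append({
            "host": f["host"],
            "name": asset["name"] if asset else "UNREGISTERED",
            "id": f["id"],
            "score": round(score, 1),
            "days_open": days_open,
            "overdue": days_open > sla_days(f["cvss"]),
        })
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def sla_report(findings, inventory, today):
    """The evidence an insurer would ask for: how much of the backlog is inside SLA."""
    ranked = prioritise(findings, inventory, today)
    overdue = sum(1 for r in ranked if r["overdue"])
    total = len(ranked)
    within = round(100.0 * (total - overdue) / total, 1) if total else 100.0
    return {"total": total, "overdue": overdue, "within_sla_pct": within}


if __name__ == "__main__":
    print("Unregistered hosts:", unregistered_hosts(FINDINGS, INVENTORY))
    for r in prioritise(FINDINGS, INVENTORY, TODAY):
        print(f'{r["score"]:>6} {r["host"]:<10} {r["name"]:<13} {r["id"]} '
              f'{r["days_open"]}d open overdue={r["overdue"]}')
    print(sla_report(FINDINGS, INVENTORY, TODAY))
```

Two things the output shows that the paragraph alone does not: the highest-CVSS finding on the low-value print server ranks last, while a lower-CVSS but exploited finding on an unregistered host ranks second, so an inventory gap becomes visible in the same report that drives patching; and the SLA summary (one of four findings inside its deadline) is a number a board or an underwriter can check, rather than a statement that a programme exists.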
The ideal goal for the cyber security and cyber insurance sector is that companies can get effective protection that flexes alongside their operations. This is starting to happen – for example, US cyber insurance companies are already developing adaptive security policies that can scale up and down based on customer business needs. Companies can effectively reduce their cyber premiums if they can prove they are fully in control of their cyber risk.
In the same way as insurance companies can inspire consumers to adopt more healthy lifestyle practices, so cyber insurance brokers and providers can encourage their customers to implement best practices around security. Adopting best practices can keep companies running effectively, but cyber insurance companies will have to look at how they get the right evidence that those programmes are running in the real world and delivering what they are supposed to.
It is in everyone’s interest to improve security and help companies manage their risk. By collaborating with each other, cyber security and cyber insurance providers can support adoption of best practices across security and risk. Without this collaboration, cyber insurance premiums will continue to go up and coverage levels will decrease, affecting the growth of the market. In order to help companies manage their risks in a more uncertain and unpredictable world, this collaboration will be essential.