Cyber security is a notoriously complex topic, with insurers grappling with online threats that seem to change by the day, but does the key to effective and proactive cover actually lie in simplifying things for policyholders?
Jason Hart, managing director of proactive and global security services at CFC, is well versed in the world of cyber security.
Hart was one of the world’s first ethical hackers, founding ethical hacking firm White Hat Security in 2002. Since then, he has amassed over 20 years of experience in the cyber security industry, holding roles including chief executive at cloud-based authentication firm CryptoCard and chief technology officer at security software firms Rapid7 and Trustonic.
In 2024, Hart joined CFC to head up the proactive cyber division before being promoted to the role of managing director of proactive and global security services.
Proactive capabilities, the firm says, are designed to “help prevent cyber attacks against insureds from the moment their policy binds”, a type of protection that Hart explains is vital in a world where the sophistication of hacking has been revolutionised.
He tells Insurance Times: “What would have taken me four or five months [in 2002], now could take me two or three seconds. That’s the scale of the change.”
Modus operandi
While the word “hacker” may conjure up images of a masked figure typing lines of code into a command line from a dimly lit room, the reality is much broader than that.
According to the UK government’s Cyber security breaches survey 2024, 84% of that year’s cyber crimes were the result of phishing, a type of social engineering cyber attack in which criminals impersonate legitimate business entities to lure individuals into handing over personal and sensitive information.
Given the combination of technical and social factors involved in these new methodologies, the emergence of artificial intelligence (AI) has springboarded hackers to the next level.
“The ability for a threat actor to gain insight into an organisation is becoming ever more trivial, driven by new tools and underpinned by AI,” Hart explains.
“From a hacker’s perspective, what they’re trying to establish is three core elements. They’re trying to understand the structures and processes of an organisation, then they’re trying to look at the security controls and, finally, they’re trying to look at the technology that’s in use.
“Using AI gives them the ability to very quickly enumerate those three elements and getting this big picture of an organisation becomes really trivial. Profiling you and the organisation you work for has become simple. The AI can generate an intelligence pack on an individual or an organisation.
“Once they have all these data elements and relationships, they can set up a social engineering attack in a way that, because they’ve done their homework, can be successful – be it an email, a text message or a deepfake.”
The importance of fundamentals
The wide range and constant evolution of digital threats have likewise led to new and reactive cyber insurance products, though the breadth of these products can in itself be a barrier to customers understanding the extent and value of their cover.
Hart explains: “From an insured perspective it can be very confusing. On the one side you’ve got people saying the world’s going to end, people are getting hacked and we see the incidents.
“And then on the other side you’ve got cyber security vendors saying we can solve this problem and focusing on very technical and complex next-generation security.”
Hart explains that, in his professional experience, the cyber security industry can sometimes become saturated with “whizz-bang moments” and “buzzwords” such as blockchain, automation and AI, ultimately leading to confusion and fatigue around where to focus attention.
This fatigue can lead to a “buy this tech and fix this” approach, which replaces security fundamentals with a less targeted, cover-all solution. Refocusing on those fundamentals could ensure more robust cover.
“From a CFC perspective, from a proactive standpoint, we focus on identifying the things that actually translate into an event happening,” Hart adds.
“It’s a very, very complex landscape for insureds. I see it as our mission, and my passion, to remove the complexity and inform the insureds on what actually matters.
“To say – yes, you could have lots of problems, but actually it’s these two or three things that you need to address. You and I could go and look at an organisation tomorrow and, from a cyber security perspective, we would surface problems. But those problems don’t necessarily turn into an event, they’re not problems that a threat actor would necessarily target.”
He concludes: “If an insurer sees all these problems, it actually distracts them into focusing on stuff that doesn’t matter and that increases operational cost, as opposed to focusing on the basics. We’re saying these are the things you need to focus on. It’s really important that we inform on risks and threats that matter.”
