Regulation becoming ‘almost inevitable’ as cyber threats increase

Biba 2022: The changing nature of cyber crime and low compliance with law enforcement agencies is creating a situation in which government legislation around cyber protection and compliance will become “almost inevitable”, according to Will Lyne, the UK National Crime Agency’s senior manager for cyber intelligence.

Speaking at the Biba Conference 2022 during a session on cyber risks last week (12 May 2022), he explained that “cyber has evolved from quite a niche problem even just a few years ago to a national security issue in a relatively short space of time”.

Despite the recent increase in the severity of cyber attacks – such as those that shut down the Irish healthcare system in May 2021 – Lyne said that “some of the norms you see in other organised crime types tend to not apply in cyber, which is a pretty big issue”.

He explained that while most people would immediately report other sorts of organised crime to the authorities, cyber crime investigators “don’t see a huge amount of cooperation from lots of victims [of cyber crime]”.

This is what will eventually lead to the need for government intervention, Lyne said, alongside cyber criminals’ increased targeting of individuals and businesses that have no cyber security measures or cyber insurance.

Attritional catastrophe

Graeme Newman, chief executive of CFC, added that “cyber is categorically the most dynamic risk that the insurance market has ever tried to tackle”.

The cyber threat environment is “incredibly volatile”, he explained, because of “spikes in severity but also spikes in claims frequency”.

Risks can also develop quickly in cyber compared to other industries – Newman said that cyber claims two years ago were 60% made up of email compromises and social engineering, whereas the sector is now focused on tackling ransomware.

Newman branded this threat environment as “a kind of attritional catastrophe” because large data breaches could lead to a spike in other claims areas and create further volatility.

“In a simple sense, trying to build stability into a cyber insurance market where the underlying risk is fundamentally unstable is really, really hard,” he added.

In terms of a solution to this imbalance, Newman proposed building increased threat intelligence across the insurance market and using this information to manage claims and prevent them before they occur.

He said: “Using [threat intelligence] to support our clients to help reduce the threat [of cyber attacks] is incredibly important – it’s a massive role that the insurance industry needs to [take on].”