A third of those that work in cyber security think that cyber insurance is good

Around a third (31%) of cyber security professionals believe that cyber insurance is a good thing, however a recent social media poll also confirmed that many cyber security staff view this type of insurance as ’a necessary evil’.

These results were part of a presentation delivered by cyber security firm Cygenta’s co-founder and co-chief executive Jessica Barker, at CFC Underwriting’s London Market Cyber Symposium event, held last night at the Courthouse Hotel Shoreditch.

Prior to the event, Barker had conducted a poll on her Twitter account, which received 1,000 responses. Although this found that cyber insurance was perceived as a positive by just under a third of those working within the security sector, the results also highlighted a healthy dose of scepticism.

View on insurance

Trends revealed by Barker included that security professionals felt that cyber security was a very complex area and therefore questioned how it could be insured adequately. Many were also concerned over insurance small print, showcasing an industry-wide perception that insurers don’t pay out for cyber insurance.

Worryingly, another trend was that cyber security staff see cyber insurance as a necessary evil, while others in the industry were concerned about security standards at businesses that had bought cyber insurance, questioning whether having the security blanket of an insurance policy would lead to more lax in-house security measures.

Barker said: “There’s an issue around small print. A lot of people feel that if it’s human error, that’s not insured against and lots of people feel that cyber’s so complicated, attacks are so diverse, how can you insure against that?

“People, I think, feel threatened by insurance because there’s a concern if an organisation has insurance then why are they going to engage in all of these controls, so a lot of people feel it’s passing the buck.

”There’s lots of issues and whether they’re valid or not, they are certainly valid in the minds of security professionals and that’s a hurdle I would say you need to overcome.”

However, Dr Barker did also have some positive feedback regarding cyber insurance. It helped to provide access to expertise, a quick response, aided with compliance and was useful in quantifying risks. The sector felt that cyber insurance is particularly beneficial for small businesses.

Cyber risks

Dr Barker further explored the role of cyber insurance in terms of ransomware, a malicious type of software that blocks access to a computer system or data until a ransom is paid. One issue, she explained, is that cyber insurance can put a target on organistions’ backs as perpetrators believe they are more likely to receive their demanded ransom because insurers will pay out.

Other warning signs that businesses need to be aware of include spear phishing emails, which use social engineering triggers such as curiosity, temptation and reciprocation to scam recipients.

Security fatigue is also becoming a more prominent concern as individuals are getting increasingly tired of extensive security measures and warnings, leading to disengagement.

Business case

Presenting the business case for cyber insurance last night was Adam Banks, chief technology information officer at AP Moller-Maersk. He shared with around 80 attendees the story of the NotPetya cyber attack in June 2017, which cut the entire business to the quick in just seven minutes.

Around 56,000 devices and 8,000 services were affected as a result, with all voice communications and technology systems ceasing to operate; it took the business 24 hours to work out the cause of the involuntary shut-down.

Distressingly, Maersk was not even the target of the devastating cyber attack – alongside numerous other organisations, the logistics and shipping firm was merely collateral damage to an attempt to disrupt Ukrainian government.

Banks explained that Maersk was not unprotected from cyber action; the ransomware, however, had four different modes of attack and Maersk was only able to defend the first two attempts.

Key learnings

The attack has influenced Maersk’s approach to cyber security – Banks said that security has to be designed into business models, not just placed on top. The changing nature of business attacks, Banks said, calls for a change in approach too.

He also emphasised the importance of detection and response, rather that focusing solely on prevention. Maersk, for example, spent time analysing what activity was normal for its business; anything outside of this now leads to an instant shut-down of the anomaly terminal.

Back in 2017, it took Maersk three weeks to recover from NotPetya; now the business can bounce back in 24 hours.

Different approach

With an increase in security measures, Banks has correspondingly lessened the organisation’s cyber insurance coverage to reflect the business’s better protection. However, Banks said he wouldn’t do away with cyber insurance entirely, as there is always a level of risk to consider, especially regarding risks for commercial gain.

Banks added: “The kind of protection models that you would use in a digitised physical business are fundamental different to a governmental or financial services business. And the software market hasn’t caught up with that yet. We haven’t got tools that exist naturally to protect against that.

“You have to design security in to your overall model rather than trying to secure all the bits of the model and hoping that it holds together.

“We’ve changed the way that we look at our [defence]. First point, let’s assume we can’t defend ourselves. Let’s assume they’re in and let’s make sure we’re able to detect them being in and do something about it rather than focus entirely on the premise of what’s going on behind us. That’s proved hugely useful.”

Target

Dr Barker and Banks spoke alongside Peter Ricketts, a former UK national security adviser who sits in the House of Lords. Ricketts explained that cyber is different to all other national security risks, including terrorist threats.

“The government can’t protect the nation from cyber risk alone,” he said. “It has to work in tandem with [the] sector, with professionals and with individual citizens to try to avoid weaknesses in the defences which allow criminals and hackers in.”

Ricketts additionally identified insurers as a target for cyber attack, because of the data these firms hold.

His session also promoted the National Cyber Security Centre (NSCS), a government agency that should be a first port of call when faced with any cyber security issues.

have-your-say-banner