Cyber insurance: The good, the bad and the ugly – ComputerWeekly.com
Insurance exists to cover the unexpected costs of loss, damage or injury. Despite our best efforts to avoid fire, theft or accidents, these things happen and can be expensive. We cannot predict if or when such an event will happen to us. However, we can measure the occurrence of such events and calculate their likelihood and consequences by analysing a large population sample.
The first insurance markets developed from insuring ships and cargos in the 17th century. The sudden loss of a ship could be catastrophic for businesses; however, insurance could mitigate the financial damage. Large losses could be absorbed by insurers who could predict these costs and charge appropriate insurance premiums. As businesses have evolved and digitised, so too have the risks to which they are exposed. Catastrophic losses to businesses have not disappeared, but changed in nature.
Cyber insurance policies have been around since the 1990s, emerging as a mature product over the subsequent decades. As the possibilities provided by technological advances grew, so did business risk exposure. The introduction of data privacy laws, with the obligation to disclose the breach of personal data to those affected, meant that incidents could no longer be kept quiet. A plethora of high-profile breaches in the mid-2010s cemented the need for cyber insurance.
Cyber incidents can be expensive. External incident response consultants, legal experts and communications specialists may need to be brought in to help manage the consequences of the breach and restore normal working order. These costs are in addition to the potential costs of lost days of operations.
Insurance markets have developed cyber insurance products to cover such unexpected losses. It is an adjunct to, not a replacement for, best practices. Neglecting cyber security, in the belief that cyber insurance will cover the losses due to the inevitable breaches, is simply a recipe for disappointment and ever-increasing premiums.
A good cyber security posture balances investment in protection, to reduce the likelihood of a breach and to limit the damage when one does occur, with the recognition that the unexpected can still happen and that some of the resulting losses can be transferred through insurance.
Just as cyber security is an ever-evolving field, so is cyber insurance. To remain a viable product, insurers must understand and manage their risk exposure. Understandably, many insurance policies contain exclusions restricting claims arising from war (whether declared or not) or armed conflict. No insurer wants to be exposed to a large number of simultaneous, expensive claims resulting from a single significant attack hitting many organisations across the world.
Probably the most destructive cyber attack to date has been the NotPetya worm of 2017. The estimated total damage across the world is around $10bn. Although no one has claimed responsibility, the US Department of Justice indicted Russian military intelligence officers for their alleged role in carrying out the attack.
Cyber attacks conducted with the resources of a nation state, such as an intelligence agency, can be particularly destructive. Nation states have the ability to invest in the long-term development of offensive cyber capability and can pick the most opportune moment to launch an attack. The potential consequences of a state-backed attack are so severe that such attacks, where they also significantly disrupt the functioning of a state, have recently been excluded from coverage under some cyber insurance policies.
However, this raises the question of exactly what constitutes a state-backed attack. Conflict in other theatres involves uniformed military personnel and national markings to identify armed forces. In the cyber domain, there are no such markings. Aggressors may be military or criminal, amateur or professional, and all shades in between. In the absence of a cyber equivalent of a military uniform, determining the nature and affiliation of an attacker is extremely difficult.
As with any crime, attackers leave traces behind. But unlike physical evidence, these traces do not necessarily identify the perpetrator uniquely: many different criminals may share the same tooling and leave similar traces at the scenes of their attacks. The most sophisticated attackers also actively try to hide their identities in order to frustrate and confuse the identification of their attacks.
State-backed attacks may not be conducted by agents of the state. Proxy actors can carry out campaigns on behalf of their paymasters. Criminals can be given tacit approval or state direction in carrying out their attacks.
Determining who is responsible for a cyber attack is incredibly challenging at the best of times. In an increasingly complex threat landscape where the identity, motivations and backing of a threat actor are important, we risk making assertions that cannot be supported by evidence or the science of attack attribution.
The importance of attributing attacks is only likely to increase, but the degree of certainty with which attribution can be made is frequently weak. Where analysts can make statements of attribution, those statements are couched in words of estimative probability ("likely", "almost certainly") rather than in definite terms. Attribution is rarely clear-cut: it rests on a chain of inferences, each carrying its own uncertainty that the analyst must explain, which contrasts with the certainty required to satisfy a contract or trigger a policy exclusion.
Cyber insurance has a place in any cyber security strategy. However, organisations need to understand exactly what they are insuring against and the exclusions that may restrict a claim.
In the near future, attribution of an attack may become a key factor in cyber insurance claims. Security professionals would do well to review the forensic evidence they collect and how it could be used to support or refute assertions of attribution.
One thing is certain – only the threat actor knows who exactly carried out an attack and for what purpose, and they are unlikely to snitch on themselves.
Martin Lee is technical lead of security research at Cisco Talos.
All Rights Reserved, Copyright 2000 – 2022, TechTarget