KCS Group chief executive Poole-Robb on the changing face of cyber attacks
A century ago, the American satirist Ambrose Bierce defined insurance as “an ingenious modern game of chance”, writes business security firm KCS Group chief executive Stuart Poole-Robb.
In the intervening hundred years, the insurance industry has done its utmost to reduce the chance element by developing risk assessment into a virtual science. But, so far, insuring cyber risk has eluded risk assessment experts. Aon’s 2014 Captive Benchmarking study showed that out of more than 1,000 managed captive clients, only 1% of captive owners currently insure cyber risks - a figure that has remained unchanged over the last two years.
Many losses involving digital attacks and data breaches still remain uninsured, even in the US. A 2013 Harvard Business Review Analytic Services survey reported that less than 20% of companies purchase some form of cyber insurance. A 2014 Crawford & Company study, ‘The Future of Cyber Insurance’, found that very few carriers are willing and able to indemnify more than $50 million, with the majority writing a maximum limit of $10 million or less. The reason is that most organisations have, at best, a slender grasp of the level of cyber risk they face.
The problem in accurately assessing cyber risk is that organised gangs of cyber criminals are constantly evolving new and ingenious methods of breaking through corporate firewalls to cause unprecedented levels of data destruction. While it might be relatively straightforward to assess the likelihood of a building burning down, determining the strength of an organisation’s cyber defences or its vulnerability to a cyber attack is still largely uncharted waters for most insurers. So too is the level of damage such an attack can wreak on an unsuspecting company.
Once the hack has been completed, the target organisation is then open to blackmail, espionage and terrorism. The usual approach is to demand a high ransom from the target company. Refusal to pay means running the risk of the cyber criminal inflicting the maximum possible damage. This can simply mean wiping huge swathes of mission-critical data or using confidential customer information to compromise the company’s key clients.
In the US, where the cost of cyber crime is estimated to be running at over a trillion dollars a year, companies unwilling or unable to meet the hackers’ ransom demands are being forced into liquidation. A recent example is the New Jersey-based code-hosting and project management services provider CodeSpaces, which was forced to close its operations following a malicious cyber attack.
The problem of assessing the likelihood of an organisation experiencing a similar attack is further compounded by the fact that many organisations of all sizes now have malware sitting on their systems undetected for months or even years. Unless companies also deal with malware that has already infiltrated their systems, they may discover that, when a malicious intrusion is detected, their insurance does not cover damage relating to a problem that already existed before the policy was signed.
The only solution is for organisations to carry out a full security overhaul of their systems at the time of taking out cyber insurance. This exercise must also produce a real-time picture of the organisation’s overall cyber security.
Sadly, anti-virus software, traditionally a firm’s first line of defence, is of little use in either case. There are, however, some new, highly cost-effective security software products now coming onto the market which are capable of accurately assessing the state of an organisation’s cyber defences in real time.
Once a full-sweep security check has been conducted, the organisation can go ahead and plug any security holes. This also enables potential insurers to take a clear risk decision based on a real-time picture of the precise state of an organisation’s cyber security profile.